Topic: IPSec and Multi-IP Redundancy (Read 711 times)
anomaly0617, on: July 19, 2023, 09:41:45 pm
Hi there,
I'm a regular here. Been doing this awhile. But I tend to look for answers to questions before I post, and when I don't find the answers, I sometimes STILL don't post. But here's one I'm wondering about.
At our customers we've been shifting from dedicated fiber options that have an SLA with the internet service provider over to multiple "best effort" fiber and coaxial options without an SLA.
So, for instance, whereas before I had 30 x 30 Mbps dedicated fiber internet and my customer was paying nearly $700 a month for it, now we have 1 x 1 Gbps shared fiber as our primary connection and 960 Mbps x 40 Mbps shared coaxial as our backup solution. And our total bill is somewhere around $450 for both services combined. Each service has its own block of 8 (5 usable) static IP addresses.
So, one of my larger customers has multiple locations, and they are doing this at both sites. They wanted me to set up VPN between the sites such that:
Location 1 Fiber >> Location 2 Fiber is preferred
Location 1 Fiber >> Location 2 Coax is acceptable
Location 1 Coax >> Location 2 Fiber is acceptable
Location 1 Coax >> Location 2 Coax is possible, but not preferred.
I had them on IPSec Site to Site VPN, and I discovered there was no way for me to set this up natively in OPNsense like this. In order to set it up, I had to use OpenVPN. OpenVPN allows for multiple "servers" on the client side, so this became doable as:
Location 2 Fiber >> Location 1 Fiber
Location 2 Fiber >> Location 1 Coax
Location 2 Coax >> Location 1 Fiber
Location 2 Coax >> Location 1 Coax
But, Location 1 cannot initiate the connection to Location 2. That's not the way OpenVPN was designed. One is a "client" and one is a "server", whereas in IPSec each side is treated as an equal peer.
I'm seeing in the 23.x versions of OPNsense that there's a new "Connections" and "Pools" section in IPSec. Is IPSec getting the functionality I was hoping for above?
Thanks, in advance!