Active/backup site to site IPSEC VPN

Started by bx2, February 06, 2026, 09:17:21 PM

Hello everyone,

I have two Deciso DEC2752 units in a HA configuration that I am soon about to deploy.

At this moment I am nearly ready except I need to figure out how to configure my OPNsense deployment so that if my primary IPSEC VPN connection goes down, the secondary IPSEC VPN connection will establish.

The remote end is two Versa-SDWAN appliances. Versa #1 has one ISP connection and Versa #2 has the other ISP connection. Both ISP connections are from separate ISPs for redundancy.

Right now, my OPNsense cluster is configured for IPSEC VPN to Versa #1 Public IP. I can power off one of my OPNsense units and the other kicks in as expected.

But for whatever reason I cannot seem to figure out how to apply some kind of metric/weight to keep the primary IPSEC tunnel active and failover to the other IPSEC tunnel if my primary versa is down.

Would anybody be able to point me into the direction on what to read or how to accomplish this?


Thank you!

You configure a CARP address on the Internet facing (WAN) interface and use that as the endpoint for your IPsec tunnel(s). Connectivity will move with the CARP address in case the primary node fails.

Did you setup your HA cluster following the documentation? So you have a HA/CARP address on all interfaces?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 06, 2026, 09:22:44 PM:
You configure a CARP address on the Internet facing (WAN) interface and use that as the endpoint for your IPsec tunnel(s). Connectivity will move with the CARP address in case the primary node fails.

Did you setup your HA cluster following the documentation? So you have a HA/CARP address on all interfaces?

Yes, I've got my HA cluster configured as per the documentation. My concern is not the OPNsense node failing but the other end. Be it a hardware failure or the ISP being down, I am trying to get my OPNsense cluster to have a secondary IPSEC connection going to the opposite site, to their secondary connection.


You could create the same two tunnels on both HA nodes and use dynamic routing to decide which one gets your traffic.

https://docs.opnsense.org/manual/how-tos/dynamic_routing_ospf.html#ipsec-failover-with-vti-and-ospf
Hardware:
DEC740
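As an added illustration of the VTI-plus-OSPF approach suggested in the last reply (this is not configuration from any post in this thread or from the OPNsense documentation), the FRR configuration below shows how two VTI tunnels, one to each Versa appliance, can be given different OSPF costs so that the tunnel to Versa #1 carries traffic while it is up and the tunnel to Versa #2 takes over when the first adjacency drops. It is written in vtysh syntax, which is what the OPNsense os-frr plugin ultimately renders; on OPNsense itself the same values are entered through the Routing: OSPF pages. The interface names ipsec1/ipsec2, the transit and LAN prefixes, the router-id and the area number are all assumptions chosen for the example.

```frr
! Added example (not from this thread or the OPNsense docs): FRR OSPF configuration
! for an active/backup pair of IPsec VTI tunnels, in vtysh syntax.
! Interface names, addresses, router-id and area below are assumptions.
!
! Assumed layout:
!   ipsec1  -> VTI to Versa #1 (preferred path), transit net 10.255.1.0/30
!   ipsec2  -> VTI to Versa #2 (backup path),    transit net 10.255.2.0/30
!   LAN     -> 192.168.10.0/24 behind the OPNsense cluster
!
! The lower cost on ipsec1 makes it win while both adjacencies are up; the short
! hello/dead timers drop a neighbour about 3 s after its tunnel goes silent, at
! which point the route over ipsec2 becomes the only candidate.
interface ipsec1
 description VTI to Versa #1 (primary)
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
interface ipsec2
 description VTI to Versa #2 (backup)
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 ospf router-id 10.255.0.1
 ! both VTI transit networks join area 0, so OSPF runs over both tunnels
 network 10.255.1.0/30 area 0
 network 10.255.2.0/30 area 0
 ! advertise the LAN prefix to the remote side without speaking OSPF on the LAN
 network 192.168.10.0/24 area 0
 passive-interface default
 no passive-interface ipsec1
 no passive-interface ipsec2
!
```

The remote side needs a mirror image of this: the same area, matching hello/dead timers on each VTI, and the same cost preference, otherwise the two ends may disagree on which tunnel is primary and traffic becomes asymmetric. Because the HA pair shares one CARP WAN address, the identical IPsec and FRR configuration lives on both nodes and only the node holding the CARP address has the tunnels up. OSPF only reroutes once the adjacency times out, so Dead Peer Detection should also be enabled on both phase 1 entries so the stale SA is torn down and re-established rather than left in place. After a failover test, `vtysh -c "show ip ospf neighbor"` and `vtysh -c "show ip route"` on the active node show which neighbour is Full and which VTI the LAN-to-LAN route currently points at.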