IPSEC VTI Redundant Tunnel

[matzeeg3]

Hey everyone, i am face a little problem and maybe i don´t know if i did something wrong or if i missunderstand something.
so here is what i like to do:
1 like to setup 2 VTI Tunnels to my Fortigate, the Fortigate has two different WANs and on the Fortigate Side everything worked as expected.

Now i am on the side of the opnsense i setup 2 Connections see attached "connctions_1.png" than i have 2 VTIs defined see "vti.png".

In the Gateway Section i setup the Gateways and an gateway group "gw.png" and "gwgroup.png".

At last step i create a policy with the gateway group in it.

so now if one vpn goes down i am not able to get any traffic from the opnsense to the fortigate.
i see traffic from fortigate is coming in but the opnsense try to send all traffic to the "down" gateway

[Monviech (Cedrik)]

Hello, the supported way to do ipsec failover is decribed here:

https://docs.opnsense.org/manual/how-tos/dynamic_routing_ospf.html#ipsec-failover-with-vti-and-ospf