Hello Ron,

Your problem is frequent, and is not as simple as you may think.

From a router's point of view, IPSec routing happens before "interface"
routing, and it is not displayed in the routing table.
So, a packet passing through the kernel is handled by the IPSec stack.
If you have an IPSec policy (up or down) which matches, the packet is sent
through ipsec.
If not, it is sent through the "classical" network.

If your IPSec link is down (but configured), the packet is not forwarded
(sent to /dev/null).

So...
1) You have to make good phase 2 policies in which you exclude Layer 2
traffic.
You may also try policy based routing on pfSense, to force a gateway (I
used to do that). Google it, there are many tutorials on that cool
feature.

2) On IPSec, you may use DPD (dead peer detection) and use the "ping"
box to ensure continuous ipsec testing.

I have not found any way to have a backup IPSec link when a L2 link is down.

Regards,
Nicolas

On 21/02/2012 22:47, Ron Lemon wrote:
>
> Good Afternoon,
>
> I have a 2.0 and 1.3 pfSense firewall (one in each of 2 buildings) and
> these are joined via an IPSec link.  We now have a layer 2 connection
> between them as well.  If the IPSec link is disabled on both sides
> traffic traverses the Layer 2 link (which is good).  So here are my
> questions.
>
> 1. How can I make some of the traffic (backups for example)
> always use the layer 2 link and never use the IPSec link (layer 2 has
> no usage counter, IPSec does).  This would also mean both sets of
> traffic would flow faster because of no competition from the other
> data.  It seems the IPSec link has a higher priority than the layer 2
> that I can't seem to find or alter.
>
> 2. If only one side of the IPSec tunnel goes down the traffic
> coming from the side that is up still tries (unsuccessfully) to use
> the IPSec link.  Traffic on the side with the failed or disabled IPSec
> link correctly goes to the layer 2 link (how can I get both sides to
> recognize the link is down)?  Right now if my WAN link on one side
> fails I can send traffic from this site to the other but not the reverse.
>
> I am guessing both answers are probably fairly obvious which is why I
> can't see them for looking.
>
> Thanks,
>
> Ron
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
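Nicolas's point that the IPsec policy database is consulted before the routing table, so a matching phase 2 entry captures the packet (and black-holes it when the tunnel is down) while only non-matching traffic ever reaches the L2 gateway route, as an added model (example code, not from either poster or from pfSense). All prefixes, gateway names and the `narrow_phase2` helper are constructed to illustrate his fix 1, carving the backup subnet out of the phase 2 network.

```python
"""Model of outbound forwarding on an IPsec-enabled router: SPD first, FIB second.
Constructed example; not the real kernel code path."""
from ipaddress import ip_address, ip_network

# Constructed phase 2 entries (SPD): (local net, remote net, tunnel up?).
SPD = [(ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), True)]
# Constructed routing table (FIB): (prefix, next hop); longest prefix wins.
ROUTES = [(ip_network("10.2.0.0/24"), "L2-gateway"),
          (ip_network("0.0.0.0/0"), "WAN")]

def spd_lookup(src, dst, spd):
    """Return tunnel state (True/False) of the first matching policy, else None."""
    for local, remote, up in spd:
        if src in local and dst in remote:
            return up
    return None

def route_lookup(dst, routes):
    """Classic longest-prefix-match over the routing table."""
    candidates = [(net, gw) for net, gw in routes if dst in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]

def forward(src, dst, spd=SPD, routes=ROUTES):
    """Decide where a packet goes: 'ipsec', 'dropped', or a FIB next hop."""
    src, dst = ip_address(src), ip_address(dst)
    up = spd_lookup(src, dst, spd)
    if up is True:
        return "ipsec"
    if up is False:
        # Policy matches but the SA is down: black-holed, never re-routed to L2.
        return "dropped"
    return route_lookup(dst, routes)

def narrow_phase2(spd, excluded_remote):
    """Constructed helper: carve excluded_remote out of every phase 2 remote
    network so that traffic to it falls through to ordinary routing."""
    out = []
    for local, remote, up in spd:
        if excluded_remote.subnet_of(remote) and excluded_remote != remote:
            out.extend((local, sub, up)
                       for sub in remote.address_exclude(excluded_remote))
        else:
            out.append((local, remote, up))
    return out

if __name__ == "__main__":
    backup_net = ip_network("10.2.0.48/28")  # constructed backup-server range
    narrowed = narrow_phase2(SPD, backup_net)
    print(forward("10.1.0.5", "10.2.0.50"))                  # ipsec
    print(forward("10.1.0.5", "10.2.0.50", spd=narrowed))    # L2-gateway
```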