Why can't an interface be assigned to an IPSec tunnel like it can with OpenVPN

bradsm87 · Aug 28, 2016, 5:57 AM

Why can't an interface be assigned to an IPSec tunnel like it can with OpenVPN?

I'm looking to do this for load balancing. I'll use OpenVPN tunnels if I have to but I'm more familiar with IPsec VPNs and would prefer to use AES128-GCM to make the most of my AES-NI hardware.

sirozha · Aug 29, 2016, 12:30 AM

Good question. I think it's about the conceptual design of IPSec. I know for a fact, IPSec has no interface in Cisco gear either - be it IOS-based routers or ASAs. There's a crypto engine (software or hardware) that encrypts the packets based on access lists that determine which traffic should be encrypted and which should not, but the crypto map is applied to a physical interface out of which the packets are to be sent post-encryption. There's no IPSec interface per se.

bradsm87 · Aug 29, 2016, 3:00 AM

Is there another way to load balance two pfSense to pfSense IPSec tunnels?

sirozha · Aug 30, 2016, 5:41 AM

You have to encapsulate the traffic between the source and destination host subnets into a tunneling protocol, whose IP header will have two different sets of source and destination IPs for the two IPSec channels. This can be done either via a dynamic routing protocol that advertises the subnets and thus brings up the tunnel, which in turn triggers the IPSec encryption, or you can use static routes to bring up the tunnels, but there will have to be some traffic that would trigger bringing the tunnel up, such as an IP phone trying to register to a voice server on the other end of the tunnel, or something phoning home to the other side of the tunnel. IPSec will then encrypt the packets based on the source and destination IPs in the header of the tumneling protocol instead of based on the source and destination host subnets.

You would have to load balance host traffic among tunnels using static routes or a routing protocol with the next hop being the destination IP of tunnel on the other side of the WAN, and the interface to be routed out of being the tunneling protocol interface, which encapsulates the host traffic inside its headers when the traffic is routes out of such an interface.

IPSec will encrypt each tunnel into a discrete secure channel based on the dource and destination IPs in the header of the tunneling protocol and will use a discrete destination IP in the outer (clear text) IP header for each such IPSec channel. This IP is assigmed to the IPSec headend on the other side of the WAN. Therefore, you will need to create a discrete IKE Phase 2 policy for each such discrete IPSec channel. Each discrete IPSec channel will encrypt one discrete tunnel.

The tunneling protocol can be GRE and perhaps L2TP. I'm not sure if pfSense can do this encapsulation with site-to-site IPSec tunnels, but if it can't, you can encapsulate the traffic in a tunneling protocol header by another router and then route encapsulated traffic to pfSense for encryption by IPSec.

jimp · Aug 30, 2016, 2:59 PM

The simple reason you can't assign them is because there is nothing special to be gained by doing it; The benefits of assigning an interface don't apply to IPsec.

OpenVPN has one distinct interface per server or client (e.g. ovpnsX or ovpncX, which underneath may be a tunY or tapY).
IPsec only has one interface, enc0, no matter how many tunnels are defined.

The OpenVPN interfaces are routed interfaces that work like any other operating system interface in most respects. They have addresses, can have their own firewall rules, can have a gateway for policy routing, can route, etc, etc.
The IPsec interface does not route – neither traditionally nor using policy routing, it only works by policy matching Phase 2/SPD entries. Since there is only one enc0 interface there is no way to split up rules for one tunnel from another, so assigning makes no sense for that either.

Some day if we gain routed IPsec capabilities that will probably change.

mrpsycho · May 7, 2018, 10:40 PM

@jimp, am i getting right, that i can't use IPsec to move specific traffic over tunnel?

or… is there any way to push some routes thru IPsec?

I mean:

I have VPS for proxying some traffic. And want, that Google Services were routed thru it. At office I have pfSense. pfSense and VPS are connected via IPsec.
How can i send only "Google" traffic thru IPsec?
or it is impossible...

jimp · May 7, 2018, 10:46 PM

The only way to get traffic into IPsec in pfSense right now is by making a P2 definition to send it there. You can't route it, you can't send it into IPsec via policy routing. Only P2 definitions.

mrpsycho · May 8, 2018, 11:03 AM

thanks… and that sucks that p2 doen't anderstand aliases... or any other dynamic or semi-dynamic routes.

mrpsycho · May 14, 2018, 5:12 PM

@jimp, is it possible, that "Use non-local gateway" in gateways will help me?

jimp · May 14, 2018, 5:13 PM

No.

mrpsycho · May 14, 2018, 8:35 PM

thanks.

i totally understand it.

what i've needed is GRE, or GIF, or VTI.

jimp · May 25, 2018, 6:02 PM

FYI- We are making progress on IPsec VTI which will let this work. It should be in snapshots in the next week or so.