1. Home
  2. pfSense® Software
  3. IPsec
  4. 2 IPsec tunnels, matching Phase 2 policies -- how to choose default tunnel

2 IPsec tunnels, matching Phase 2 policies -- how to choose default tunnel

  • M

    Hi,

    My pfSense deployment involves two IPsec tunnels from our HQ to two VPN endpoints in different regions. From each regional endpoint, traffic may flow to the destination network, 10.0.20.0/24. We have our BGP routing set up such that the preferred tunnel (left side of diagram below, from pfSense-a to pfSense-us-west) has routing priority. (We are using the FRR routing package.)

    The preferred and backup tunnels each have a matching Phase 2 entry that looks like this:
    src = 172.16.10.0/24, dst = 10.0.20.0/24

    Even though the routing table indicates that the preferred tunnel should be used, we find that traffic sometimes uses the backup tunnel for egress, somehow giving Phase 2 entries priority over routing preference. Is there any way to have matching Phase 2 entries for two tunnels but to always have the preferred tunnel used when available?

    Thanks!

    -Mike

                                                  My Team
                                          172.16.10.0/24
                                                 +
                                                 |
                                     +-----------+-------------+
                                     |       pfSense-a         |
                 PREFERRED TUNNEL    |                         |     BACKUP TUNNEL
                                     +------+--------+---------+
                    IPsec Tunnel            |        |               IPsec Tunnel
              +-----------------------------+        +-------------------------------+
              |                                                                      |
    +----------------------+                                             +---------------------+
    |  pfSense-us-west     |                                             |    pfSense-us-east  |
    +---------+------------+                                             +------------+--------+
              |                                                                       |
              +-------------------------------+      +--------------------------------+
                      IPsec Tunnel            |      |               IPsec Tunnel
                                        +-----+------+------+
                                        |  StagingEnv       |
                                        |  10.0.20.0/24     |
                                        +-------------------+
    0
  • jimp
    Rebel Alliance Developer Netgate

    That won't work with tunneled IPsec. Whatever P2 matches first will grab the traffic, and the other will never match. It can't make decisions like that.

    That said, in 2.4.4 we have Routed IPsec (VTI) which could do what you are after. It's still undergoing testing, but it allows for routing protocols and other similar techniques to work with IPsec. And since you have pfSense on each node it shouldn't be a problem there. Once every node is on 2.4.4, you can switch the tunnels over to VTI and then have BGP use the IPsec interfaces directly.

    0 M 1 Reply
  • M

    @jimp Thank you very much for the response! Looking forward to v2.4.4 being released :)

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy