2 IPsec tunnels, matching Phase 2 policies -- how to choose default tunnel

microfiber

Hi,

My pfSense deployment involves two IPsec tunnels from our HQ to two VPN endpoints in different regions. From each regional endpoint, traffic may flow to the destination network, 10.0.20.0/24. We have our BGP routing set up such that the preferred tunnel (left side of diagram below, from pfSense-a to pfSense-us-west) has routing priority. (We are using the FRR routing package.)

The preferred and backup tunnels each have a matching Phase 2 entry that looks like this:
src = 172.16.10.0/24, dst = 10.0.20.0/24

Even though the routing table indicates that the preferred tunnel should be used, we find that traffic sometimes uses the backup tunnel for egress, somehow giving Phase 2 entries priority over routing preference. Is there any way to have matching Phase 2 entries for two tunnels but to always have the preferred tunnel used when available?

Thanks!

-Mike

                                              My Team
                                          172.16.10.0/24
                                                 +
                                                 |
                                     +-----------+-------------+
                                     |       pfSense-a         |
                 PREFERRED TUNNEL    |                         |     BACKUP TUNNEL
                                     +------+--------+---------+
                    IPsec Tunnel            |        |               IPsec Tunnel
              +-----------------------------+        +-------------------------------+
              |                                                                      |
    +----------------------+                                             +---------------------+
    |  pfSense-us-west     |                                             |    pfSense-us-east  |
    +---------+------------+                                             +------------+--------+
              |                                                                       |
              +-------------------------------+      +--------------------------------+
                      IPsec Tunnel            |      |               IPsec Tunnel
                                        +-----+------+------+
                                        |  StagingEnv       |
                                        |  10.0.20.0/24     |
                                        +-------------------+

jimp

That won't work with tunneled IPsec. Whatever P2 matches first will grab the traffic, and the other will never match. It can't make decisions like that.

That said, in 2.4.4 we have Routed IPsec (VTI) which could do what you are after. It's still undergoing testing, but it allows for routing protocols and other similar techniques to work with IPsec. And since you have pfSense on each node it shouldn't be a problem there. Once every node is on 2.4.4, you can switch the tunnels over to VTI and then have BGP use the IPsec interfaces directly.

microfiber

@jimp Thank you very much for the response! Looking forward to v2.4.4 being released :)