Netgate Discussion Forum

2 IPsec tunnels, matching Phase 2 policies -- how to choose default tunnel

IPsec | 3 Posts, 2 Posters, 790 Views
microfiber

      Hi,

      My pfSense deployment involves two IPsec tunnels from our HQ to two VPN endpoints in different regions. From each regional endpoint, traffic may flow to the destination network, 10.0.20.0/24. We have our BGP routing set up such that the preferred tunnel (left side of diagram below, from pfSense-a to pfSense-us-west) has routing priority. (We are using the FRR routing package.)

      The preferred and backup tunnels each have a matching Phase 2 entry that looks like this:
      src = 172.16.10.0/24, dst = 10.0.20.0/24

      Even though the routing table indicates that the preferred tunnel should be used, we find that traffic sometimes uses the backup tunnel for egress, somehow giving Phase 2 entries priority over routing preference. Is there any way to have matching Phase 2 entries for two tunnels but to always have the preferred tunnel used when available?

      Thanks!

      -Mike

                                                    My Team
                                                172.16.10.0/24
                                                       +
                                                       |
                                           +-----------+-------------+
                                           |       pfSense-a         |
                       PREFERRED TUNNEL    |                         |     BACKUP TUNNEL
                                           +------+--------+---------+
                          IPsec Tunnel            |        |               IPsec Tunnel
                    +-----------------------------+        +-------------------------------+
                    |                                                                      |
          +----------------------+                                             +---------------------+
          |  pfSense-us-west     |                                             |    pfSense-us-east  |
          +---------+------------+                                             +------------+--------+
                    |                                                                       |
                    +-------------------------------+      +--------------------------------+
                            IPsec Tunnel            |      |               IPsec Tunnel
                                              +-----+------+------+
                                              |  StagingEnv       |
                                              |  10.0.20.0/24     |
                                              +-------------------+
jimp (Rebel Alliance Developer, Netgate)

        That won't work with tunneled IPsec. Whatever P2 matches first will grab the traffic, and the other will never match. It can't make decisions like that.

        That said, in 2.4.4 we have Routed IPsec (VTI) which could do what you are after. It's still undergoing testing, but it allows for routing protocols and other similar techniques to work with IPsec. And since you have pfSense on each node it shouldn't be a problem there. Once every node is on 2.4.4, you can switch the tunnels over to VTI and then have BGP use the IPsec interfaces directly.

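As an added illustration of the point made in the answer above (this is example code written for this page, not pfSense, FRR or strongSwan code): a small Python model of the two ways a gateway can pick the tunnel for a packet. Policy-based ("tunneled") IPsec is modelled as an ordered Security Policy Database where the first Phase 2 whose selectors match wins and the routing table is never consulted; routed IPsec (VTI) is modelled as an ordinary longest-prefix lookup over routes that point at tunnel interfaces. The tunnel and interface names (`ipsec-us-east`, `ipsec_vti_us_west`, ...) are placeholders, and the `metric` field is a stand-in for whichever preference the routing daemon installs, lower winning; real BGP/FRR path selection is more involved than a single integer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical model, not pfSense/strongSwan/FRR code: two ways a kernel can
# choose the IPsec tunnel for a packet.


@dataclass(frozen=True)
class Phase2:
    """One tunneled-mode Phase 2 entry (an SPD rule): traffic selectors
    and the tunnel it belongs to."""
    tunnel: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def policy_based_select(spd: Iterable[Phase2], src_ip: str, dst_ip: str) -> Optional[str]:
    """Policy-based IPsec: walk the SPD in order and take the first Phase 2
    whose selectors match. The routing table plays no part, so two tunnels
    with identical selectors are never chosen by BGP preference; order decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p2 in spd:
        if src in p2.src and dst in p2.dst:
            return p2.tunnel
    return None


@dataclass(frozen=True)
class Route:
    """A forwarding-table entry pointing at a VTI interface. 'metric' stands
    in for whatever preference the routing daemon installed (lower wins)."""
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int


def route_based_select(rib: Iterable[Route], dst_ip: str) -> Optional[str]:
    """Routed IPsec (VTI): longest-prefix lookup, ties broken by metric.
    The chosen interface is the tunnel; withdraw the route and the next
    best path takes over."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in rib if dst in r.prefix]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))
    return best.interface


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed scenario using the networks from the thread; tunnel and
# interface names are placeholders.
LAN, STAGING = "172.16.10.0/24", "10.0.20.0/24"

SPD_EAST_FIRST = [Phase2("ipsec-us-east", net(LAN), net(STAGING)),
                  Phase2("ipsec-us-west", net(LAN), net(STAGING))]
SPD_WEST_FIRST = list(reversed(SPD_EAST_FIRST))

RIB_BOTH_UP = [Route(net(STAGING), "ipsec_vti_us_west", metric=10),   # preferred path
               Route(net(STAGING), "ipsec_vti_us_east", metric=20)]   # backup path
RIB_WEST_DOWN = [r for r in RIB_BOTH_UP if r.interface != "ipsec_vti_us_west"]


def demo() -> dict:
    """Same packet, four situations: the SPD picks by order, the RIB by preference."""
    pkt = ("172.16.10.50", "10.0.20.7")
    return {
        "policy/east-first": policy_based_select(SPD_EAST_FIRST, *pkt),
        "policy/west-first": policy_based_select(SPD_WEST_FIRST, *pkt),
        "routed/both-up": route_based_select(RIB_BOTH_UP, pkt[1]),
        "routed/west-down": route_based_select(RIB_WEST_DOWN, pkt[1]),
    }


if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name:18s} -> {chosen}")
```

With two identical Phase 2 entries the result depends only on which entry is evaluated first, which is what the answer describes; with VTI routes the preferred interface is used while its route exists and the backup is used as soon as that route is withdrawn.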
microfiber @jimp

          @jimp Thank you very much for the response! Looking forward to v2.4.4 being released :)
