Using VIP subnet for routed VPN


  • I have managed to create this configuration on a different firewall product, and I'm wanting to recreate it using pfSense.

    In the other product, I am creating a network of virtual IP addresses, one address each assigned to routers in physically separated locations. The VIP subnet is 10.255.255.0/24. Location 1 gets 10.255.255.1, location 2 gets 10.255.255.2, location 3 gets 10.255.255.3, etc.

    When setting up IPsec between these locations, I specify public IP addresses as my Phase 1 endpoints for a specific tunnel. However, for Phase 2, instead of specifying the actual internal LANs on each location, I specify the listed virtual IP addresses (indirectly: in the competing firewall we are using, I am actually specifying the name of the virtual interface those virtual IPs live on, and the firewall works it out from there). In other words, there is an intermediary network between each LAN, composed entirely of VIPs, that the actual VPN tunnel is being established on.

    For traffic to be routed into the internal LANs from the virtual IP addresses, each location is implementing BGP, and each router announces its internal LAN routes to the other firewalls. This takes care of the routing, and traffic flows normally. It's a nice configuration because you can change the internal network topology at any particular location without changing the intermediary 10.255.255.0/24 network, and BGP will take care of updating the routing tables for you.

    I would like to replicate something like this in pfSense. One important difference I see in pfSense is that while there is a facility for VIPs, I don't know of any option to have a virtual interface. I got as far as establishing a VPN using a VIP network between location 1 and location 2, and I got pings from a host in location 1's LAN to be answered by the VIP assigned to location 2. I don't know if pings back from a host in location 2's LAN to location 1's VIP would've been answered. I never did get traffic to cross from LAN to LAN in different locations.

    I hope this post has made sense. Is anyone familiar with this configuration, and if it's doable on pfSense?
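The BGP side of the design described in the post (each router peering from its 10.255.255.x address and announcing only its own LAN) can be written out as a routing daemon configuration. The following is an added example in FRR syntax, not configuration from the poster or from the pfSense project; the AS numbers (65001-65003) and the LAN prefixes (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) are constructed for illustration, and it assumes the /32 VIP of each remote site is already reachable through the corresponding tunnel so the sessions can come up without multihop.

```text
! Location 1 (constructed example): router-id and peering address are this site's VIP.
router bgp 65001
 bgp router-id 10.255.255.1
 ! One eBGP neighbour per remote site, addressed by the remote site's VIP.
 neighbor 10.255.255.2 remote-as 65002
 neighbor 10.255.255.2 description location-2
 neighbor 10.255.255.2 update-source 10.255.255.1
 neighbor 10.255.255.3 remote-as 65003
 neighbor 10.255.255.3 description location-3
 neighbor 10.255.255.3 update-source 10.255.255.1
 !
 address-family ipv4 unicast
  ! Announce only this site's internal LAN; the VIP subnet itself is not advertised.
  network 192.168.1.0/24
  neighbor 10.255.255.2 activate
  neighbor 10.255.255.3 activate
  ! Accept only LAN-sized prefixes from peers (defensive filter, assumed policy).
  neighbor 10.255.255.2 prefix-list LAN-ONLY in
  neighbor 10.255.255.3 prefix-list LAN-ONLY in
 exit-address-family
!
ip prefix-list LAN-ONLY seq 10 permit 192.168.0.0/16 ge 24 le 24
ip prefix-list LAN-ONLY seq 20 deny any
```

Locations 2 and 3 mirror this with their own router-id, AS number and `network` statement. The inbound prefix-list is worth keeping even in a private mesh: it stops a misconfigured or compromised peer from injecting a default route or a more specific prefix that would pull another site's traffic through it.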