    Feature Request: Have IPSec listen on all members of a Gateway Group

    Routing and Multi WAN
    multi wan ipsec firewall routing
    SergeCaron (last edited by SergeCaron)

      Edit: Original post had misleading title. Senior moment.

      Running 2.4.4-RELEASE-p2 (amd64) with patch 67dd34a0996c14fdfeb1823e07fb3c82748d3794 (Bug #9404).

      You can have INBOUND connections on all members of a Gateway Group: amongst other things, you can access the router regardless of the state of the Gateway Group. This is the simple matter of creating the firewall rules (NAT et al.).

      This box has a 2-tier Gateway Group and a valid certificate is generated by Let's Encrypt using pfSense's "ACME Certificates" service, meaning the box is accessible using HTTP/HTTPS via both gateways.

      The certificate shows the alternate names:
      Nom DNS=altmonitoring.xyz.com
      Nom DNS=monitoring.xyz.com
      while the certificate object is "monitoring.xyz.com" matching the Hostname and Domain in pfSense's General Setup. The "Subject Alternate Name" was added to System -> Advanced -> Alternate Hostnames.

      There is no issue accessing the box either via https://monitoring.xyz.com through the Tier 1 Gateway or via https://altmonitoring.xyz.com through the Tier 2 Gateway regardless of the state of the Gateway Group.

      In the IPSec tunnel for Mobile Client, the interface is set to "GW Group xyz".

      The box accepts incoming connections on the Tier 1 interface.

      The box ignores all isakmp packets on the Tier 2 interface: a typical packet is

      09:38:42.985707 IP (tos 0x0, ttl 58, id 11973, offset 0, flags [none], proto UDP (17), length 572)
      (Client IP).500 > (Tier 2 IP).500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
      (sa: len=44
      (p: #1 protoid=isakmp transform=4 len=44
      (t: #1 type=encr id=aes (type=keylen value=0100))
      (t: #2 type=integ id=#12 )
      (t: #3 type=prf id=#5 )
      (t: #4 type=dh id=modp2048 )))
      (v2ke: len=256 group=modp2048)
      (nonce: len=48 data=(d8bc36128c04cb550dc4...01528bbbc00696121849ab9a1c5b2a5100000002))
      (n: prot_id=#0 type=16430(status))
      (n: prot_id=#0 type=16388(nat_detection_source_ip))
      (n: prot_id=#0 type=16389(nat_detection_destination_ip))
      (v2vid: len=20 vid=.+Qi...}|......a....)
      (v2vid: len=16 vid=.....A.......U. )
      (v2vid: len=16 vid=&$M8..a..*6.....)
      (v2vid: len=20 vid=.R.......I...[*Q....)

      In the Command Prompt diagnostics, a simple pfctl -sr | grep "isakmp" yields

      pass in on em1 reply-to (em1 Tier 1 IP) inet proto udp from any to (self) port = isakmp keep state label "IPsec: Mobile Phase 1 - inbound isakmp"

      confirming that the Tier 2 IP address is excluded from the firewall rules.

      When the Tier 1 gateway fails, the rules are updated to reflect the Tier 2 IP and appropriate interface.

      Everything is set up to access this box using either Gateway: is it possible to have IPSec listen and accept INBOUND connections from either Gateway?

      Regards,
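The post's diagnostic (pfctl -sr | grep "isakmp") only shows which interface currently carries the inbound IKE rule; the check below, an added example that is not part of the original post or of pfSense itself, parses such rule lines and reports which Gateway Group members lack inbound IKE (500/isakmp) and NAT-T (4500) pass rules. The sample rule text is constructed, and the interface names em1/em2 and the 4500 rule label are assumptions.

```python
import re

# Constructed sample of `pfctl -sr | grep -i ipsec` output. The first line mirrors the
# rule quoted in the post (Tier 1 IP replaced by a documentation address); the NAT-T
# line and the interface name em2 for the Tier 2 WAN are assumptions.
SAMPLE_RULES = """\
pass in on em1 reply-to (em1 203.0.113.1) inet proto udp from any to (self) port = isakmp keep state label "IPsec: Mobile Phase 1 - inbound isakmp"
pass in on em1 reply-to (em1 203.0.113.1) inet proto udp from any to (self) port = 4500 keep state label "IPsec: Mobile Phase 1 - inbound nat-t"
"""

# pfctl prints port 500 by its /etc/services name ("isakmp"); accept the numeric forms too.
RULE_RE = re.compile(
    r"^pass\s+in\s+on\s+(?P<iface>\S+)\s.*?proto\s+udp\b.*?"
    r"port\s*=\s*(?P<port>isakmp|ipsec-nat-t|500|4500)\b"
)
IKE_PORTS = {"500", "4500"}


def ike_listeners(rules_text):
    """Map interface -> set of IKE-related UDP ports that have an inbound pass rule."""
    listeners = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        port = {"isakmp": "500", "ipsec-nat-t": "4500"}.get(m.group("port"), m.group("port"))
        listeners.setdefault(m.group("iface"), set()).add(port)
    return listeners


def missing_ike_coverage(rules_text, group_members):
    """Return {iface: [missing ports]} for Gateway Group members with no IKE/NAT-T rule.

    Any member listed here will silently drop IKE_SA_INIT, which is exactly the
    symptom the post describes on the Tier 2 interface.
    """
    have = ike_listeners(rules_text)
    missing = {}
    for iface in group_members:
        gap = IKE_PORTS - have.get(iface, set())
        if gap:
            missing[iface] = sorted(gap)
    return missing


if __name__ == "__main__":
    # On a live box replace SAMPLE_RULES with the output of `pfctl -sr`.
    print(missing_ike_coverage(SAMPLE_RULES, ["em1", "em2"]))
```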

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.