Feature Request: Have IPSec listen on all members of a Gateway Group



  • Edit: Original post had misleading title. Senior moment.

    Running 2.4.4-RELEASE-p2 (amd64) with patch 67dd34a0996c14fdfeb1823e07fb3c82748d3794 (Bug #9404).

    You can have INBOUND connections on all members of a Gateway Group: amongst other things, you can access the router regardless of the state of the Gateway Group. This is the simple matter of creating the firewall rules (NAT et al.).

    This box has a 2-tier Gateway Group and a valid certificate is generated by Let's Encrypt using pfSense's "ACME Certificates" service, meaning the box is accessible using HTTP/HTTPS via both gateways.

    The certificate shows the alternate names:
    Nom DNS=altmonitoring.xyz.com
    Nom DNS=monitoring.xyz.com
    while the certificate object is "monitoring.xyz.com" matching the Hostname and Domain in pfSense's General Setup. The "Subject Alternate Name" was added to System -> Advanced -> Alternate Hostnames.

    There is no issue accessing the box either via https://monitoring.xyz.com through the Tier 1 Gateway or via https://altmonitoring.xyz.com through the Tier 2 Gateway regardless of the state of the Gateway Group.

    In the IPSec tunnel for Mobile Client, the interface is set to "GW Group xyz".

    The box accepts incoming connections on the Tier 1 interface.

    The box ignores all isakmp packets on the Tier 2 interface: a typical packet is

    09:38:42.985707 IP (tos 0x0, ttl 58, id 11973, offset 0, flags [none], proto UDP (17), length 572)
    (Client IP).500 > (Tier 2 IP).500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=44
    (p: #1 protoid=isakmp transform=4 len=44
    (t: #1 type=encr id=aes (type=keylen value=0100))
    (t: #2 type=integ id=#12 )
    (t: #3 type=prf id=#5 )
    (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=48 data=(d8bc36128c04cb550dc4...01528bbbc00696121849ab9a1c5b2a5100000002))
    (n: prot_id=#0 type=16430(status))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (v2vid: len=20 vid=.+Qi...}|......a....)
    (v2vid: len=16 vid=.....A.......U. )
    (v2vid: len=16 vid=&$M8..a..*6.....)
    (v2vid: len=20 vid=.R.......I...[*Q....)

    In the Command Prompt diagnostics, a simple pfctl -sr | grep "isakmp" yields

    pass in on em1 reply-to (em1 Tier 1 IP) inet proto udp from any to (self) port = isakmp keep state label "IPsec: Mobile Phase 1 - inbound isakmp"

    confirming that the Tier 2 IP address is excluded from the firewall rules.

    When the Tier 1 gateway fails, the rules are updated to reflect the Tier 2 IP and appropriate interface.

    Everything is set up to access this box using either Gateway: is it possible to have IPSec listen and accept INBOUND connections from either Gateway?

    Regards,
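A quick way to confirm the symptom described above (the auto-generated IPsec rules only covering the Tier 1 interface) is to check the `pfctl -sr` output for an inbound UDP pass rule on each Gateway Group member interface for both isakmp (500) and ipsec-nat-t (4500). The script below is an added example, not code from the post or from pfSense; the rule text, interface names em1/em2 and the 192.0.2.x/198.51.100.x addresses are constructed samples modelled on the single rule quoted in the post.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output (not captured from a real box).
# It mirrors the post: only em1 (Tier 1) carries the IPsec pass rules.
PF_RULES='pass in on em1 reply-to (em1 192.0.2.1) inet proto udp from any to (self) port = isakmp keep state label "IPsec: Mobile Phase 1 - inbound isakmp"
pass in on em1 reply-to (em1 192.0.2.1) inet proto udp from any to (self) port = ipsec-nat-t keep state label "IPsec: Mobile Phase 1 - inbound isakmp-nat-t"
pass in on em2 reply-to (em2 198.51.100.1) inet proto tcp from any to (self) port = https keep state label "webgui"'

# missing_ipsec_rules IFACES RULES
#   IFACES: space-separated interface names (the Gateway Group members)
#   RULES:  text as printed by `pfctl -sr`
# Prints one "<iface> <service>" line for every member interface that has
# no inbound UDP pass rule for that service; prints nothing when all are covered.
missing_ipsec_rules() {
    ifaces=$1
    rules=$2
    for ifc in $ifaces; do
        for svc in isakmp ipsec-nat-t; do
            # Match a rule that passes inbound UDP on this interface to this service port.
            if ! printf '%s\n' "$rules" \
                 | grep -Eq "^pass in on $ifc .*proto udp .*port = $svc( |$)"; then
                printf '%s %s\n' "$ifc" "$svc"
            fi
        done
    done
}

# Demonstration on the constructed rule set: reports em2 for both services.
missing_ipsec_rules "em1 em2" "$PF_RULES"
# On a real pfSense box, run instead: missing_ipsec_rules "em1 em2" "$(pfctl -sr)"
```

Running the check before and after a gateway failover shows the coverage moving from one interface to the other rather than both being covered at once.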