IPsec with parallel EPS and AH phase 2 connections
• two IPsec tunnels between a pair of pfSense Netgate boxes, one of which encrypts the data (ESP) and the other does not (AH).
• some traffic between the two sites needs encryption
• other traffic is time-sensitive (audio over IP for broadcast radio), will be public in a few seconds anyhow (because, broadcast radio), and encryption introduces delay and CPU load
• Netgate SG-1100 box at each site
• pfSense 21-02p1 release installed in each
• no multi-WAN or CARP yet... trying to keep this simple on the lab bench until it works
• Ideally this would employ policy-based routing of traffic into either of the two tunnels, based on e.g., VLAN or tags. However, I read elsewhere that VTI is required to do this (at least with IKEv2 in phase 1), and that PBR has a bug with a completed fix planned for the next release.
• In the interim, the LAN address space has been partitioned such that some destinations would employ the ESP tunnel and others the AH tunnel.
I can only get one of the two tunnels to pass traffic. If the second phase 2 is defined, all traffic comes to a halt.
Approach 1: use one phase 1 IKEv2.
• split connection checked & WAN IPv4 addresses for the two Netgates are specified
• create first P2 as ESP, VTI
• VTI interface assignments are 10.0.1.112/24 and 10.0.1.160
• add interface and assign the resultant VTI
• add gateway, assign the VTI
• define static route to divert traffic to that gateway
end A: addresses 10.112.0.0/12 go to its VTI gateway
end B: addresses 10.160.0.0/12 go to the VTI gateway
So far, so good. Traffic flows happily.
Now to add the second P2 as an AH tunnel
• VTI interface assignments are 10.0.1.120/24 and 10.0.1.168
• add another interface and assign the resultant VTI for clear traffic
• add another gateway, and assign the new VTI to it
• define static route for a different address space
By now one can see in the dashboard that dead-man traffic flows in but without responses from the far end on both VTIs. If one rebooted the Netgates at this point, BOTH P2s would fail to exchange traffic.
An attempt to create two IKEv2 P1s between the same endpoints (with the multiple connections option checked) failed in the same way. One could define everything, but even the deadman traffic failed to flow & respond in the second VTI/P2.
In fact, even after deleting the second route, second interface, and second P2 traffic was still not flowing. A reboot of both Netgates was required to get back to a situation with one IKEv2 P1 containing one P2 running ESP.
Nothing appears in the IPsec or firewall logs.
Clearly I'm doing something wrong in setting up the second P2 AH. Suggestions welcome!