IKEv2 "RW-equivalent" S2S
-
Hello guys. I need some hints on how to design an IKEv2 deployment to remotely manage a multitude of pfSense boxes in the wild.
I have a USG which is already configured for other IKEv2 instances by manual editing of the strongSwan config file. There are both pure RW/mobile conns and pure S2S ones defined, and all are working just fine.
To allow multiple pfSense boxes to reach the USG I cannot add a new conn stanza for each new pfSense box as it wouldn't scale.
The first thing I attempted was to set up a normal RW conn stanza on the USG assigning virtual IPs in tunnel mode to the pfSense boxes, but it seems I'm unable to set pfSense to request such a virtual IP from the strongSwan running on the USG side. I mean, I could easily do that by manually configuring strongSwan files, but I couldn't find a way to do it in pfSense.
The other attempt consisted of a degenerate S2S setup where the pfSense side would restrict the SA by local traffic selector to a single IP statically defined at the pfSense side. Please note that this is not entirely optimal, as giving the pfSense side control over which address to take is something I would need to document in security assumption reports. This, however, isn't working, as I can't manage to set this static IP on any actual interface in tunnel mode. VTI works, but the SA gets initiated without local traffic selector restrictions and the full virtual IP subnet taken from the remote USG is used (which is not good, as on the USG I would get multiple P2s having the same remote subnet).
Any help is appreciated,
Cheers,
LuKe