IPSec Phase 2's Combined/What Am I Not Understanding?
-
Hoping to get some clarity about this here. I made a post about it a long, long time ago and don't think I got any responses to it, so I did more testing recently and was able to confirm it.
When creating Phase 2's on IPSec VPNs in pfSense, it appears that they're "combined" when the VPN actually connects, establishing connectivity between subnets which aren't defined as connected to each other.
I think an example would make more sense.
Say we have 4 subnets (1 through 4), 2 at each site (Site A w/ 1 and 2, and Site B w/ 3 and 4); these 2 sites already have Phase 1 configured and functional.
Now say a Phase 2 is set up for Subnet 1 and Subnet 3 between Site A and B, and then an additional but separate Phase 2 is set up for Subnet 2 and Subnet 4 between A and B. In my testing, Subnet 1 and Subnet 4 CAN communicate with each other, which seems maybe unintended? Or is there something about IPSec I don't really understand? As far as I was able to find online, in order for Subnet 1 and 4 to communicate you should have to set up an additional Phase 2 between those 2 subnets, but that isn't the case here.
Again, this is repeatable and something I have validated in live environments, and obviously you use firewall rules regardless, so it may not be much/any security issue, but it seems abnormal to me. If desired I can spin something up in my lab to test this and show screenshots, etc.
-
@planedrop Hmm, I think I have stumbled upon the same issue in a different use case. In my case it actually prevents me from achieving what I intended, so this is a real problem for me.
https://forum.netgate.com/topic/187925/unexpected-phase-2-behaviour-combines-two-p2-to-one-established
It seems the policy routing engine does not create a normal routing table but rather does some sort of supernetting on local and remote nets, perhaps to attempt to have only one route entry instead of a normal route table. But this is highly problematic in terms of both security and functionality.
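To make the two behaviours discussed above concrete, here is an added model (not pfSense, strongSwan or any poster's code) of the scenario from the first post. It installs one policy per configured Phase 2 (the expected behaviour) next to a single supernet-to-supernet policy (one reading of the supernetting hypothesis in the reply; whether pfSense really builds its policies this way is not established by the thread), and lists every subnet pair the merged policy would carry that no Phase 2 configured. Those are the pairs an administrator would have to block explicitly with rules on the IPsec interface. All addresses, subnet names and the `Subnet 5` case in the usage note are constructed for the example; `smallest_supernet()` and friends are hypothetical helpers, not anything from pfSense.

```python
"""Model of the 'combined Phase 2' behaviour discussed in the thread.

Added illustration, not pfSense or strongSwan code. merged_policy() encodes
one reading of the reply's supernetting hypothesis: all local selectors are
collapsed into their smallest common prefix, all remote selectors likewise,
and a single policy is installed between them. Addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from itertools import product


def inventory(mapping):
    """Turn {name: 'cidr'} into {name: IPv4Network}."""
    return {name: ip_network(cidr) for name, cidr in mapping.items()}


# Constructed site inventories: Site A owns subnets 1 and 2, Site B owns 3 and 4.
SITE_A = inventory({"Subnet 1": "10.1.0.0/24", "Subnet 2": "10.1.1.0/24"})
SITE_B = inventory({"Subnet 3": "10.2.0.0/24", "Subnet 4": "10.2.1.0/24"})

# The two Phase 2 entries from the thread: 1<->3 and 2<->4; nothing for 1<->4 or 2<->3.
PHASE2 = [("Subnet 1", "Subnet 3"), ("Subnet 2", "Subnet 4")]


def smallest_supernet(nets):
    """Smallest single prefix that contains every network in `nets`."""
    nets = list(nets)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit until all fit
    return candidate


def per_pair_policies(site_a, site_b, phase2):
    """Expected behaviour: one (local, remote) policy per configured Phase 2."""
    return [(site_a[l], site_b[r]) for l, r in phase2]


def merged_policy(site_a, site_b, phase2):
    """Hypothesised behaviour: a single supernet<->supernet policy."""
    local = smallest_supernet(site_a[l] for l, _ in phase2)
    remote = smallest_supernet(site_b[r] for _, r in phase2)
    return [(local, remote)]


def covered_pairs(site_a, site_b, policies):
    """Named (Site A subnet, Site B subnet) pairs that some policy would carry."""
    out = set()
    for (na, a), (nb, b) in product(site_a.items(), site_b.items()):
        if any(a.subnet_of(l) and b.subnet_of(r) for l, r in policies):
            out.add((na, nb))
    return out


def unintended_pairs(site_a, site_b, phase2):
    """Pairs reachable under the merged policy but not configured as a Phase 2."""
    wanted = covered_pairs(site_a, site_b, per_pair_policies(site_a, site_b, phase2))
    got = covered_pairs(site_a, site_b, merged_policy(site_a, site_b, phase2))
    return sorted(got - wanted)


def host_pair_matches(src, dst, policies):
    """Would traffic src -> dst be selected by any of the given policies?"""
    s, d = ip_address(src), ip_address(dst)
    return any(s in l and d in r for l, r in policies)


if __name__ == "__main__":
    print("merged policy:", merged_policy(SITE_A, SITE_B, PHASE2))
    print("unintended pairs:", unintended_pairs(SITE_A, SITE_B, PHASE2))
    # A host in Subnet 1 talking to a host in Subnet 4: no Phase 2 covers it,
    # the merged policy does.
    expected = per_pair_policies(SITE_A, SITE_B, PHASE2)
    merged = merged_policy(SITE_A, SITE_B, PHASE2)
    print("1->4 per-pair:", host_pair_matches("10.1.0.10", "10.2.1.10", expected))
    print("1->4 merged:  ", host_pair_matches("10.1.0.10", "10.2.1.10", merged))
```

The model also shows why the reply calls this a functional problem and not only a security one: if the subnets in the Phase 2s are not adjacent (say Subnet 2 is `10.1.2.0/24` and an unrelated `Subnet 5` sits at `10.1.1.0/24`), the smallest common prefix becomes `10.1.0.0/22` and `unintended_pairs()` reports Subnet 5 as reachable from Site B even though it appears in no Phase 2 at all.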