  • iperf3 issue for IPsec VTI between two sites

    0 Votes, 2 Posts, 453 Views

    @stephenw10 any ideas?

  • 0 Votes, 1 Post, 386 Views
    No one has replied
  • Multiple VTI IPSEC tunnels with /30 on same 192.168.X.0 ?

    0 Votes, 2 Posts, 411 Views
    jimp

    @yathus said in Multiple VTI IPSEC tunnels with /30 on same 192.168.X.0 ?:

    Maybe it's because one of my clients is not on the latest version? (2.4.4-p2)

    That is likely the case. Some older versions didn't properly respect the configured subnet mask for VTI interfaces. Update both to a current version and try again.

  • How do I create a VPN to tunnel from one VLAN to another?

    0 Votes, 2 Posts, 395 Views

    Bump. Still haven't been able to figure this out.

  • IPSEC VTI Tunnels

    0 Votes, 51 Posts, 24k Views

    Maybe an example of a running Cisco pfSense VTI tunnel connection with dynamic routing helps:
    Cisco-pfSense with VTI
    Unfortunately in German, but it is pretty self-explanatory.

  • One-way traffic over VTI IPsec tunnel between pfSense and Cisco ASA

    0 Votes, 13 Posts, 3k Views

    Maybe it helps...
    You can find a running Cisco pfSense VPN configuration here:

    Cisco-pfSense with VTI

    Unfortunately in German, but the screenshot and config are pretty self-explanatory.

  • Getting issues with connecting VPN tunnels

    0 Votes, 1 Post, 268 Views
    No one has replied
  • IPSec IKEv2 with EAP-RADIUS VPN - Azure Multi-Factor-Authentication

    0 Votes, 5 Posts, 3k Views
    viktor_g

    feature request created: https://redmine.pfsense.org/issues/11211

  • Problems with routed IPsec VTI

    0 Votes, 15 Posts, 4k Views

    @Ziomalski do you have any further ideas here?

  • Only 2 P2 possible simultaneously, more breaks the connection

    0 Votes, 2 Posts, 354 Views

    Turns out the issue was related to network settings. As the remote subnet was /24 and I had 3 local ones connected to it, pfSense did not like this.

    Anyhow, I changed all three P2s into a single one: 192.168.0.0/16 BINAT 10.201.0.0/16, remote 10.0.0.0/16,
    and now it works flawlessly!

  • AWS IPsec no connection (Status / IPsec / Overview) missing SA entries

    0 Votes, 2 Posts, 366 Views

    Hi, the error was found and corrected in the VPN configuration on the AWS side.
    The pfSense LAN subnet is entered there under "Local IPv4 Network Cidr".
    The VPC subnet must be entered under "Remote IPv4 Network Cidr".

    AWS -> "VIRTUAL PRIVATE NETWORK (VPN)" -> "Site-to-Site VPN Connections":

    aws-vps-ipsec.png

  • Site2Site IPsec between 2 pfSense not working

    0 Votes, 4 Posts, 533 Views

    @kevindd992002
    Yes, exactly.
    I was 100% sure that I got it correct on both sides, but well... that wasn't the case here.

  • Traffic from internet through IPSEC VTI not returning the same way

    Moved
    0 Votes, 23 Posts, 3k Views

    @e37921 said in Traffic from internet through IPSEC VTI not returning the same way:

    @kevindd992002
    The solution for me was to use OpenVPN. Netgate informed me that there are some limitations in the FreeBSD software that cause this issue. I deleted my IPsec VPN and then built the site-to-site VPN using OpenVPN in pfSense. All my policy-based routing worked fine after the switch.

    I am new to pfSense and was used to using IPsec VPNs with other firewalls. I had never used OpenVPN, therefore I started with IPsec. OpenVPN is very simple to set up and works well. I am using it for site-to-site VPN with pfSense on both sides as well as for mobile VPN.

    Hope this helps you.

    Eric

    Yeah, it's the other way around for me. Everything was working fine with OpenVPN but I needed to switch to IPsec because the bandwidth I'm getting with OpenVPN is limited by my hardware (APU2C4).

    I consulted @jimp and confirmed that the workaround for this issue is this. The only caveat for setting that is it breaks policy-based IPsec tunnels, so if you use both route-based and policy-based then that would be a problem. As I'm using only route-based IPsec, I'm good. I'm testing now.

  • Routed IPSec reply-to

    0 Votes, 4 Posts, 658 Views

    @jimp said in Routed IPSec reply-to:

    It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.

    In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.

    For non-web-based services like Plex and Deluge where I need to port forward on the local end to access these servers on the far end, can HAProxy work? I tried outbound NAT with IPsec on the local end and it is not working. It works for OpenVPN just fine.

  • NAT still broken on IPSEC VTI?

    0 Votes, 8 Posts, 1k Views

    @jimp

    But does outbound NAT to the IPsec interface address work without any problems? It's not working for me.

  • Handling DNS resolution when IPsec is down

    0 Votes, 3 Posts, 443 Views

    @vegbrasil said in Handling DNS resolution when IPsec is down:

    I managed to fix this problem with a better "option 3":

    Unbound on the branch office forwards only the needed zones to the main office, while all other zones are being forwarded to public DNS servers (root or not).

    Here's the complete step by step:

    1. Make sure you have your preferred external DNS server set in System -> General Setup -> DNS Server Settings.
    2. Run DNS Resolver on the remote pfSense box, but for the "Outgoing" interface make sure you use the "LAN" interface, not the WAN. This is needed so that the requests go across the tunnel.
    3. Under the "Domain Overrides", enter the domains that you need to have resolved by the DNS at the main branch (i.e. ad.company.com) and the IP address of those DNS servers. You can also add the in-addr.arpa to those forwarding domains if reverse lookups are needed. If you have more than one server, duplicate the entry but change the DNS IP.
    4. Change the DHCP server settings to use the LAN address of the pfSense box as their DNS servers.

    In this case, when the tunnel drops, the only items that will fail to resolve will be the ones that specifically are forwarded to the main branch.

    I have the same setup, although instead of using LAN in the outgoing interfaces in Unbound, I use localhost, or use both WAN and the IPsec interface (as I use routed VTI). This works the same way as what you did, but I'm not sure if there's an advantage.

  • Cannot establish IPSec connection between two sites

    0 Votes, 12 Posts, 2k Views

    Can anybody help, please?

  • Help me add access to IPsec site B via OpenVpn RW site A

    0 Votes, 5 Posts, 668 Views

    Turns out this is not related to high traffic via IPsec.

    As it seems, this is related to the IPsec tunnel only being able to keep up 2 children out of 3 total. So at a given time only 2 children are operational. If a new request from a client comes that is routed via the 3rd child, one of the 2 active CAs gets disconnected and connections are lost.

    Is this settings-related? Have I set something wrong? I can't find anything related...

  • Replace Cisco Router's IPsec tunnel with pfSense Router's

    0 Votes, 4 Posts, 695 Views

    *Minor Update to the diagram

    Cisco IPsec Network.png

    "Not My Cisco Router 2" had IP Address 123.45.67.90 instead of IP Address 123.45.89.90 on the original post's diagram. I do not think that this changes my questions.

    The original diagram represents what is actually working using Cisco hardware.

    The following diagram is what I am presently doing:
    pfSense IPsec Network.png

    I am basically trying to replace "My Cisco Router".

    I have a working IPsec tunnel between LANs 10.10.10.0/24 and 10.10.20.0/24. I did this to test if an IPsec VPN between two pfSense routers would work as expected and, second, to check the configuration on "My pfSense Router". I can report that at least the tunnel between my pfSense routers works.

  • command for ip xfrm state

    0 Votes, 3 Posts, 934 Views

    @konstanti said in command for ip xfrm state:

    ipsec statusall
    or
    swanctl --list-sas
    or
    setkey -D

    Thanks a lot!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.