Static routes ignored with the IPsec interface
Hello! First poster here, hopefully I'm not breaking any rules.
I have connected a pfSense instance (10.0.0.8) to a vendor network with an IPsec tunnel. The objective is very simple: for the machines in my local machine to be able to talk to a single host (10.80.70.11).
The tunnel seems to work fine, as from 10.0.0.8 I can ping 10.80.70.11 without any problem. I configured IPsec in VTI mode and created an interface as explained in the docs:
After verifying that packets from my local machines for 10.80.70.11 are correctly routed to 10.0.0.8, I added the following static rule:
Unfortunately, this doesn't seem to work for me. When I go to the Diagnostics > Routes tab, this route is not shown. Local testing on 10.0.0.8 shows that the route doesn't exist at all as 10.80.70.11 gets triaged into 0.0.0.0:
    [2.7.1-RELEASE][admin@pfsense]/root: route -n get 10.80.70.11
       route to: 10.80.70.11
    destination: 0.0.0.0
           mask: 0.0.0.0
        gateway: 10.0.0.254
            fib: 0
      interface: em0
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0
The weird thing is, if I change the interface of the route to something else (like null4), suddenly the rule appears in the diagnostics and from the command line:
    [2.7.1-RELEASE][admin@pfsense]/root: route -n get 10.80.70.11
       route to: 10.80.70.11
    destination: 10.80.70.11
            fib: 0
      interface: lo0
          flags: <UP,HOST,DONE,STATIC,BLACKHOLE>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0     16384         1         0
And meanwhile, when the correct static route is ignored, I am still able to ping 10.80.70.11 from the command line, which I cannot understand since the system routes don't even work:
    [2.7.1-RELEASE][admin@pfsense]/root: ping 10.80.70.11
    PING 10.80.70.11 (10.80.70.11): 56 data bytes
    64 bytes from 10.80.70.11: icmp_seq=0 ttl=128 time=20.868 ms
    64 bytes from 10.80.70.11: icmp_seq=1 ttl=128 time=20.493 ms
    64 bytes from 10.80.70.11: icmp_seq=2 ttl=128 time=20.645 ms
    64 bytes from 10.80.70.11: icmp_seq=3 ttl=128 time=20.301 ms
If anyone were so kind as to point out what I did wrong, it would be very appreciated.
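As an added check (example code, not part of the original post), the shell function below parses `route -n get` output and reports whether the lookup matched a specific route or fell through to the default route, which is the symptom the two captures above show; the sample inputs are the poster's own outputs, and no VTI interface name is assumed.

```shell
#!/bin/sh
# Added example: detect when a lookup for a host silently falls back to the
# default route (destination 0.0.0.0 / mask 0.0.0.0) instead of hitting the
# static route that was configured for it.

# route_fell_to_default OUTPUT
# OUTPUT is the text printed by `route -n get <host>` on FreeBSD/pfSense.
# Prints "default" when the match is the default route, "specific" otherwise.
route_fell_to_default() {
    dest=$(printf '%s\n' "$1" | awk '$1 == "destination:" { print $2 }')
    mask=$(printf '%s\n' "$1" | awk '$1 == "mask:" { print $2 }')
    # A host route prints no "mask:" line at all, so treat a missing mask as
    # "not the default route" unless the destination itself is 0.0.0.0.
    if [ "$dest" = "0.0.0.0" ] && [ "${mask:-0.0.0.0}" = "0.0.0.0" ]; then
        echo default
    else
        echo specific
    fi
}

# Sample 1 (copied from the post): route pointed at the VTI interface,
# lookup falls through to the default gateway 10.0.0.254 on em0.
SAMPLE_VTI='   route to: 10.80.70.11
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.0.0.254
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Sample 2 (copied from the post): same lookup after pointing the route at
# null4, where a host route is actually installed.
SAMPLE_NULL='   route to: 10.80.70.11
destination: 10.80.70.11
        fib: 0
  interface: lo0
      flags: <UP,HOST,DONE,STATIC,BLACKHOLE>'

route_fell_to_default "$SAMPLE_VTI"    # prints: default
route_fell_to_default "$SAMPLE_NULL"   # prints: specific
```

On a live box the same check is `route_fell_to_default "$(route -n get 10.80.70.11)"`, which makes the missing route visible even while the ping still succeeds.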