Netgate Discussion Forum
    VTI IPsec with 3rd party routers that use policy routing

    lisandromassera

      I’ve run into this issue several times when setting up an IPsec VPN with third parties who typically use policy-based VPNs on their firewalls (Cisco, Palo Alto, etc.).

      On my side, I rely on SNAT/DNAT, so I need to use a routed/VTI tunnel. The problem is that these third-party firewalls expect an exactly matching Phase 2 selector. However, when using VTI, pfSense automatically adds 0.0.0.0/0, ::/0 to my proposal, which breaks the match.

      Questions:

      Is there a known workaround for this?

      Would it be possible to add an option in the IPsec tunnel settings — e.g., a checkbox like "Don’t add 0.0.0.0/0 to the proposal" — so that existing behavior is preserved, but those of us who need exact matches can configure it accordingly?

      viragomann @lisandromassera
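      The selector mismatch described above, shown in generic strongSwan swanctl.conf syntax as an added illustration (pfSense runs strongSwan, but this is not the file pfSense generates, and whether its VTI mode can emit the second child is exactly what the post asks). All addresses, IDs and the PSK are constructed placeholders; the two children side by side are the VTI-style any-to-any selectors and the exact-match selectors a policy-based peer expects.

```conf
# Constructed example in swanctl.conf syntax; not pfSense's generated configuration.
# Placeholders: 203.0.113.10 = our gateway, 198.51.100.20 = third-party gateway,
# 10.200.0.0/24 = our (post-NAT) range, 10.50.0.0/24 = peer's protected range.
connections {
    third-party {
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        version = 2
        proposals = aes256-sha256-modp2048
        local  { auth = psk; id = 203.0.113.10 }
        remote { auth = psk; id = 198.51.100.20 }
        children {
            # Routed/VTI style: any-to-any traffic selectors. The routing table, not
            # the SA policy, decides what goes into the tunnel. A policy-based peer
            # that only accepts its configured subnet pair answers TS_UNACCEPTABLE
            # (or simply never matches its crypto map) when it sees 0.0.0.0/0.
            vti-style {
                local_ts  = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                esp_proposals = aes256gcm16-modp2048
                start_action = start
            }
            # Exact-match style: selectors mirror the peer's policy one-for-one.
            # This is what the third-party side wants to see in the CREATE_CHILD_SA.
            exact-match {
                local_ts  = 10.200.0.0/24
                remote_ts = 10.50.0.0/24
                esp_proposals = aes256gcm16-modp2048
                start_action = start
            }
        }
    }
}

secrets {
    ike-third-party {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "REPLACE_WITH_REAL_PSK"   # placeholder
    }
}
```

      Only one of the two children would normally be configured; they are listed together to make the difference visible. IKEv2 lets a responder narrow an initiator's selectors, so a strongSwan-to-strongSwan VTI with 0.0.0.0/0 on one side often still comes up, but a peer that does not narrow fails the Phase 2 match, which is the behaviour the post reports.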

        @lisandromassera said in VTI IPsec with 3rd party routers that use policy routing:

        On my side, I rely on SNAT/DNAT, so I need to use a routed/VTI tunnel.

        Could you explain this statement, please?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.