Netgate Discussion Forum
    IPsec VTI tunnel dropping PBR packets on OUT queue

keyser (Rebel Alliance), last edited by keyser

      Hi All.

I have been testing converting an increasingly complicated IPsec S2S tunnel-mode tunnel to VTI to "simplify" my routing between two sites (lots of VLANs and subnets on both sites).

      I have stumbled on a strange problem - I'm running 25.07.1:

The VTI tunnel works as expected and all subnets on both sides can talk without issue, depending on my firewall rules on Enc0. I'm not using the advanced IPsec filtering mode with interface rules, as I have a need for Mobile IPsec VPN tunnel mode on both sites.

I have ONE client on site B that I would like to use the Internet from Site A, so I created a higher-priority firewall rule granting it Internet access with a Policy Based Route action using the auto-created Site A VTI interface as gateway.
This does not work: the packets are all dropped on the Site B firewall (Errors on the OUT Queue for the S2S interface).
I have used packet capture on both boxes, and the Site B firewall thinks it's sending the policy-routed packets correctly (I get them in my capture). But they are not sent: Site A does not receive any packets from the policy route action, and all packets impacted are added to the ERRORS counter on the Site B sending firewall's S2S interface OUT Queue. All other packet flows between subnets on the sites work as expected over the very same tunnel.

      Any ideas? I have tried creating the floating rule with relaxed interface binding for OUT traffic on the IPsec interface with no success.

      Love the no fuss of using the official appliances :-)

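One way to pin the drops described above to the policy-routed traffic is to compare the VTI interface's OUT-queue error counter before and after a test flow from the PBR client. The helper below is an added example, not from the thread or from Netgate, and it assumes the FreeBSD `netstat -in` column layout with Oerrs second to last and a constructed pair of snapshots in place of real output.

```shell
#!/bin/sh
# Added diagnostic helper, not from the forum thread. It diffs two
# 'netstat -in' snapshots from a FreeBSD/pfSense box and prints the per-interface
# increase in Oerrs (the "Errors" on the OUT queue shown in the pfSense status
# page), so drops on the ipsecN VTI can be tied to a test flow from the
# policy-routed client. Assumed 'netstat -in' layout, Oerrs second to last:
#   Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll
# Counters only appear on each interface's <Link#N> line; per-address lines
# (which show "-" in the counter columns) are skipped.

oerrs_delta() {
    # $1 = "before" snapshot file, $2 = "after" snapshot file
    awk '
        $3 ~ /^<Link#/ {
            if (FNR == NR) before[$1] = $(NF-1)    # first file: remember Oerrs
            else {
                d = $(NF-1) - before[$1]           # second file: compute delta
                if (d > 0) printf "%s %d\n", $1, d
            }
        }' "$1" "$2"
}

# Constructed sample snapshots (not real output): ipsec1 picks up 7 output
# errors between the captures while the LAN interface igc0 stays clean.
demo_oerrs_delta() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    cat >"$before" <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
igc0   1500 <Link#1>      00:00:00:00:00:01   100000     0     0    90000     0     0
igc0      - 192.0.2.0/24  192.0.2.1           100000     -     -    90000     -     -
ipsec1 1400 <Link#9>      ipsec1                5000     0     0     4800     3     0
EOF
    cat >"$after" <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
igc0   1500 <Link#1>      00:00:00:00:00:01   100500     0     0    90400     0     0
igc0      - 192.0.2.0/24  192.0.2.1           100500     -     -    90400     -     -
ipsec1 1400 <Link#9>      ipsec1                5100     0     0     4850    10     0
EOF
    oerrs_delta "$before" "$after"
    rm -f "$before" "$after"
}

# On the firewall itself: netstat -in > before; generate traffic from the PBR
# client; netstat -in > after; oerrs_delta before after
demo_oerrs_delta
```

If the counter climbs by exactly the number of test packets sent from the PBR client while other flows leave it untouched, the drop is happening at the VTI output path rather than in encryption or on the far side.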
keyser (Rebel Alliance) @keyser, last edited by

        I'm sorry to "summon" you like this @stephenw10 :-)

        But you are the oracle on the intricacies of pfSense and its IPsec "behaviour".

Do you have any idea what might be causing what I'm experiencing? Is it a known bug, as there seem to be issues with IPsec VTI in many setups now?

        Love the no fuss of using the official appliances :-)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.