Netgate Discussion Forum

    Web browser over IPSEC VTI tunnel doesn't work. Pings work though

    KevCar87

      I have a pfSense 2.8.1 connecting to a WatchGuard firewall over IPsec VTI. I am pushing all traffic over the VPN. I am able to ping internet addresses just fine. Trace shows traffic going over the IPsec.
      The VPN is set up from Site B (pfSense) to Site A (WatchGuard). I am able to access web sites in Site A, but not the internet. I have other sites, but those firewalls are also WatchGuard and they never have a problem accessing the internet over the VPN. Not sure what I am missing on this setup.

      viragomann @KevCar87

        @KevCar87
        Did you add an outbound NAT rule for the B LAN subnet at A?

        KevCar87

          I did not make any changes on the Site A firewall. I have other sites connecting to Site A and I never have to do anything. Although all the other sites are using WatchGuard, I don't see how that would be different. Could be wrong. The policy for Site B is automatically added to the same policy as the others, so I don't think there is a need. Besides, ping is working, so doesn't that imply that NAT is functioning?

          viragomann @KevCar87

            @KevCar87
            As I understand you, you want the devices at B to access the internet through A.
            This requires that the source addresses of this traffic are NATed at A on the WAN interface. So you need to add an outbound NAT rule for it. Otherwise you won't have internet access at B.
            Alternatively, you can translate upstream traffic at B on the VTI interface.

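The two NAT placements viragomann describes (translate the B LAN at A's WAN, or translate at B on the VTI) can be traced through a small model to see what the internet host sees as the source and whether its reply can get back to B. This is an added illustration, not code from the thread or from pfSense or WatchGuard; the subnets, the VTI /30, the public addresses and the rule sets are all constructed, and the case where A's existing WAN NAT already covers the VTI transit network is an assumption about A's policy that the thread does not state.

```python
"""Trace a B-LAN packet through the VTI and A's WAN, with and without the
outbound NAT rules discussed above. Topology, addresses and rule sets are
constructed for illustration; none of this is pfSense or WatchGuard config."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology (assumptions; the thread names no addresses).
SITE_B_LAN = ip_network("192.168.20.0/24")      # pfSense LAN at site B
SITE_A_LAN = ip_network("192.168.10.0/24")      # WatchGuard LAN at site A
VTI_NET = ip_network("10.255.0.0/30")           # transit /30 on the VTI
VTI_B_IP = ip_address("10.255.0.2")             # pfSense end of the VTI
SITE_A_WAN_IP = ip_address("203.0.113.10")      # public address at site A
INTERNET_HOST = ip_address("198.51.100.80")     # some web server out there


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatRule:
    """Outbound NAT: on egress `iface`, rewrite sources inside `source` to `target`."""
    iface: str
    source: IPv4Network
    target: IPv4Address


def outbound_nat(pkt: Packet, iface: str, rules: list[NatRule]) -> Packet:
    """First matching rule wins, like a pf-style outbound NAT table."""
    for rule in rules:
        if rule.iface == iface and pkt.src in rule.source:
            return replace(pkt, src=rule.target)
    return pkt


def trace(pkt: Packet, b_rules: list[NatRule], a_rules: list[NatRule]) -> dict:
    """Walk the packet B LAN -> VTI -> A WAN -> internet and check the reply path.

    Site B's default route is the VTI, site A's is its WAN, and A knows the
    B LAN and the VTI /30 via the tunnel. The internet host answers to the
    source it saw: only A's own public address brings that answer back to A
    (which then reverses its NAT state and routes into the tunnel); an
    RFC 1918 source is dropped or misrouted upstream, so the reply is lost.
    """
    on_vti = outbound_nat(pkt, "vti", b_rules)       # as it leaves pfSense
    on_wan = outbound_nat(on_vti, "wan", a_rules)    # as it leaves WatchGuard
    return {
        "seen_by_internet": str(on_wan.src),
        "reply_reaches_b": on_wan.src == SITE_A_WAN_IP,
    }


# Site A as first described: outbound NAT only for its own LAN.
A_DEFAULT = [NatRule("wan", SITE_A_LAN, SITE_A_WAN_IP)]
# Fix 1: add an outbound NAT rule at A's WAN for the B LAN subnet.
A_WITH_B_RULE = A_DEFAULT + [NatRule("wan", SITE_B_LAN, SITE_A_WAN_IP)]
# Fix 2 (alternative): translate at B on the VTI to B's tunnel address.
# This only helps if A's WAN NAT already covers the VTI transit network;
# that is an assumption about A's existing policy, not a thread statement.
B_VTI_RULE = [NatRule("vti", SITE_B_LAN, VTI_B_IP)]
A_COVERS_VTI = A_DEFAULT + [NatRule("wan", VTI_NET, SITE_A_WAN_IP)]

# Constructed probe: a B LAN host talking to the web server.
PROBE = Packet(ip_address("192.168.20.50"), INTERNET_HOST)

if __name__ == "__main__":
    for label, b_rules, a_rules in [
        ("no extra NAT", [], A_DEFAULT),
        ("NAT at A for B LAN", [], A_WITH_B_RULE),
        ("NAT at B on VTI, A covers VTI net", B_VTI_RULE, A_COVERS_VTI),
        ("NAT at B on VTI, A unchanged", B_VTI_RULE, A_DEFAULT),
    ]:
        print(f"{label:36} -> {trace(PROBE, b_rules, a_rules)}")
```

Running it shows the first case leaving A's WAN with a 192.168.20.x source and no usable reply path, the A-side rule fixing it, and the B-side VTI rule only working when A also translates the tunnel address.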
              tinfoilmatt @KevCar87

              @KevCar87 said in Web browser over IPSEC VTI tunnel doesn't work. Pings work though:

              I have other sites connecting to site A and I never have to do anything. Although all the other sites are using Watchguard but I don't see how that would be different.

              Because WatchGuard gets paid to hand-hold—like 'automagically' configuring proper NAT between like boxes as you've now seen. Major difference.

              Viragomann is something like the IPsec resident expert around here. Take that for what you will.

                KevCar87 @viragomann

                @viragomann
                Yes, I am trying to get devices at B to go through A to access the internet. I am pretty sure that it's being NATed. Wouldn't this be required in order for pings to work? I can ping office.com from Site B but I can't browse to it. And I do know that the pings and browsing are going out A. WatchGuard had a step-by-step set of instructions for pfSense that I followed. I tried both route-based and policy-based. Same results.
                Here are the instructions I followed.
                And thanks for the replies.

                https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Pfsense_BOVPN.html

                  KevCar87 @KevCar87

                  Here are the route-based instructions that I am currently running.

                  https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Pfsense_BOVPN_virtual_interface.html?tocpath=Integration%20Guides%7CFireware%7C_____91

                    tinfoilmatt @KevCar87

                    @KevCar87 You might be able to make your preference, policy based or route based (VTI), work...

                    pfSense documentation on policy based (tunnel mode)

                    Otherwise, per that first warning box ("NAT is not currently compatible with route-based VTI IPsec tunnels without configuring an IPsec Filter Mode which is incompatible with tunnel-based IPsec. See Advanced IPsec Settings for details.")...

                    pfSense documentation on VTI

                    ...route-based (VTI) will require additional configuration beyond what the WatchGuard documentation appears to cover (more specifically here under "IPsec VTI Filtering").

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.