Netgate Discussion Forum

    IPSec won't route out VPN, only WAN

    Category: Problems Installing or Upgrading pfSense Software
    10 Posts, 2 Posters, 2.4k Views
    ckraimer:

    Back when we were giving 2.1 a tryout, I tried to get some help with this one. http://forum.pfsense.org/index.php/topic,63049.msg341701.html#msg341701

    All of the other challenges I had with 2.1 are gone and life is good. This is my only remaining problem with 2.1.

    I have an always-on OpenVPN tunnel going where the pfSense box is the client. It's also an OpenVPN and IPsec server. When my clients connect through the OpenVPN server they route out to the internet through the always-on OpenVPN tunnel as they should. But when my IPsec clients connect they route out the WAN connection. In my firewall rules I have:

        IPv4  *  10.10.7.0/24  *  *  *  VPN_DHCP  none

    This worked as you would expect in 2.0.3, but 2.1 still won't route traffic out the VPN, only the WAN.

    Any suggestions?
    ckraimer:

    Can anyone offer help here?
    ckraimer:

    Does this help? It's a snip from my IPsec log after I did a fresh build, re-installing everything manually just to try to fix this!

        Oct 20 18:28:23 racoon: INFO: no policy found, try to generate the policy : 10.10.7.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    ckraimer:

    I have a feeling the solution will be simple. Anyone?
    ckraimer:

    Alright, my wife makes the best brownies in the world. I will send you one (packaged properly so during shipment it maintains the moisture a brownie of this quality would have), if you fix this for me. It's a helluva deal.
    jimp (Rebel Alliance Developer, Netgate):

    Make sure to add a rule to pass the traffic locally that does not have a gateway set on the rule.
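An added example (not code from the thread or from pfSense) to make jimp's point concrete. It models the documented pfSense behaviour that rules on an interface tab are evaluated top to bottom with first match winning, and that a rule with a Gateway set hands matching packets to that gateway instead of consulting the routing table. The LAN subnet 192.168.1.0/24, the client address 10.10.7.5 and the use of the gateway name as a plain string are assumptions; 10.10.7.0/24 and VPN_DHCP are taken from the thread.

```python
"""Model of first-match policy routing on a pfSense interface ruleset.

Added illustration, not code from the thread or from pfSense.  It assumes
pfSense's documented behaviour: interface rules are evaluated top to bottom,
first match wins, and a rule with a Gateway set sends matching packets to
that gateway instead of the system routing table.  LAN_NET and the client
address are assumptions; the mobile pool and gateway name come from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("192.168.1.0/24")          # assumed LAN behind pfSense
IPSEC_MOBILE_NET = ip_network("10.10.7.0/24")   # mobile IPsec pool from the thread
VPN_GW = "VPN_DHCP"                             # gateway name from the thread
ROUTING_TABLE = "routing-table"                 # marker: no gateway set, normal routing


@dataclass(frozen=True)
class Rule:
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    gateway: Optional[str] = None   # None == "default" in the GUI (use routing table)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        dst_ok = self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst)
        return src_ok and dst_ok


def egress(ruleset: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Return where the first matching pass rule sends the packet, or
    'blocked' when nothing matches (pfSense's implicit default deny)."""
    for rule in ruleset:
        if rule.matches(src_ip, dst_ip):
            return rule.gateway or ROUTING_TABLE
    return "blocked"


# Ruleset as the original poster described it: one rule with the VPN
# gateway set and nothing above it for local destinations.
GATEWAY_ONLY = [
    Rule(src=str(IPSEC_MOBILE_NET), dst="any", gateway=VPN_GW),
]

# Ruleset following jimp's advice: pass local traffic first with no
# gateway, then policy-route everything else into the VPN.
LOCAL_FIRST = [
    Rule(src=str(IPSEC_MOBILE_NET), dst=str(LAN_NET)),            # no gateway
    Rule(src=str(IPSEC_MOBILE_NET), dst="any", gateway=VPN_GW),   # everything else
]


def compare(dst_ip: str, src_ip: str = "10.10.7.5") -> dict:
    """Egress decision for one mobile-client packet under both rulesets.
    src_ip defaults to an assumed client address inside the mobile pool."""
    return {
        "gateway_only": egress(GATEWAY_ONLY, src_ip, dst_ip),
        "local_first": egress(LOCAL_FIRST, src_ip, dst_ip),
    }


if __name__ == "__main__":
    for dst in ("192.168.1.10", "74.125.28.94"):
        print(dst, compare(dst))
```

With only the gateway rule, a mobile client talking to a LAN host is pushed into the OpenVPN tunnel as well; a no-gateway rule for local destinations placed above it keeps that traffic on the routing table and leaves the policy-routed rule for everything else.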
    ckraimer:

    If I don't specify the gateway in the IPsec interface firewall rule, and I move the NAT to the WAN interface, it does work. But I need to route the IPsec inbound traffic out the VPN gateway.

    I do see messages like this, where the VPN client is clearly reaching out to Google, but it's blocked on the way back in through the VPN. I know this has something to do with NAT, just can't track it down:

        pass   Oct 29 15:45:35  ipsec  <ipsec client>    74.125.28.94:443  TCP:S
        block  Oct 29 15:49:37  VPN2   74.125.28.94:443  <vpn tunnel>      TCP:FA
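A small detector for the pass/block pattern quoted in the post above, added here as an example; it is not code from the thread or from pfSense. It parses the GUI-style rendering of the firewall log as shown in the post (the raw filterlog format on disk is different and would need its own regex, an assumption left to the reader) and reports a TCP flow that was passed out on one interface whose reply, carrying ACK without SYN, was blocked on a different interface: a return packet arriving where pf holds no state for it. The sample entries are constructed to mirror the two quoted lines, with a made-up client socket 10.10.7.5:51234 in place of the placeholders, plus one unrelated LAN flow.

```python
"""Spot asymmetric pass/block pairs in pfSense firewall-log entries.

Added example, not code from the thread or from pfSense.  It reads the
GUI-style rendering used in the thread (action, timestamp, interface,
source, destination, proto:flags).  Assumption: the raw filterlog format
on disk differs and needs its own regex.  SAMPLE_LOG is constructed,
modelled on the two quoted lines, with a made-up client socket.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LINE_RE = re.compile(
    r"^(?P<action>pass|block)\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+):(?P<flags>\w+)$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    ts: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str

    @property
    def flow(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    @property
    def reverse_flow(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def parse(lines: Iterable[str]) -> List[Entry]:
    """Parse GUI-style log lines; lines that do not fit are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(Entry(d["action"], d["ts"], d["iface"], d["src"], int(d["sport"]),
                             d["dst"], int(d["dport"]), d["proto"], d["flags"]))
    return entries


def find_asymmetric_returns(entries: List[Entry]) -> List[Dict[str, str]]:
    """Passed flows whose reply was later blocked on a different interface.

    A blocked reply with ACK but no SYN (TCP:FA, TCP:A, ...) belongs to a
    connection that pf has no state for on the interface it arrived on, so
    the outbound half and the return travelled different paths.
    """
    passed = defaultdict(list)   # 5-tuple -> [Entry]
    for e in entries:
        if e.action == "pass":
            passed[e.flow].append(e)
    findings = []
    for e in entries:
        if e.action != "block" or "A" not in e.flags or "S" in e.flags:
            continue
        for p in passed.get(e.reverse_flow, []):
            if p.iface != e.iface:
                findings.append({
                    "client": f"{p.src}:{p.sport}",
                    "remote": f"{p.dst}:{p.dport}",
                    "out_iface": p.iface,
                    "return_blocked_on": e.iface,
                    "return_flags": e.flags,
                })
    return findings


# Constructed sample: the thread's pass/block pair with a made-up client
# socket, plus an unrelated LAN flow that must not produce a finding.
SAMPLE_LOG = """
pass  Oct 29 15:45:35  ipsec  10.10.7.5:51234     74.125.28.94:443   TCP:S
pass  Oct 29 15:45:36  LAN    192.168.1.10:40000  93.184.216.34:443  TCP:S
block Oct 29 15:49:37  VPN2   74.125.28.94:443    10.10.7.5:51234    TCP:FA
"""

if __name__ == "__main__":
    for finding in find_asymmetric_returns(parse(SAMPLE_LOG.splitlines())):
        print(finding)
```

The finding names the interface the SYN left on and the one the reply was dropped on, which is the first thing to check against the outbound NAT and gateway settings before touching the rules themselves.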
    ckraimer:

    So if I have:

        IPsec clients -> pfSense -> OpenVPN tunnel -> OpenVPN server -> Internet

    how should I configure NAT and/or firewall?
    ckraimer:

    I have tried lots of combinations and I believe the problem is what I suspected originally: the mobile IPsec clients do not take the assigned gateway in the firewall rules - it only routes out the WAN or default gateway.
    ckraimer:

    Can someone verify this?
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.