Policy based routing of network traffic coming in via IPsec
-
Hi All,
I am experiencing some issues with my IPsec VPN and policy based routing. Maybe you can help me?
I am running a road warrior IPsec VPN configuration on pfSense to protect my smartphone traffic when I am connected to a public hotspot. Any traffic coming in from the smartphone should be routed to a second VPN gateway hosted on my LAN.
My goal is to route all traffic from the VPN to my second VPN gateway. Therefore, I have created a Gateway (System > Routing > Gateways) and added a firewall rule for the IPsec interface (Firewall > Rules > IPsec) which specifies my second VPN router as the gateway.
These are the details:
Gateway definition:
Interface: LAN
Address Family: IPv4
Name: Second VPN Gateway
Gateway: <ip address of second vpn gateway>
Default GW: false
Disable GW monitoring: true
Rule definition:
Action: pass
Disabled: false
Interface: IPsec
TCP/IP Version: IPv4
Protocol: any
Source: any
Destination: not LAN subnet
Log: true
Gateway: Second VPN Gateway
However, when I want to access a system which is not on my LAN, the packet is routed via the default gateway and not via the gateway specified in the rule (verified using tcpdump on pfSense and on my second VPN gateway). This is, however, contrary to the log event created by pfSense, which indicates that the packet was sent to the second VPN gateway:
@70 pass in log quick on enc0 route-to (vr0 <ip address of second vpn gateway>) inet from any to ! 192.168.x.0/24 flags S/SA keep state label "USER_RULE: IPv4"
My pfSense firewall is connected to the internet (vr2) and LAN (vr0).
Thank you for your help.
BTW: I am running 2.1-RELEASE (i386) built on Wed Sep 11 18:16:44 EDT 2013
FreeBSD host.localdomain 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386 on an ALIX board.
Cheers,
Frank
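A small diagnostic to run on the pfSense box when a rule logs as route-to but tcpdump shows the packet leaving via the default gateway. It is an added example, not code from the post or from pfSense: it reads the rule text pf actually loaded (the output of `pfctl -sr`) together with a hand-assembled interface map, finds every route-to rule, and reports whether the route-to gateway lies inside the subnet configured on the route-to interface. A gateway that is not on that interface's subnet is something pf cannot deliver to, and the packet then follows the routing table instead. The rule lines, interface names and addresses below are constructed samples (private-range placeholders for the poster's values); the real invocation is noted in the comments.

```sh
#!/bin/sh
# Added diagnostic (not from the original post).  Usage on the firewall:
#   pfctl -sr | check_route_to "vr0=<lan ip>/<prefix> vr2=<wan ip>/<prefix>"
# The interface map is a single space-separated list of "ifname=addr/prefix"
# entries assembled from `ifconfig`; rules are read on stdin.
check_route_to() {
    awk -v ifmap="$1" '
    # Dotted-quad IPv4 address -> integer (fits exactly in a double).
    function ip2n(ip,   o) { split(ip, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    # Same /p network?  Integer division replaces the bitwise AND POSIX awk lacks.
    function same_net(a, b, p,   d) { d = 2 ^ (32 - p); return int(ip2n(a) / d) == int(ip2n(b) / d) }
    BEGIN {
        n = split(ifmap, ents, " ")
        for (i = 1; i <= n; i++) {
            split(ents[i], kv, "=")     # kv[1] = ifname, kv[2] = addr/prefix
            split(kv[2], ap, "/")       # ap[1] = addr,   ap[2] = prefix length
            addr[kv[1]] = ap[1]; pfx[kv[1]] = ap[2]
        }
    }
    /route-to \(/ {
        # $1 is the rule number pf assigned (e.g. @70); "on <if>" is the inbound interface.
        inif = ""
        for (i = 1; i < NF; i++) if ($i == "on") inif = $(i + 1)
        match($0, /route-to \([^)]*\)/)
        tgt = substr($0, RSTART + 10, RLENGTH - 11)   # text inside "route-to ( ... )"
        split(tgt, rt, " ")                           # rt[1] = out iface, rt[2] = gateway
        if (!(rt[1] in addr))                                    verdict = "NO-SUCH-IFACE"
        else if (same_net(rt[2], addr[rt[1]], pfx[rt[1]]))       verdict = "OK"
        else                                                     verdict = "GW-NOT-ON-IFACE"
        print $1, inif, "->", rt[1], rt[2], verdict
    }'
}

# Constructed sample of `pfctl -sr` output: @70 mirrors the rule quoted in the post
# with a placeholder LAN and gateway address; @71 is a deliberately wrong gateway.
SAMPLE_RULES='@69 pass in log quick on enc0 inet from any to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: LAN"
@70 pass in log quick on enc0 route-to (vr0 192.168.1.2) inet from any to ! 192.168.1.0/24 flags S/SA keep state label "USER_RULE: IPv4"
@71 pass in log quick on enc0 route-to (vr0 10.9.8.7) inet from any to ! 192.168.1.0/24 flags S/SA keep state label "USER_RULE: bad gw"'

# Constructed interface map: vr0 is LAN, vr2 is WAN, as in the post.
SAMPLE_IFACES='vr0=192.168.1.1/24 vr2=203.0.113.5/29'

printf '%s\n' "$SAMPLE_RULES" | check_route_to "$SAMPLE_IFACES"
```

Only rules that carry a route-to target are printed, one line each: rule number, inbound interface, route-to interface, gateway and a verdict. "GW-NOT-ON-IFACE" means the gateway the rule names is not on the subnet of the interface the rule names, and "NO-SUCH-IFACE" means the map has no entry for that interface, both worth fixing before looking anywhere else; an "OK" line says the loaded rule is internally consistent, and the remaining suspects are a different rule creating the state first or the gateway being skipped because it is marked down.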
-
Sorry for pushing :p