Netgate Discussion Forum

    PF 2.0.3 routing over IPSEC tunnel

    IPsec
    dmad

      Hey guys… I have a successfully established tunnel from a pfSense VM to a remote service that has several live/routeable IP addresses for their service.

      At my end I have a server behind the pfSense VM that uses pfSense as a gateway in your everyday traditional firewall/NAT situation. There is one other tunnel to another site with a SonicWall, NATting as well, which works properly.

      My pfSense Phase 1 goes to remote routable IP 123.123.123.123 (fake of course), and Phase 2 shows:
      Mode Tunnel, local subnet 130.0.0.1 (fake again, but the WAN IP of MY pfSense), remote subnet 123.123.100.0/24

      When I try to tracert 123.123.100.254 from a Windows box, the route goes to the pfSense, then out to my external WAN gateway, then out over the internet as if it were going anywhere else.

      I used the command:
      tcpdump -i em0 -n esp
      to sniff ESP packets on my pfSense, and I only see traffic going back and forth over the site-to-site VPN, nothing going out over the 'service' tunnel.

      This really seems like a routing issue, and strangely enough it apparently worked previous to this, although I didn't witness it (this is a new implementation at this location). As I understand it, the pfSense is supposed to have 'hidden' routes for its IPsec tunnels' remote networks, which is the case for the site-to-site, but not for the 'service'.

      PS, the SonicWall tunnel for this service that DOES work uses the same config; local network is X1 IP, aka WAN external IP. The only other 'funny' option is that 'Apply NAT Policies' is enabled, 'Translated Local Network' is set to X1, and 'Translated Remote Network' is set to Original. (See doc: http://help.sonicwall.com/index.html?sess=8qpofrd34dlsa35saeap7185l1#/help/sw/eng/5800/25/8/1/content/VPN_Settings/PANEL_vpnConfig.htm)

      Any ideas?

      dmad

        Here's my tunnel:

        [image: brokevpn.jpg]

        dmad

          Alright, it appears as if this option is available on the Phase 2 in 2.1, so I'm updating to RC1 and testing it...

          dmad

            Whoooooo

            Worked. OK, so for posterity's (and Google's) sake, the solution was evident in pfSense 2.1 (RC0+): in the Phase 2 properties of the IPsec tunnel, under local network you can provide the LAN subnet, with the 'NAT/BINAT' address being the external WAN IP.

            My only conclusion is that since the IPsec routes are kernel routes, they don't get the outbound NAT rules applied (which is what I was trying).

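The following is an added illustration of the Phase 2 selector-matching behaviour the thread describes; it is a model written for this page, not pfSense code, and it makes no claim about how pfSense implements BINAT internally. It reuses the poster's (fake) WAN address 130.0.0.1 and service prefix 123.123.100.0/24, and assumes a hypothetical LAN of 192.168.1.0/24 and a hypothetical site-to-site remote prefix of 10.20.0.0/16. The point it makes is the one the poster arrived at: with the local selector set to the firewall's own WAN /32, only packets sourced from the firewall match, and a LAN host's packets fall through to the default route (the tracert result); with the local network set to the LAN and the WAN IP as the NAT/BINAT address, LAN packets match and enter the tunnel as 130.0.0.1.

```python
"""Model of IPsec Phase 2 traffic-selector matching, with and without a
NAT/BINAT local address. Added example, not pfSense code.
Hypothetical values: LAN 192.168.1.0/24, site-to-site remote 10.20.0.0/16.
Values from the post (fake there too): WAN 130.0.0.1, service 123.123.100.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Phase2:
    name: str
    local: IPv4Net                     # "Local Network" on the Phase 2 page
    remote: IPv4Net                    # "Remote Network"
    binat: Optional[IPv4Addr] = None   # "NAT/BINAT" address (2.1+), or None


def phase2_for(policies: Iterable[Phase2], src: str, dst: str
               ) -> Tuple[Optional[Phase2], IPv4Addr]:
    """Return (matching policy, source address as carried inside the tunnel).

    (None, src) means no selector matched: the packet follows the ordinary
    route table and leaves the WAN unencrypted, which is what the poster's
    tracert showed. Outbound NAT on the WAN does not change this outcome,
    because the selector is checked against the untranslated LAN source.
    """
    s, d = IPv4Addr(src), IPv4Addr(dst)
    for p in policies:
        if d not in p.remote:
            continue
        if p.binat is not None:
            # With a NAT/BINAT address the peer negotiates binat/32 as the
            # local selector, and packets sourced from p.local are rewritten
            # to that address on their way into the tunnel.
            if s in p.local:
                return p, p.binat
        elif s in p.local:
            return p, s
    return None, s


# Before the fix: the 'service' local selector is the firewall's own WAN /32.
BROKEN = [
    Phase2("site-to-site", IPv4Net("192.168.1.0/24"), IPv4Net("10.20.0.0/16")),
    Phase2("service", IPv4Net("130.0.0.1/32"), IPv4Net("123.123.100.0/24")),
]

# After the fix (2.1 RC): local network is the LAN, NAT/BINAT address is the
# WAN IP. The peer still sees 130.0.0.1/32, but LAN hosts now match.
FIXED = [
    Phase2("site-to-site", IPv4Net("192.168.1.0/24"), IPv4Net("10.20.0.0/16")),
    Phase2("service", IPv4Net("192.168.1.0/24"), IPv4Net("123.123.100.0/24"),
           binat=IPv4Addr("130.0.0.1")),
]


def describe(policies: Iterable[Phase2], src: str, dst: str) -> str:
    """One-line verdict for a packet, for the demo below."""
    p, wire_src = phase2_for(policies, src, dst)
    if p is None:
        return f"{src} -> {dst}: no Phase 2 match, default gateway, in the clear"
    return f"{src} -> {dst}: enters '{p.name}' as {wire_src} -> {dst}"


if __name__ == "__main__":
    for label, pol in (("before", BROKEN), ("after", FIXED)):
        print(f"[{label}]")
        print(" ", describe(pol, "192.168.1.10", "10.20.5.5"))        # site-to-site
        print(" ", describe(pol, "192.168.1.10", "123.123.100.254"))  # LAN host to service
        print(" ", describe(pol, "130.0.0.1", "123.123.100.254"))     # firewall itself
```

The third probe in the demo is the practical check worth running on the real box: a ping to the service prefix sourced from the firewall's WAN address succeeds even with the broken configuration, while the same destination from a LAN host does not. On pfSense the equivalent on-box test is whether the LAN host's packets show up on the enc0 interface (tcpdump -ni enc0), which carries IPsec traffic after decryption and before encryption; the poster's tcpdump on em0 for ESP answers the same question one layer down.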
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.