IPsec route priority
-
Hello,
I have a static route for 10.0.0.0/8. Then I configured an IPsec tunnel for 10.177.101.64/26. The traffic for 10.177.101.64/26 is not routed via the IPsec tunnel but via the gateway of the static route. I found that if I disable the static route my VPN works fine.
As a workaround I created a static route for 10.177.101.64/26 using 127.0.0.1 as gateway. By doing this the traffic for 10.177.101.64/26 is directed to the IPsec tunnel.
Since I had to create some IPsec tunnels, is there a way to give priority to the IPsec tunnels in the routing table?
I was looking for something like metrics but I haven't found anything similar.
I'm using pfSense 2.3.2.
Thanks for your help
Fabio
-
Hi Fabio,
Did you ever find a solution regarding the metric / priority to route your traffic?
Thanks,
-
> Did you ever find a solution regarding the metric / priority to route your traffic?
No, I'm still using the workaround.
-
Ok, thanks.
Seems the only way to prioritize routes "normally" is to use a routing protocol / process, as is possible with static routes in *BSD.
I'm not sure if this would sort your particular issue out anyway though...
Just a thought... by routing via the loopback, don't you risk bypassing the firewall rules inadvertently? ---> I may be completely wrong with this...
-
Hello,
I have the very same problem as stated in the first post from "fabio.grasso".
From my understanding the IPsec traffic should be intercepted before any routing is applied.
And it works like this on 5 of my 6 pfSense boxes, but not on one.
All pfSenses are on the 2.3.2 release and all routing and all IPsec tunnels are of the same kind (different IP ranges, of course).
Just box #6 has this problem, resulting in asymmetric routing, because its tunnel partner does not have the problem.
If I disable the 10.0.0.0/8 route, traffic through the tunnel works; by adding it again the IPsec routing is broken again... I have no idea why it happens on just 1 box and it makes me a bit nervous to see such inconsistent behaviour.
Thanks a lot for sharing a solution (remote IPsec LAN routing via "Null4 - 127.0.0.1").
But should I apply this patch now also to the working ones???
Kind regards
Maddin
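An added illustration, not code from the thread or from pfSense: a longest-prefix-match lookup over a routing table constructed to mirror the posts above (the 10.0.0.0/8 static route and the /26 loopback workaround; the gateway addresses are made up), plus a check that lists IPsec remote subnets which a broader static route would capture. It shows why the /26 entry wins over the /8 without any metric support, and gives a way to audit the other boxes for the same shadowing before applying the workaround everywhere.

```python
import ipaddress

# Constructed routing table modelled on the thread: the 10.0.0.0/8 static
# route from the first post plus a default route. Gateway addresses are
# made up; the thread does not give them.
BASE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.0.0.0/8", "192.0.2.254"),
]
# The workaround from the thread: the IPsec remote LAN pinned to the loopback.
WORKAROUND_ROUTE = ("10.177.101.64/26", "127.0.0.1")


def lookup(routes, dst):
    """Return (prefix, gateway) of the most specific route matching dst, or None.

    Forwarding tables pick the longest matching prefix, so a /26 entry beats
    a /8 entry regardless of insertion order or any metric.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None


def shadowed_tunnels(routes, tunnel_subnets):
    """Flag IPsec remote subnets that a broader non-default static route captures.

    A subnet is reported when its best matching route is wider than the subnet
    itself (and is not the default route), i.e. nothing pins the tunnel subnet.
    Returns (tunnel_subnet, covering_prefix, gateway) tuples.
    """
    flagged = []
    for subnet in tunnel_subnets:
        net = ipaddress.ip_network(subnet)
        hit = lookup(routes, str(net.network_address))
        if hit is None:
            continue
        best_net = ipaddress.ip_network(hit[0])
        if 0 < best_net.prefixlen < net.prefixlen:
            flagged.append((subnet, hit[0], hit[1]))
    return flagged


if __name__ == "__main__":
    print(lookup(BASE_ROUTES, "10.177.101.70"))
    print(lookup(BASE_ROUTES + [WORKAROUND_ROUTE], "10.177.101.70"))
    print(shadowed_tunnels(BASE_ROUTES, ["10.177.101.64/26"]))
```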