VTI Ipsec Dynamic Rules (solved)
-
Hello there,
We are facing an issue regarding dynamic rules on the PF.
Site A :
- LAN : 192.168.100.0/24
- VTI : 172.16.0.5/30
Site B :
- 192.168.42.0/24
- VTI : 172.16.0.6/20
Tunnel is UP and active
Site A : On the LAN interface, I added a rule :
- SRC : LAN Net
- DST : 192.162.42.0/24 -> GW : the one auto created by the VTI interfaces
Site B : On the LAN interface, I added a rule :
- SRC : LAN Net
- DST : 192.162.100.0/24 -> GW : the one auto created by the VTI interfaces
When I ping a host on site B from site A :
- I see the packet on Site A LAN
- I see the packet on Site A IPSEC Interface
- I see the packet on site B IPSEC Interface
- I see the packet on site B LAN
- I see the answer on site B LAN
=> the packet then disappears
IPSec interface has an allow all policy.
The issue is not present when I add a static route on both sites.
To my understanding, it should also work with the policy rules. Any idea? Am I missing something?
Regards,
-
You must create static routes on both sides of the tunnel (in your case, you don't need PBR. It is enough to create static routes).
https://pfsense-docs.readthedocs.io/en/latest/vpn/ipsec/ipsec-routed.html
https://www.youtube.com/watch?v=AKMZ9rNQx7Y&t=1098s (21:55)
-
If I'm reading right, Policy Based Routing should work ?
-
@martintamare
Either NAT outbound or static routes.
VTI do not have the reply-to function.
-
Ok thanks for clarification.
-
@martintamare
Your solution:
- NAT OUTBOUND + PBR
- STATIC ROUTES + PBR
- STATIC ROUTES
- STATIC ROUTES + NAT OUTBOUND
-
I chose Static Routes + PBR (both are needed if the whole LAN needs to be connected).
And now I'm moving to Dynamic Routing to create a hub & spoke configuration.
-
So for people who are facing the same issues.
You need both a route on the pfsense (you must be able to see it with netstat -rn)
And then, according to your firewall policy rules:
- if you use the default gateway (*) in your rules: OK
- if you use a specific gateway or a gateway group: assign a new rule through the IPsec gateway
I think the documentation should mention it. I'm not a native English speaker and after reading the doc, I thought either static routes OR policy rules should work. But it's not an OR, it's an AND :)
Regards
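The two conditions from the last post (a route to the remote LAN via the VTI must exist in `netstat -rn`, and any LAN rule with an explicit gateway must use the VTI gateway) as an added verification script; this is not from the thread or from pfSense. The `netstat -rn` excerpt, the rule dictionaries and the gateway name `VTI_GW` are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed excerpt of `netstat -rn` output on Site A (not from the thread):
# the remote LAN 192.168.42.0/24 has a static route through the VTI peer.
NETSTAT_RN = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
172.16.0.4/30      link#7             U         ipsec1
192.168.42.0/24    172.16.0.6         UGS       ipsec1
192.168.100.0/24   link#2             U           em1
"""

def parse_routes(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Map each destination network in a netstat -rn dump to its gateway column."""
    routes = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 2:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes[ipaddress.ip_network(dest, strict=False)] = fields[1]
    return routes

def check_site(routes_text: str, rules: List[dict], remote_lan: str,
               vti_peer: str, vti_gateway_name: str) -> List[str]:
    """Return the list of problems found; an empty list means both conditions hold.

    rules: LAN rules as {"dst": <network>, "gateway": "*" or a gateway name}.
    """
    remote = ipaddress.ip_network(remote_lan)
    problems = []
    # Condition 1: the kernel must know a route to the remote LAN via the VTI peer.
    if parse_routes(routes_text).get(remote) != vti_peer:
        problems.append(f"no route for {remote_lan} via {vti_peer} in netstat -rn")
    # Condition 2: rules that pin a gateway must pin the VTI (IPsec) gateway;
    # rules using the default gateway (*) simply follow the routing table.
    for rule in rules:
        if not ipaddress.ip_network(rule["dst"], strict=False).overlaps(remote):
            continue                              # rule does not cover the remote LAN
        if rule["gateway"] not in ("*", vti_gateway_name):
            problems.append(f"rule to {rule['dst']} uses gateway "
                            f"{rule['gateway']} instead of {vti_gateway_name}")
    return problems
```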