Can I route internet traffic from site B through site A via Ipsec VTI?
-
@ngoehring123
I would consider an option of the usual IPSEC tunnel, through it too it is possible to pass a traffic outside.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
-
I had thought of doing that as well but really like the routed option more due to its flexibility and power. Perhaps @jimp has some tips for me.
-
The really weird thing now is that my phone says I have no internet connection yet here I am writing to you and browsing the internet. Something is ascew...
-
@ngoehring123
That's possible. I myself use the GRE over IPSEC option and do not want to switch to VTI yet.
Will wait to hear other forum members -
@ngoehring123
In this forum, I read that some remove the VTI interface, re-create the tunnel , and the problems are solved -
I'll give that a go. After everything else, it won't hurt!
-
Hi,
I have the exactly same problem, did you get find any solution? -
I did not. Last thing I tried was to remove the interface, delete the static routes, and the remove the p1 and p2 and do it all over again. No luck. So I went back to openvpn. I was super excited to use the ipsec route instead due to the better throughput and all.
-
Openvpn is cool , but unfortunately Iran's government filter it here, so we must find another solution.
-
Yeah I'm in a part of the world where I want the anonymity as well. Have you tried openvpn on port 443? Or does Iran filter on something more specific?
-
@ngoehring123 Tried that either
-
Trying to get this working between China and USA.
I've got a stable VTI network, and traffic passes successfully between the machines on both LAN ends.I create a LAN rule on the China router to use the gateway on the USA router, and it looks like some traffic is tunneled through, but not everything.
Webpages from a laptop can load some elements, but not all; and webpages from a phone don't work much at all.
I had this working on the old IPSEC with the 0.0.0.0/0 phase 2, but I really want to change over to routed IPSEC to address some other issues.
-
https://forum.netgate.com/post/862316
-
Ok, all that blocked traffic you're seeing is TCP flagged traffic that is out of state. It's either blocked because the states have already closed, probably the case on that :PA traffic, ot because the states were never opened, usually due to rouet asymmetry.
https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html
You should be trying to find out why that is happening not just trying to pass the traffic anyway. Remove any floating rules you added there. You should not be seeing asymmetric traffic if this is setup correctly.
I assume pings work fine from the policy routed clients?
If you run a packet capture do you see both requests and replies at all points in the path?
Steve
