Netgate Discussion Forum
    Routed (VTI) ipsec and gateway groups

    • ASunc

      Hi,

      I created a routed IPsec tunnel (i.e. VTI) between pfSense and another firewall. Works great. However, I want this to be only a backup link; normally traffic is routed through another gateway.

      So I created a gateway group, which contains the "normal" gateway as tier 1 and ipsec vti gateway as tier 2. Again, works great, after adding a rule that has that gateway group configured for that traffic.

      However, looking at generated firewall rules when system is routing through ipsec reveals something odd:

      pass in quick on em1 route-to { (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1) } round-robin inet from any to 192.168.2.20 flags S/SA keep state label "USER_RULE"
      

      For some reason the "ipsec1000 10.254.0.1" repeats many times in rule. When running through tier1 gateway things look normal:

      pass in quick on em1 route-to (em0 5.135.194.65) inet from any to 192.168.2.20 flags S/SA keep state label "USER_RULE"
      

      Maybe this is just a cosmetic problem?

      • jimp (Rebel Alliance Developer, Netgate)

        Did you set the weight on the IPsec gateway to 10? That's normal, if so.

        The "weights" don't express a preference but rather a usage ratio. The ratio is accomplished by repeating the gateway multiple times.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

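        As an added illustration (not pfSense's own rule generator): a weight of N becomes N copies of the gateway in the route-to pool, and pf's round-robin then spreads new states across the pool members, so the repeat count is a usage ratio rather than a preference. It also goes one step beyond the thread by modelling two gateways in the same tier; the gateway names and the 203.0.113.1 address are constructed.

```python
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Gateway:
    name: str        # pfSense gateway name (constructed values below)
    interface: str   # interface pf routes out of, e.g. ipsec1000 for a VTI
    address: str     # next-hop address used in the route-to pool
    weight: int = 1  # gateway weight; the thread's VTI gateway had 10

def route_to_pool(gateways):
    """One (interface, address) pool member per unit of weight, which is
    why a weight of 10 yields ten copies of (ipsec1000 10.254.0.1)."""
    members = []
    for gw in gateways:
        if gw.weight < 1:
            raise ValueError(f"weight for {gw.name} must be >= 1")
        members.extend([(gw.interface, gw.address)] * gw.weight)
    return members

def route_to_clause(gateways):
    """Render the route-to part of a pf rule. A single member needs no
    pool braces or round-robin, like the tier-1 rule in the thread."""
    members = route_to_pool(gateways)
    if len(members) == 1:
        iface, addr = members[0]
        return f"route-to ({iface} {addr})"
    body = ", ".join(f"({iface} {addr})" for iface, addr in members)
    return f"route-to {{ {body} }} round-robin"

def usage_ratio(gateways, flows):
    """Simplified model of pf round-robin: walk the pool in order for
    `flows` new states and count how many land on each next hop."""
    counts = {}
    pool = cycle(route_to_pool(gateways))
    for _ in range(flows):
        _, addr = next(pool)
        counts[addr] = counts.get(addr, 0) + 1
    return counts

if __name__ == "__main__":
    vti = Gateway("VTI_GW", "ipsec1000", "10.254.0.1", weight=10)
    print(route_to_clause([vti]))  # the ten-member pool from the thread
    # Two gateways in one tier with weights 1 and 3 (constructed addresses)
    print(usage_ratio([Gateway("A", "em0", "5.135.194.65", 1),
                       Gateway("B", "em2", "203.0.113.1", 3)], 400))
```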
        • ASunc

          Indeed, I have set weight to 10. Tried it before and forgot about having set it.

          • ASunc

            Outgoing LAN traffic runs fine with this, i.e. traffic goes to the other router if it is up and to the backup IPsec VTI tunnel if the router is down.

            But what about incoming traffic? pfSense adds reply-to on rules related to the interface of the other router, so return packets are always routed there. But what about the IPsec VTI tunnel? Adding a pass rule on the IPsec interface generates a rule on enc0 without reply-to. Is this because rules cannot be added on the "ipsec1000" interface that is related to the tunnel?

            I'm thinking about having a static route to the IPsec tunnel so everything goes there by default. Router interface return traffic relies on the reply-to that is present on rules. That should work, shouldn't it?

            • jimp (Rebel Alliance Developer, Netgate)

              IPsec interfaces don't support reply-to yet, so it's not possible to send traffic back down a different tunnel than the one it entered.

