Is there a way to specify ipsec tunnel routes?
-
I am new to PFSense, and to IPSec on unix/linux in general.
I have a Palo Alto system on my side, and a PFSense system on the remote side.
We have set up IPSec and phase1/phase2 comes up and works. I am used to in firewall systems to be able to specify routes with tunnel targets, I will typically use a broad Phase 2 tunnel, e.g. 10.99.0.0/16 as an all-encompassing, but I do not necessarily want the tunnel specification to equal routing.
On the pfsense it appears that the phase2 tunnels equal routing - is that correct?
If so, is there a way to change that, switch to explicit routing? If not possible to change - is it possible to create static routes that make exceptions to the auto-tunnel-routing?
(I know I can test this, but the system is remote and I'd rather have an idea before I manage to kill my connection to it). One use scenario is I need to tunnel a range of public IPs, but in the middle of that range is the actual IP which is the peer for this tunnel, so obviously I can't tunnel that traffic.
-
@tstok
I think you're looking for Routed IPsec (VTI).
-
@viragomann ah yes thank you - that does look by description like it is what I want - thank you!
As a first look I wasn't able to configure it properly on the tunnel with a subnet, but I will spend some digging and rtfm before I ask more about it
-
so it turns out this could solve the issue - but it is annoying that now it needs a pair of IPs for routing for each tunnel... that seems like a waste
Would be so much better if I could have tunnels defined like in ipv4 mode, then add routes with destination network and target "send to ike interface"
I guess I just have to create 60 or so standard ipv4 tunnels instead to cover all the bits and pieces of the subnets to hit and not hit.
-
@tstok
I'm possibly not following what you're trying to do, but the tunnel IPs are just arbitrary point to point numbers. You can then route through the point to point vti interface. I can't see any reason why you'd have to create 60 tunnels.
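Added example, not from any poster in this thread and not pfSense code: a small model of the difference the thread turns on. With policy-based IPsec the phase 2 selectors decide what gets encrypted, so a remote subnet that contains the peer's own address swallows the peer's traffic too. With routed IPsec (VTI) the ordinary routing table decides, so a single broad route through the VTI plus one more-specific /32 route for the peer back out the WAN gives the exception the original poster wanted, without splitting the range into many tunnels. Every address is a constructed documentation range, and `ipsec1`, `wan`, the `10.254.0.0/30` point-to-point pair and `198.51.100.1` as WAN gateway are assumptions for the illustration. The `selectors_covering_peer` check is the kind of pre-flight test that can be run against a planned config before touching a remote box.

```python
import ipaddress

# Constructed: the remote IPsec endpoint sits inside a public range we want to tunnel.
PEER_IP = "203.0.113.77"

# Policy-based IPsec: phase 2 entries as (local subnet, remote subnet).
# Any destination matched by a remote selector is encapsulated; there is no
# way to carve the peer's own address out of 203.0.113.0/24 here.
PHASE2_SELECTORS = [
    ("192.0.2.0/24", "10.99.0.0/16"),
    ("192.0.2.0/24", "203.0.113.0/24"),
]

# Routed IPsec (VTI): plain static routes as (prefix, gateway, interface).
# 10.254.0.1/10.254.0.2 is the arbitrary point-to-point pair on the VTI
# (hypothetical interface name ipsec1); 198.51.100.1 is the assumed WAN gateway.
STATIC_ROUTES = [
    ("10.99.0.0/16",    "10.254.0.2",   "ipsec1"),
    ("203.0.113.0/24",  "10.254.0.2",   "ipsec1"),
    ("203.0.113.77/32", "198.51.100.1", "wan"),   # more specific: peer stays on the WAN
    ("0.0.0.0/0",       "198.51.100.1", "wan"),
]


def policy_based_egress(dst: str, selectors=PHASE2_SELECTORS) -> str:
    """Return 'tunnel' if any phase-2 remote selector covers dst, else 'wan'."""
    ip = ipaddress.ip_address(dst)
    for _local, remote in selectors:
        if ip in ipaddress.ip_network(remote):
            return "tunnel"
    return "wan"


def route_based_egress(dst: str, routes=STATIC_ROUTES):
    """Longest-prefix match over the static routes; returns (gateway, interface)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def selectors_covering_peer(peer: str, selectors=PHASE2_SELECTORS):
    """Pre-flight check: list remote selectors that would swallow the peer's
    own traffic under policy-based IPsec (a config that breaks the tunnel)."""
    ip = ipaddress.ip_address(peer)
    return [remote for _local, remote in selectors
            if ip in ipaddress.ip_network(remote)]


if __name__ == "__main__":
    for dst in (PEER_IP, "203.0.113.10", "10.99.42.1", "8.8.8.8"):
        print(f"{dst:>15}  policy-based: {policy_based_egress(dst):6}  "
              f"routed (VTI): {route_based_egress(dst)}")
    print("selectors covering the peer:", selectors_covering_peer(PEER_IP))
```

Running the block shows the peer address going into the tunnel under the policy-based model but out the WAN under the routed model, while the rest of both ranges still crosses the VTI; the same routing-table logic is what lets one VTI with one point-to-point pair carry as many destination networks as you care to add routes for.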