Netgate Discussion Forum
Topics tagged: ipsec
    • Pfsense ipsec to Cyberoam traffic issue

      Category: IPsec. Tags: ipsec
      0 Votes, 6 Posts, 1k Views

      I tried changing the mode from Tunnel IPv4 to Route (VTI), but after the change IPsec does not connect.

    • IPSec Site to Site with peer behind CGNAT

      Category: IPsec. Tags: ipsec, site-to-site, cgnat
      0 Votes, 3 Posts, 4k Views

      For anyone who is interested (n00b here), I got it to work (branch to pfSense only):

      Phase 1 remote subnet on pfSense has to be 0.0.0.0 with the "responder only" option checked.

      On the Huawei side, the following command had to be configured:

      ipsec authentication sha2 compatible enable

      The result is:

      (screenshot)

      The problem now is that pfSense does not direct traffic destined for the remote subnet (i.e. 10.2.20.0) through IPsec; it uses WAN0 for that. Any ideas?

      [update] Working now, I was pinging from the wrong device.

    • AWS VPN BGP - Routing

      Category: General pfSense Questions. Tags: vpn, ipsec, virtualip, desperate, bgp
      0 Votes, 23 Posts, 6k Views

      P.S. I take it back - you may need firewall rules for IPsec to allow BGP traffic. You can create them from the firewall logs if you see blocked BGP traffic on IPsec.

    • IPSEC VPN server and Site-to-site connection

      Category: IPsec. Tags: ipsec, server, site-to-site
      0 Votes, 2 Posts, 681 Views

      Latest post by kiokoman:

      You can have multiple tunnels configured, I don't see why not.

    • Load balance through IPSEC

      Category: IPsec. Tags: loadbalance, ipsec
      1 Votes, 1 Posts, 544 Views
      No one has replied
    • 1:1 NAT over OpenVPN

      Category: NAT. Tags: openvpn, nat, ipsec
      0 Votes, 1 Posts, 561 Views
      No one has replied
    • Google Cloud to pfSense VPN with BGP Dynamic Routing

      Category: IPsec. Tags: ipsec, vpn, google cloud, bgp, dynamic routing
      0 Votes, 7 Posts, 4k Views

      Thanks Pablo. Good to have in case we ever move to an HA setup with Google VPN. For anyone else who reads this, my posts were for the Classic Google VPN setup (non-HA).

      One note I wanted to add: in the BGP settings in my instructions above, don't change the setting for "Redistribute connected networks" to Yes. When set to Yes this advertised our WAN network to Google and caused issues with reaching public-facing servers we had in Google. Since we only have a few networks locally, I just manually defined those along with the BGP network 169.254.10.0/30 in the fields below that setting.

      The other option may be to change the setting to Yes and somehow mark it to ignore the WAN network, but I haven't looked into that.

    • NAT over routed VTI

      Category: IPsec. Tags: ipsec, nat
      0 Votes, 7 Posts, 2k Views

      @ngoehring123 said in NAT over routed VTI:

        @under_tow I reported this back in March. https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti

        Unfortunately no resolution that I'm aware of.

      Thanks, similar issues here. GRE over IPsec could work, but that is too many changes in our application for now.

    • Recommended configuration for IPSEC with HA

      Category: IPsec. Tags: ipsec, high availabili, carp
      0 Votes, 2 Posts, 2k Views

      Latest post by dotdash:

      Yes, you can use a CARP address as the IPsec endpoint. There is an option to sync IPsec configuration in the XMLRPC Sync options on the HA Sync page.

    • Feature Request: Have IPSec listen on all members of a Gateway Group

      Category: Routing and Multi WAN. Tags: multi wan, ipsec, firewall, routing
      0 Votes, 1 Posts, 339 Views
      No one has replied
    • Configure remote OpenVPN user client access to remote network that is available over IPsec site to site vpn

      Category: OpenVPN. Tags: pfsense, openvpn, ipsec, site-to-site, vpn client
      0 Votes, 2 Posts, 1k Views

      Well, I have just got it working. The solution may be very specific to my scenario.

      First, I need to go through and test all the individual changes I made to ensure each one was needed, remove the cruft that was not needed, and I will post the final solution here thereafter.

      What I had to do in this scenario was go to pfSense A and open the advanced settings of IPsec. From there:

      Auto-exclude LAN address: "Enable bypass for LAN interface IP" (Exclude traffic from LAN subnet to LAN IP address from IPsec).

      This box was checked by default.

      I cleared it and traffic is now working both ways.

      I suspect what mattered here was the fact that pfSense A didn't have a LAN subnet, and the OpenVPN client subnet may have been seen as a LAN by this rule. I am sure one of the pfSense developers could provide an explanation.

      Now I just need to check all the routes, rules and Phase 2 parts to ensure they are needed.

    • Mobile Clients not sending all traffic via VPN

      Category: IPsec. Tags: ipsec, vpn
      0 Votes, 1 Posts, 300 Views
      No one has replied
    • [solved] IPSec concentrator behind a Netgate box

      Category: NAT. Tags: ipsec, nat, forwarding
      0 Votes, 2 Posts, 689 Views

      Latest post by Frankye:

      I managed to ... sort of solve it.

      Netgate support told me to try and put each tunnel on a different internal IP alias.
      After doing that (and creating the corresponding NAT and firewall rules on the border box) the second tunnel came up.

      I still have no idea why this is the case exactly, but I'll take the working tunnel over understanding pfSense's IPsec and/or NAT mechanics for now.

    • IPSEC's VPN can't PING the host network and vice versa

      Category: IPsec. Tags: ipsec, vpn client, ping, ssh
      0 Votes, 1 Posts, 518 Views
      No one has replied
    • Very slow connection using pfsense to azure vm

      Category: General pfSense Questions. Tags: azure, vpn, ipsec, slow, throughput
      0 Votes, 3 Posts, 2k Views

      After contacting the Microsoft helpdesk I found the solution for me.
      For future reference: I had to turn on MSS clamping and set it to 1350. This is also in the advanced IPsec settings.

      Maybe this setting was reset to its default after an update? I wasn't the one who configured it in the first place, so I wouldn't know for sure.

      I made sure to match my settings to this document: https://docs.microsoft.com/nl-nl/azure/vpn-gateway/vpn-gateway-about-vpn-devices

      @stephenw10 Thanks for the reply, I had this disabled already, but the pointer was appreciated.

    • Fritzbox (DS-Lite) IPsec to pfSense with public IPv4

      Category: Deutsch. Tags: fritzbox, ipsec, dslite
      0 Votes, 2 Posts, 808 Views

      @hekl

      Forget the Fritzbox. Put an OpenVPN gateway into the network as a client and the site-to-site scenario is up.
      You really shouldn't put yourself through VPN on a Fritzbox any more!

      Regards

    • routing specific packets through IPSEC gre tunnel

      Category: IPsec. Tags: gre, ipsec, nat, packets, static route
      0 Votes, 2 Posts, 809 Views

      @vistatech said in routing specific packets through IPSEC gre tunnel:

        10.1.1.20

      Hey,
      and why is outgoing NAT used?
      Try disabling it. I have a similar scheme and everything works fine without NAT.
      The question is: can pfSense ping the host 10.1.1.20?

    • VPN between PfSense and Mikrotik IPsec no Phase2

      Category: IPsec. Tags: ipsec, vpn, mikrotik, pfsense
      0 Votes, 7 Posts, 11k Views

      Solution can be found here:
      IPsec to Mikrotik

    • FreeRADIUS3: Starting up too late for IPSEC?

      Category: pfSense Packages. Tags: radius, freeradius, ipsec
      0 Votes, 1 Posts, 579 Views
      No one has replied
    • IPsec VPN established, but no traffic between computers

      Category: IPsec. Tags: vpn, ipsec, traffic issues, no traffic, ipsec rules
      0 Votes, 7 Posts, 2k Views

      Hi, do your machines use Windows as the OS? In that case turn off the firewall on each and check ping to the other machine.