IKEv2 tunnel kills inbound NAT

  • Background:

    Running pfSense 2.3.1_5 on an HP T5740 thin client. Has expansion, so three gigabit network ports.

    Have two OpenVPN clients set up for routing most of my internal internet traffic. One OpenVPN client is also configured for inbound NAT. It also is listening for an inbound IKEv2 VPN connection.

    So to recap – pfSense is both a dual OpenVPN client and an IKEv2 server. The IKEv2 server listens on one of the OpenVPN connections.


    I can connect to the IKEv2 server from outside my network and do what I need to do within the context of the IKEv2 VPN. However, once I disconnect from the IKEv2 server on the pfSense, within a few minutes ALL of my inbound NAT port forwards stop working. The only way that I have been able to figure out how to re-enable port forwards is to reboot the device.

    (If I don't use the IKEv2 VPN, or disable it, the NAT port forwards work perfectly fine without reboots.)

    Thoughts on how to 'fix' the issue without creating a cron job to reboot daily to re-enable the port forwards?


  • Rebel Alliance Developer Netgate

    Not sure I quite follow how you've got that setup. "IKEv2 server listens on one of the OpenVPN connections" as in you have to connect to IKEv2 through OpenVPN?

    Are the port forwards also on OpenVPN?

    What is your IPsec mobile client network? OpenVPN tunnel network? Any overlaps there?

    It sounds almost like when you disconnect that the firewall's routing table is losing its default gateway or something along those lines.

    Visit /status.php on the firewall and download the file when it works, and then again when it breaks, and compare the various files looking for what changed.
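The suggestion above is to capture the firewall's status output while port forwards work and again after they break, then compare. The following is an added helper, not code from the thread or from pfSense, that does that comparison for the routing-table portion of the capture (FreeBSD `netstat -rn` format, which is what pfSense 2.3 prints). The two snapshots embedded in it are constructed samples: the "broken" one assumes the symptom the reply speculates about, a vanished default route on the OpenVPN client interface (`ovpnc1`, `10.8.0.1` and the LAN addresses are made up for the example). In practice you would paste the routing-table section from the two downloaded status files into `WORKING` and `BROKEN`, or read them from disk.

```python
"""Compare two FreeBSD `netstat -rn` routing-table snapshots and report
what changed, with the default route called out explicitly.
Added example for troubleshooting lost port forwards; not pfSense code."""

# Constructed sample: routing table while inbound port forwards work.
WORKING = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#8             U        ovpnc1
10.8.0.2           link#8             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.1        link#1             UHS         lo0
"""

# Constructed sample: after the IKEv2 client disconnected; the default
# route over the OpenVPN client interface is gone (assumed failure mode).
BROKEN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        link#8             U        ovpnc1
10.8.0.2           link#8             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.1        link#1             UHS         lo0
"""


def parse_routes(text):
    """Return {destination: (gateway, flags, netif)} for the IPv4 section.

    Only the 'Internet:' block is parsed; an 'Internet6:' block, if present,
    ends parsing. The optional Expire column is ignored.
    """
    routes = {}
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or line.startswith("Destination") or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than guess
        dest, gateway, flags, netif = parts[:4]
        routes[dest] = (gateway, flags, netif)
    return routes


def default_route(routes):
    """(gateway, flags, netif) of the default route, or None if it is missing."""
    return routes.get("default")


def diff_routes(before_text, after_text):
    """Routes removed, added or changed between two snapshots."""
    before, after = parse_routes(before_text), parse_routes(after_text)
    removed = {d: before[d] for d in before if d not in after}
    added = {d: after[d] for d in after if d not in before}
    changed = {d: (before[d], after[d])
               for d in before if d in after and before[d] != after[d]}
    return {"removed": removed, "added": added, "changed": changed}


if __name__ == "__main__":
    for name, snap in (("working", WORKING), ("broken", BROKEN)):
        print(f"{name}: default route = {default_route(parse_routes(snap))}")
    for kind, entries in diff_routes(WORKING, BROKEN).items():
        for dest, info in entries.items():
            print(f"{kind}: {dest} {info}")
```

If the output shows the default route disappearing (or the `removed` set listing the OpenVPN client's routes), the reply's hypothesis is confirmed and the next thing to check is the IPsec mobile client network versus the OpenVPN tunnel network for the overlap asked about above; if the routing tables match, move on to comparing the other sections of the status capture (NAT rules and interface state) the same way.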

