IPSec route priority



  • Hello,
    I've a static route for 10.0.0.0/8. Then I've configured an IPSec tunnel for 10.177.101.64/26.

    The traffic for 10.177.101.64/26 is not routed via the IPSec tunnel but with the gateway of the static route. I've found that if I disable the static route my VPN works fine.

    As a workaround I've created a static route for 10.177.101.64/26 using 127.0.0.1 as gateway. By doing this the traffic for 10.177.101.64/26 is directed to the IPSec tunnel.

    Since I had to create some IPSec tunnels, is there a way to give priority to the IPSec tunnel in the routing table?

    I was looking for something like metrics but I've not found anything similar.

    I'm using pfSense 2.3.2.

    Thanks for your help
    Fabio
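    As an added example (not from any poster in this thread and not pfSense's own code), the script below models the routing-table side of what Fabio describes: a longest-prefix-match lookup shows the broad 10.0.0.0/8 static route catching the phase 2 remote subnet, and the workaround of a more specific route for 10.177.101.64/26 via 127.0.0.1 winning the lookup instead. It also includes a check that lists every phase 2 remote network overlapped by a static route, which is the configuration to look for before adding tunnels. The gateway 192.168.1.254 and the second phase 2 network 172.16.50.0/24 are constructed sample values that the thread does not give.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample data modelled on the thread. The gateway address and the
# second phase 2 network are assumptions, not values from the original posts.
STATIC_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "192.168.1.254"),  # broad static route via an assumed gateway
]
IPSEC_REMOTE_NETS: List[str] = [
    "10.177.101.64/26",  # phase 2 remote network from the thread
    "172.16.50.0/24",    # constructed: a phase 2 network no static route covers
]


def longest_prefix_match(dest: str, routes: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (network, gateway) of the most specific route covering dest, or None.

    This is the standard longest-prefix-match rule: among all routes whose
    network contains the destination, the one with the longest prefix wins.
    """
    addr = ipaddress.ip_address(dest)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net_str, gateway in routes:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else (str(best[0]), best[1])


def overlapping_static_routes(phase2_nets: List[str], routes: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """List (phase2_net, static_route, gateway) for every static route that overlaps
    a phase 2 remote network. This is the configuration the thread reports as
    sending tunnel traffic to the static route's gateway instead of the tunnel."""
    hits = []
    for p2_str in phase2_nets:
        p2 = ipaddress.ip_network(p2_str)
        for net_str, gateway in routes:
            if p2.overlaps(ipaddress.ip_network(net_str)):
                hits.append((p2_str, net_str, gateway))
    return hits


def with_null_routes(phase2_nets: List[str], routes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return a copy of the route table with the thread's workaround applied:
    one route per phase 2 remote network with 127.0.0.1 as the gateway, so that
    longest-prefix match prefers it over the broad static route."""
    return list(routes) + [(p2, "127.0.0.1") for p2 in phase2_nets]


if __name__ == "__main__":
    host_in_tunnel = "10.177.101.70"  # constructed: an address inside the /26
    print("before:", longest_prefix_match(host_in_tunnel, STATIC_ROUTES))
    fixed = with_null_routes(IPSEC_REMOTE_NETS, STATIC_ROUTES)
    print("after: ", longest_prefix_match(host_in_tunnel, fixed))
    for p2, route, gw in overlapping_static_routes(IPSEC_REMOTE_NETS, STATIC_ROUTES):
        print(f"phase 2 {p2} is covered by static route {route} via {gw}")
```

    Running `overlapping_static_routes` against the real route table and phase 2 list before enabling a tunnel tells you which phase 2 networks sit inside a broader static route; the model only reproduces the lookup order, so whether a given pfSense build then applies the IPsec policy is something to verify on the box itself, as the thread shows the behaviour differing between installs.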



  • Hi Fabio,

    Did you ever find a solution regarding the metric / priority to route your traffic?

    Thanks,



  • @mannyjacobs73:

    Did you ever find a solution regarding the metric / priority to route your traffic?

    No, I'm still using the workaround



  • Ok, thanks.

    Seems the only way to prioritize routes 'normally' is to use a routing protocol / process as it's possible with static routes in *BSD.

    I'm not sure if this would sort your particular issue out anyway though..

    Just a thought… by routing via the loopback, don't you risk bypassing the firewall rules inadvertently? ---> I may be completely wrong with this...



  • Hello,

    I have the very same problem as stated in the first post from "fabio.grasso".
    From my understanding the IPSEC traffic should be intercepted before any routing is applied.
    And like this it is working in 5 of my 6 pfSense boxes, but not on one.
    All pfSenses are on 2.3.2 release and all routing and all IPSEC-tunnels are of the same kind (different ip-ranges of course).
    Just box #6 has this problem, resulting in asymmetric routing, because its tunnel partner does not have the problem.
    I disable the 10.0.0.0/8 route and traffic through the tunnel works; when I add it again the IPsec routing is broken again….

    I have no idea why it happens on just 1 box and it makes me a bit nervous to see such inconsistent behaviour.

    Thanks a lot for sharing a solution (Remote-IPSEC-Lan routing via "Null4 - 127.0.0.1")
    But should I apply this patch now also to the working ones???

    Kind regards

    Maddin