IPSec route priority

  • Hello,
    I've a static route for Then I've configured an IPSec tunnel for

    The traffic for is not routed via the IPSec tunnel but with the gateway of the static route. I've found that if I disable the static route my VPN works fine.

    As a workaround I've created a static route for using as gateway. By doing this the traffic for is directed to the IPSec tunnel.

    Since I had to create some IPSec tunnels, is there a way to give priority to the IPSec tunnel in the routing table?

    I was looking for something like metrics but I've not found anything similar.

    I'm using pfSense 2.3.2

    Thanks for your help

  • Hi Fabio,

    Did you ever find a solution regarding the metric / priority to route your traffic?


  • @mannyjacobs73:

    Did you ever find a solution regarding the metric / priority to route your traffic?

    No, I'm still using the workaround.

  • Ok, thanks.

    Seems the only way to prioritize routes 'normally' is to use a routing protocol / process as it's possible with static routes in *BSD.

    I'm not sure if this would sort your particular issue out anyway, though.

    Just a thought… by routing via the loopback, don't you risk bypassing the firewall rules inadvertently?  ---> I may be completely wrong with this...

  • Hello,

    I have the very same problem as stated in the first post from "fabio.grasso".
    From my understanding the IPSEC traffic should be intercepted before any routing is applied.
    And like this it is working in 5 of my 6 pfSense boxes, but not on one.
    All pfSenses are on the 2.3.2 release and all routing and all IPSEC tunnels are of the same kind (different IP ranges of course).
    Just box #6 has this problem, resulting in asymmetric routing, because its tunnel partner does not have the problem.
    I disable the route and traffic through the tunnel works; by adding it again the IPsec routing is broken again.

    I have no idea why it happens on just one box, and it makes me a bit nervous to see such inconsistent behaviour.

    Thanks a lot for sharing a solution (Remote-IPSEC-LAN routing via "Null4 -").
    But should I apply this patch now also to the working ones?

    Kind regards
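The situation described in this thread (a broad static route whose gateway captures traffic meant for a policy-based IPsec tunnel, fixed by pinning the tunnel's remote network to the built-in Null4 gateway) can be checked for before it bites. The script below is an added example written for this page; it is not code from the thread's authors or from pfSense. It assumes the static routes and phase 2 remote networks are exported into the two lists at the top (gateway names such as LANGW, WANGW and DMZGW are constructed), applies ordinary longest-prefix matching to find which static route would win for each tunnel's remote network, and also flags the more general case of a static route that is more specific than the tunnel network and so hijacks only part of it. For fully shadowed tunnels it produces the null routes that the thread's workaround uses.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]

# pfSense's built-in discard gateways; a route pointed at one of these is the
# thread's workaround, not a conflict.
NULL_GATEWAYS = {"Null4", "Null6"}


@dataclass(frozen=True)
class StaticRoute:
    prefix: Net
    gateway: str  # gateway name as shown in the pfSense GUI (names here are constructed)


# Constructed sample configuration: one broad static route that swallows a
# tunnel network, and one narrow route sitting inside another tunnel network.
ROUTES = [
    StaticRoute(ip_network("10.0.0.0/8"), "LANGW"),
    StaticRoute(ip_network("192.168.50.0/24"), "WANGW"),
    StaticRoute(ip_network("172.16.5.0/24"), "DMZGW"),
]
# (tunnel name, phase 2 remote network) pairs, also constructed
TUNNELS = [
    ("site-b", "10.20.0.0/16"),
    ("site-c", "172.16.0.0/12"),
]


def covering_route(routes: List[StaticRoute], net: Net):
    """Longest-prefix match: the static route that fully contains `net`, or None."""
    best = None
    for r in routes:
        if r.prefix.version != net.version:
            continue
        if net.subnet_of(r.prefix):
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best


def audit_tunnel_routes(routes: List[StaticRoute], tunnels: List[Tuple[str, str]]) -> List[dict]:
    """Report static routes that would carry tunnel traffic to a real gateway.

    kind == "full":    a route covers the whole remote network (the thread's case)
    kind == "partial": a route more specific than the remote network captures part of it
    """
    findings = []
    for name, remote_cidr in tunnels:
        remote = ip_network(remote_cidr)
        best = covering_route(routes, remote)
        if best is not None and best.gateway not in NULL_GATEWAYS:
            findings.append({"tunnel": name, "remote": str(remote), "kind": "full",
                             "route": str(best.prefix), "gateway": best.gateway})
        for r in routes:
            if (r.prefix.version == remote.version and r.prefix != remote
                    and r.prefix.subnet_of(remote) and r.gateway not in NULL_GATEWAYS):
                findings.append({"tunnel": name, "remote": str(remote), "kind": "partial",
                                 "route": str(r.prefix), "gateway": r.gateway})
    return findings


def workaround_routes(findings: List[dict]) -> List[StaticRoute]:
    """Null routes for each fully shadowed tunnel network, as in the thread's workaround.

    A more specific route to Null4/Null6 wins the lookup over the broad static route,
    so the packet is no longer handed to that route's gateway. Partial shadows need a
    null route for the offending narrow prefix instead and are only reported here.
    """
    fixes = []
    for f in findings:
        if f["kind"] == "full":
            net = ip_network(f["remote"])
            fixes.append(StaticRoute(net, "Null4" if net.version == 4 else "Null6"))
    return fixes


if __name__ == "__main__":
    before = audit_tunnel_routes(ROUTES, TUNNELS)
    for f in before:
        print(f"{f['tunnel']}: {f['remote']} {f['kind']}ly shadowed by {f['route']} via {f['gateway']}")
    fixes = workaround_routes(before)
    for r in fixes:
        print(f"add static route {r.prefix} -> {r.gateway}")
    after = audit_tunnel_routes(ROUTES + fixes, TUNNELS)
    print("remaining findings:", [(f["tunnel"], f["kind"]) for f in after])
```

Run it against an export of your own routes and phase 2 entries; a clean run before and after adding the null routes is the check the last poster asks for ("should I apply this to the working ones?"): boxes where no static route covers a tunnel network get no finding and need no extra route.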