Fail-over gateway group + IPsec road warriors = VPN routing broken
entirenet last edited by
on a working pfsense 2.3 i managed to get fail-over with two WAN interfaces running. switching back and forth between the WAN connections worked like a charm thanks to the good documentations i found.
But after fail-over was implemented and changing all existing routing policies from default gateway to the fail-over gateway group, the routing for IPsec mobile clients stopped working. The only thing that is reachable from a mobile client is the pfsense itself.
I had a look at the connection states and saw that the IPsec mobile clients packets enteres the pfsense via the currently active tier 1 WAN connection and have been sent to the LAN interface and destination IP address. But the packets not arrived on the LAN interface. I made a capture on the LAN interface and not a single packet from the IPsec connection arrived.
From a client inside the LAN segment i was able to successfully ping the IPsec mobile clients IP. So at least routing from the LAN to the mobile client works, but not the other direction. So i wonder how to debug this issue. What could have broken the IPsec routing? The only thing i changes IPsec related was on the IPsec interface the routing policy gateway to that fail-over group, but even switching only that gateway back to default did not fix the routing issues.
I had to switch back to default gateway for the routing policies. Because of several entires i did so by loading the original config from a backup.
Any help or hint is much appreciated.