0.0.0.0/0 tunnel breaks load balancer



  • Ladies and gents,

    I am using an IPSec tunnel to forward web traffic to a remote server on one of my local VLAN's. That isnt my issue, cause it works flawlessly. However, i also have a dual wan setup, and load balance between them. It seems that none of my LAN rules are responding to the gateway's i set regardless of what i do. I've boiled it down to the Local/Remote 0.0.0.0/0 net set in the IPSec tunnel to foward the traffic on the. I can choose between either WAN for the IPSec tunnel and it will use it. Also, if i specifically change the default gateway, my local traffic will then re route to that said gateway.

    Is there a specific static route or something i can do to re-gain functionality of both of my WAN's?

    IPSec settings:

    Near side
    Local subnet - VLANx NET
    Remote subnet - 0.0.0.0/0

    Far side
    Local subnet - 0.0.0.0/0
    Remote subnet - (my VLANx net)
    *NAT RULE for VLANx net to translate to the wan interface

    anyhow, im pretty sure any type of 0.0.0.0/0 route is going to throw things bonkers as far as load balancing and failover goes. my question is, what can i do to achieve both of these things at the same time.


  • Rebel Alliance Developer Netgate

    IPsec does not route. It does not respect the routing table, the kernel grabs any traffic matching the Phase 2 definitions and pushes it into IPsec.

    There is no way to route around or bypass that behavior when you are using 0.0.0.0/0 as a remote network in IPsec, since that means "put everything into IPsec no matter what".

    It's just doing what it's been told to do.

    So somehow you'd have to either move the IPsec off to another box on a different interface, so this box can make proper routing decisions, or you'll have to change the P2s so they don't match so broadly, at least on the local side.

    Or use OpenVPN instead of IPsec where all of this works without much extra effort.



  • Yeah, OpenVPN did the trick for me.

    Thanks for the reply.


Log in to reply