Netgate Discussion Forum

    HTTP traffic over IPsec Tunnel

    IPsec
    • mmjohn

      I know this has been asked at least a half dozen times (that I saw) but I don't seem to find any real answer for it.

      We need to route our HTTP(s) traffic from our remote offices to our main office and out the gateway of the main office in order to make use of our proxy server for content filtering through our IPsec tunnels. Essentially making the main office the default gateway for each remote office as well.
      If need be, we will route all traffic, but preferably just HTTP(s) if possible.

      Could somebody point me in the right direction?

      • blak111

        If you find a solution other than pointing browsers to a proxy server on the remote network, post it here. I haven't seen one yet.

        • GruensFroeschli

          I never actually tried this but I imagine it "could" work:
          Create a failover pool as described in this post:
          http://forum.pfsense.org/index.php/topic,13616.msg72823.html#msg72823
          When you're modifying the gateway set it to the other side of the IPSEC tunnel.

          Could you report back if this works?

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • mmjohn

            OK, I will give it a shot. Might be a few days until I am more stationary, but when I get some results I will post them.

            • NickC

              I had a quick look at this. What isn't clear to me is what to write in the config.xml to specify the IPsec gateway…

              In the <lbpool> section, the "<servers>wan|w.x.y.z</servers>" needs to be rewritten. But how?

              I'm hoping that this would allow me to use rule based routing to allow access to multiple subnets at the other end of an IPsec tunnel. Probably not a rare request. Am I barking up the wrong tree here?

              Nick.

              • GruensFroeschli

                Please learn how to use the search function.

                http://forum.pfsense.org/index.php/topic,9422.msg53290.html#msg53290

                • NickC

                  OK. Just what I was looking for.

                  FWIW I spent quite a while searching with multiple combinations of lbpool/servers/ipsec/failover and more, none of which brought up this very useful post. So yes I guess I need to improve my keyword choices. No matter.

                  Thanks again.

                  Nick.

                  • MerikFynd

                    Has anyone confirmed that this solution works? I happen to need the exact same "HTTP traffic over IPsec Tunnel", but as often is the case the original poster never returns with news of success.

                    • cconk01

                      I remember a post about this, which the person ended up joining commercial support. I sent him a message a few weeks later and this is the response he gave me. This is to say without the use of a mod….

                      "We ended up having to pay for commercial support. Our goal was to route all internet bound traffic over the vpn. We set the remote subnet in the IPsec VPN tunnel to 0.0.0.0/0 and it worked. When you do this, it appears to disable NAT port forwarding to internal addresses for remote support such as vnc and pcanywhere. Additionally, there does not appear to be a failover mechanism in the current release. Therefore, if the VPN is down due to HQ down for any reason, the remote office will also be down unless you manually disable the IPsec tunnel while the HQ. According to commercial support, they are going to make a feature request and this problem may be addressed in a later release.
                      good luck"

                      http://forum.pfsense.org/index.php/topic,11948.msg65364.html#msg65364

                      hope this helps,
                      Peter
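
A simplified model of the selector behaviour reported in the quoted message above, as an added example that is not part of the original thread and is not pfSense code: it compares a tunnel whose remote subnet is the HQ LAN with one set to 0.0.0.0/0. All subnets, addresses, flows and function names are constructed for illustration, and the address-only matching and the drop when the tunnel is down are modelling assumptions chosen to match what the message describes.

```python
import ipaddress

# Constructed addressing for illustration (not from the thread).
OFFICE_LAN = ipaddress.ip_network("192.168.20.0/24")
HQ_LAN = ipaddress.ip_network("192.168.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed flows leaving the remote-office firewall: (src, dst, dst_port).
FLOWS = {
    "web_http": ("192.168.20.50", "203.0.113.80", 80),
    "web_https": ("192.168.20.50", "203.0.113.80", 443),
    "hq_fileserver": ("192.168.20.50", "192.168.10.5", 445),
    # Reply from an internal VNC host to an outside client that connected
    # through a WAN port forward (the client's port is ephemeral).
    "vnc_forward_reply": ("192.168.20.10", "198.51.100.7", 51000),
}


def egress_path(remote_net, src, dst, dst_port, tunnel_up=True):
    """Decide where the office firewall sends one outbound packet.

    Model assumption: the tunnel selector is (OFFICE_LAN -> remote_net) and
    matches on addresses only, so dst_port never influences the result.
    Matching packets are dropped, not sent out the WAN, when the tunnel is down.
    """
    matches = (ipaddress.ip_address(src) in OFFICE_LAN
               and ipaddress.ip_address(dst) in remote_net)
    if not matches:
        return "wan"
    return "tunnel" if tunnel_up else "dropped"


def classify(remote_net, tunnel_up=True):
    """Map every sample flow to its egress path for a given remote subnet."""
    return {name: egress_path(remote_net, *flow, tunnel_up=tunnel_up)
            for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, net in (("remote=HQ LAN", HQ_LAN), ("remote=0.0.0.0/0", ANY)):
        for up in (True, False):
            print(label, "tunnel_up=%s" % up, classify(net, tunnel_up=up))
```

In this model, a remote subnet of the HQ LAN leaves web traffic on the local WAN, where it never reaches the HQ proxy, while 0.0.0.0/0 pulls every flow into the tunnel, including the reply to a WAN port forward, and drops all of them when the tunnel is down.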

                      • Vorkbaard

                        Just tried this but it wouldn't work for me, just as if the tunnel was ignored. Anyone else tried this?
