[IPSec] Unable to force all internet traffic over IKEv1 L2L



  • Hello people,

    I am quite new to PFSense, but not to networking, so I find the following behavior a bit bizarre. Here is what I have:

    Site A - main office
    Site B - branch office

    At the moment Site B uses its own Internet provider for regular traffic and I have an IPsec IKEv1 tunnel between Site A and Site B for traffic between the local LANs. On Site B I have two providers: one (let's name it WAN) is the default GW and all traffic usually passes there. The secondary (let's name it BACKUP) is used only to build the tunnel. Both ends are running pfSense 2.4.2-RELEASE-p1.

    Due to some recent events, I want to route all traffic from Site B through the Site A pfSense. Easy peasy: I edited the phase 2 rules:

    On Site A I have 0/0 to Site B LAN
    On Site B I have Site B LAN to 0/0

    I see the SA build up properly and showing up fine, traffic between the local lans works fine as well.

    I added an outbound rule on the Site A NAT tables to permit internet access for the Site B LAN; however, Site B does not have internet.

    Digging into this, I saw the following: running a ping from a machine on Site B to 8.8.8.8, that ping is taking the default GW and I do not see it in the packet capture on the IPsec interface (on either site). On the WAN interface of Site B, I see the ICMP requests, and I also see the ICMP replies, but the replies never make it to the source host. The same applies to all traffic generated from the host. I made sure to clear the states, but the connection is then reestablished in the same way.

    Going further into this, I added a static /32 route for 8.8.8.8 to go through the BACKUP interface, cleared the States again, but the pings would still use the default route over the WAN interface despite the host-based route.

    Long story short: I don't see non-LAN traffic from Site B hitting the tunnel, despite the SA being up, and I see that traffic going out the default GW despite the routes that I have. I also see returning traffic, but that never makes it to the host (it's not seen leaving the LAN interface either).

    The only thing that comes to mind that I haven't tried is to reboot the devices.

    I've been working with Cisco ASAs for a while and there they have the packet-tracer feature, showing how the device would process a packet - is there a similar feature available for PFSense?

    Also any additional thoughts on the above problem would be greatly helpful and much appreciated.

    Thank you in advance and sorry for the long post.

    Cheers,
    Nick


  • Netgate

    Policy routing (setting a gateway on a LAN rule) will override IPsec traffic selectors.



  • @derelict said in [IPSec] Unable to force all internet traffic over IKEv1 L2L:

    Policy routing (setting a gateway on a LAN rule) will override IPsec traffic selectors.

    Thanks for that. I was wondering about that particular rule, but decided to leave it as is - the "benefit" of inherited environments. I will test removing it a bit later today, when people are out of the office.

    This does explain why the traffic doesn't hit the IPsec tunnel, but why would I not see the return traffic going back to the host, i.e.:

    On the LAN interface I see just ICMP requests.

    On the WAN interface I see both ICMP requests and the replies to the same requests.

    (all ICMP traffic is permitted in the rules)

    Cheers,
    Nick


  • Netgate

    Impossible to say with the information at-hand.

    You'll need to give a better picture of what is going on and what configuration you have done.

    You can test bypassing policy routing by placing a rule above the policy routing rule that only matches the source address of your test host and does not have a gateway set. This won't impact any other source hosts.

    And no. We don't have packet-trace, unfortunately.

    I will also add that 0.0.0.0/0 traffic selectors on IPsec site-to-site tunnels are really hard to get right. They inevitably gobble up traffic you didn't expect to be interesting. OpenVPN is a lot more forgiving in that regard. The VTI IPsec in 2.4.4 (dev branch) should also work pretty well. I don't know of anyone who has tried that with it yet.
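    The ordering effect described in this reply (a LAN rule with a gateway set wins over the phase 2 selector, and a no-gateway rule for one source host placed above it restores normal routing for that host only) can be modelled as a first-match rule evaluator. The block below is an added example written for this page, not pfSense code or anything the participants posted. The LAN prefixes, rule names, gateway label and the simplified "route-to is decided before the SPD is consulted" model are constructed assumptions for illustration.

```python
"""Added example (not from the thread): first-match simulation of pfSense-style
LAN rules to show why policy routing keeps traffic off an IPsec tunnel whose
phase 2 is "LAN to 0.0.0.0/0", and how a per-host bypass rule above it behaves.

Assumptions (constructed for illustration, not pfSense internals):
  - user rules are evaluated first match wins (pfSense emits them with 'quick')
  - a rule with a gateway applies route-to before any IPsec SPD lookup
  - a rule without a gateway takes the normal path, where the SPD is checked
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src: str                        # CIDR matched against the source address
    dst: str                        # CIDR matched against the destination
    gateway: Optional[str] = None   # set => policy routing (route-to)


@dataclass
class Phase2:
    local: str    # local traffic selector (CIDR)
    remote: str   # remote traffic selector (CIDR)


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the first rule whose src/dst networks contain the packet."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r
    return None


def forwarding_decision(rules: List[Rule], spd: List[Phase2],
                        src: str, dst: str) -> str:
    """Where a packet from src to dst leaves the firewall under this model."""
    r = first_match(rules, src, dst)
    if r is None:
        return "blocked"              # no pass rule matched
    if r.gateway:
        return f"route-to {r.gateway}"  # policy routing wins, SPD never consulted
    s, d = ip_address(src), ip_address(dst)
    for p in spd:                     # normal path: check phase 2 selectors
        if s in ip_network(p.local) and d in ip_network(p.remote):
            return "ipsec"
    return "default-route"


# Constructed sample topology: Site B LAN 10.20.0.0/24, Site A LAN 10.10.0.0/24,
# and the widened phase 2 from the thread (Site B LAN to 0/0).
SPD = [Phase2("10.20.0.0/24", "0.0.0.0/0")]

# Constructed "inherited" LAN ruleset: a default rule that pins LAN traffic to
# the WAN gateway, i.e. the policy-routing rule the reply above refers to.
INHERITED_RULES = [
    Rule("LAN to Site A LAN", "10.20.0.0/24", "10.10.0.0/24"),
    Rule("LAN default via WAN gateway", "10.20.0.0/24", "0.0.0.0/0", gateway="WAN_GW"),
]


def with_test_host_bypass(rules: List[Rule], host: str) -> List[Rule]:
    """The test from the reply: a no-gateway rule for one source host placed
    above the policy-routing rule, leaving every other host untouched."""
    return [Rule("bypass policy routing (test host)", f"{host}/32", "0.0.0.0/0")] + list(rules)


def without_policy_routing(rules: List[Rule]) -> List[Rule]:
    """The eventual fix in the thread: the same rules with the gateway removed."""
    return [Rule(r.name, r.src, r.dst, None) for r in rules]


if __name__ == "__main__":
    host, other = "10.20.0.5", "10.20.0.6"
    for label, rules in [("inherited", INHERITED_RULES),
                         ("test-host bypass", with_test_host_bypass(INHERITED_RULES, host)),
                         ("gateway removed", without_policy_routing(INHERITED_RULES))]:
        print(f"{label:17} {host}->8.8.8.8: {forwarding_decision(rules, SPD, host, '8.8.8.8')}; "
              f"{other}->8.8.8.8: {forwarding_decision(rules, SPD, other, '8.8.8.8')}")
```

Running it shows the three states of the thread in order: with the inherited gateway rule the test host's ping to 8.8.8.8 is route-to WAN_GW even though the SA is up; with the single-host bypass rule above it, only that host's traffic goes to ipsec while a neighbouring host still follows the gateway; with the gateway removed, all LAN hosts reach the tunnel. LAN-to-LAN traffic goes to ipsec in every case, which is why the OP saw the local LANs working while internet-bound traffic leaked out the WAN.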



  • @derelict said in [IPSec] Unable to force all internet traffic over IKEv1 L2L:

    You can test bypassing policy routing by placing a rule above the policy routing rule that only matches the source address of your test host and does not have a gateway set. This won't impact any other source hosts.

    Initially I wanted to test this out by adding a second phase 2 SA for a single host going out to 0/0; however, that SA never came up (and yes, it was added on both ends :) ). No matter what I tried, I never saw a second SA. This is another interesting observation.

    I can add the firewall rule for a single host, but I will also have to edit the phase 2 statement that we currently have.

    As for the changes, I haven't made any others apart from changing the phase 2 of the tunnel from "Local LAN to Remote LAN" to "Local LAN to 0/0" (I have tested some stuff of course, but rolled all of that back). Restoring the phase 2 configuration gets the internet going straight off the bat, which is weird to me.

    I also read that people would consider going the OpenVPN path for similar needs, but this whole tunnel will soon be moved to another termination device, so we decided to go with the already existing configuration and face the consequences :)

    Thank you very much for the continuous assistance, I greatly appreciate it.

    Cheers,
    Nick



  • Hello,

    It was indeed this Firewall Rule.

    Once I removed the Gateway part, traffic started hitting the IPSec tunnel.

    Cheers for the help.



© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy