Routed IPSEC - routing internet activity from one site to another



  • I'm currently using an openvpn server and client connection (not openvpn site to site) to connect two locations to each other. Have just upgraded to 2.4.4 and really like the power of the new routed IPSEC option. What I cannot figure out is how I would take advantage of this feature to replace the openvpn setup I'm currently using. IPSEC affords me greater speed and better performance so I'd really like to use it versus openvpn (though I'll keep openvpn as a fallback). I haven't been able to find any articles on how to accomplish what I'm trying to do. Does anyone here have experience and/or know how I can make this work?

    Thanks in advance!


  • Rebel Alliance Developer Netgate

    How are you doing it now with OpenVPN? It's likely very similar.

    The assigned IPsec interface gets you a gateway. You can use that gateway to policy route things. Match the local traffic with a rule (e.g. on LAN) that uses the IPsec gateway, then the user traffic will leave that interface. You'll either need outbound NAT to mask the source of traffic as the IPsec interface address or you can do NAT on the far side so long as it has a route back to the client subnet back over IPsec.



  • @jimp thanks for the response. So the openvpn connection is essentially just what you noted. I have the openvpn interface and gateway created. Rules on the openvpn tab that specify what source and destination subnet combinations to route, and NAT on the opposite end that allow me traffic out to the world. I then set the gateway for the LAN or a VLAN network to use the openvpn gateway. All works great.

    From what you are saying then, I should just employ the exact same setup? Same or similar rules on the IPSEC tab, select the IPSEC gateway for my local LAN, and NAT for the IPSEC subnet on the opposite end so that the traffic can reach the world?

    Apologies in advance if some of this is trivial. I am 100% self taught. While I'm mentally able to visualize a lot of this, I hit a wall from time to time.


  • Rebel Alliance Developer Netgate

    You wouldn't set rules on the OpenVPN (or IPsec) tab for traffic leaving your local network going to the far side. Those are probably unnecessary. Just outbound NAT and gateway on the LAN should do it.



  • OK, I'll give that a try and see if something complains. Thanks for the sanity check.



  • @jimp sorry to reappear but I've had no success tonight. I straight up cannot get the routed IPsec to actually route. Here's what I've got:

    1. Successful P1 and P2 connection between both locations. IPsec status shows connected with the IPs I've chosen for this connection. They do not overlap with local or remote subnet IP ranges.
    2. Created the interface.
    3. Have a "from any to any" IPsec rule with the VTI interface gateway selected as the gateway.
    4. Have outbound NAT for the local LAN subnet with the VTI interface as the outbound interface. I'm not supposed to use the P2 IP subnet, right?
    5. For testing purposes I set a LAN rule for my laptop to use the VTI interface gateway.
    6. Enable the rule and my connection dies. Cannot browse the internet. Cannot get to remote subnets. Can only interact with local devices and the GUI.

    I use the ping tool to ping the opposite side using the VTI interface as the origin and all packets are lost. Seems to me like I've just plain got no route. At this point I've replicated everything I do for OpenVPN minus the CA and certs.

    Is there anything in the outline I've provided that doesn't look right? I'm beyond confused at this point.


  • Rebel Alliance Developer Netgate

    #3 is wrong. You don't put a gateway on the IPsec tab rules. Make sure that isn't set on either side.



  • @jimp continue to battle with this thing. One question I have comes from the online documentation where it says:

    Though a tab appears for the assigned interface, traffic must be passed on the IPsec tab.

    I only have the ipsec tab on both my boxes. No interface. This is unlike openvpn where I have the OpenVPN tab and one for my Expressvpn interface. Is this right? Online documentation suggests configuration to the interface tab but without it that's not possible.


  • Rebel Alliance Developer Netgate

    @ngoehring123 said in Routed IPSEC - routing internet activity from one site to another:

    @jimp continue to battle with this thing. One question I have comes from the online documentation where it says:

    Though a tab appears for the assigned interface, traffic must be passed on the IPsec tab.

    I only have the ipsec tab on both my boxes. No interface. This is unlike openvpn where I have the OpenVPN tab and one for my Expressvpn interface. Is this right? Online documentation suggests configuration to the interface tab but without it that's not possible.

    The rules on the assigned IPsec interface tab had no effect, so we hid the tab to be less confusing. The doc you read was probably before that change was made.



  • @jimp phew, I was banging my head trying to figure out what box I hadn't checked. So based on your expertise, if I purely just wanted to be able to connect to the remote network and devices, not push any non internal network traffic across it (i.e. internet), I would create the connection using a subnet not part of the existing network, create the interface, set the ipsec tab firewall rule (all/all), then apply the gateway to an ip or subnet on my lan or vlan interfaces and that should have me routing? I don't need to do anything like the tunneled ipsec connection p2s, in which I define the routes? This has worked so easily for openvpn and the traditional tunnel ipsec setup I've done. I just can't see what's not right given how very similar it is to openvpn connection.



  • @jimp I'm happy to post screenshots if that helps. Didn't want to overstep any bounds. Am extremely thankful for your thoughts and don't want to appear to be trying to take advantage of you.


  • Rebel Alliance Developer Netgate

    I don't have a setup for it right now but during my initial testing one of the things I tried was routing Internet traffic across VTI and it worked. If I recall correctly what I did was:

    • Setup a basic VTI connection between two systems (P1 between the peers, P2 set to VTI with an unused subnet)
    • Assign the interface
    • Set a rule on LAN matching client traffic to use the VTI gateway

    The parts I can't remember if I did in this case are:

    • Outbound NAT -- might be done on the client firewall side, or might be done on the firewall where the Internet traffic exits
    • Static routes on each side so the LANs can reach each other -- this way each router knows how to get back to the other LAN

    If you do the outbound NAT on the remote side where the Internet traffic will exit, then that end definitely needs a static route to get back to the client side LAN.
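    A verification check for the two items named above that the Internet-exit side needs (a static route back to the client-side LAN over the VTI, and an outbound NAT rule covering that LAN), added here as an example and not taken from the thread or from pfSense itself. It parses constructed samples of FreeBSD `netstat -rn` and `pfctl -s nat` output; the interface names (`ipsec1`, `em0`) and subnets are assumptions.

```shell
#!/bin/sh
# Added example: on the firewall where Internet traffic exits, confirm
# (a) a route back to the client-side LAN goes out the VTI interface and
# (b) an outbound NAT rule on WAN covers that LAN.
# The two samples below are constructed to resemble FreeBSD/pfSense output;
# on a real box substitute `netstat -rn -f inet` and `pfctl -s nat`.
CLIENT_LAN="10.0.10.0/24"   # assumed LAN behind the client-side firewall
VTI_IF="ipsec1"             # assumed name of the assigned VTI interface
WAN_IF="em0"                # assumed WAN interface on the exit side

ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       em0
10.0.10.0/24       10.6.210.1         UGS       ipsec1
10.6.210.0/30      link#8             U         ipsec1
192.168.1.0/24     link#1             U         em1'

NAT_RULES='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5
nat on em0 inet from 10.0.10.0/24 to any -> 203.0.113.5'

# route_back_exists TABLE DEST NETIF: success if DEST is routed out NETIF
route_back_exists() {
    printf '%s\n' "$1" | awk -v d="$2" -v n="$3" \
        '$1 == d && $4 == n { ok = 1 } END { exit !ok }'
}

# outbound_nat_exists RULES SRC NETIF: success if a nat rule on NETIF covers SRC
outbound_nat_exists() {
    printf '%s\n' "$1" | awk -v s="$2" -v n="$3" \
        '$1 == "nat" && $3 == n && $6 == s { ok = 1 } END { exit !ok }'
}

# check_exit_side: returns 0 when both conditions hold, reports what is missing
check_exit_side() {
    rc=0
    if route_back_exists "$ROUTES" "$CLIENT_LAN" "$VTI_IF"; then
        echo "ok: route to $CLIENT_LAN via $VTI_IF"
    else
        echo "MISSING: static route to $CLIENT_LAN via the $VTI_IF gateway"; rc=1
    fi
    if outbound_nat_exists "$NAT_RULES" "$CLIENT_LAN" "$WAN_IF"; then
        echo "ok: outbound NAT on $WAN_IF for $CLIENT_LAN"
    else
        echo "MISSING: outbound NAT on $WAN_IF for $CLIENT_LAN"; rc=1
    fi
    return $rc
}
check_exit_side
```

If the route line is absent, replies to the client LAN follow the default route out WAN and the tunnel appears to pass nothing, which matches the "all packets lost" symptom described earlier in the thread.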



  • @jimp watching your hangout right now. I'm up to the part where you made a static route and I think this is what I'm missing. Will know once I finish watching and give it a go on my own setup. Once I can get the two networks talking, then I'll try passing the internet traffic. I'll let you know how it goes. Many thanks for your assistance and the hangout!



  • @jimp I've finished the hangout and finally have routing working. I feel like an idiot for not finding the hangout first. One final question: can I do static routes for multiple subnets on the remote end via the same VTI, or do I need a separate one for each subnet?


  • Rebel Alliance Developer Netgate

    It's all routed, so you can set up as many static routes as you want, or even use a routing protocol like OSPF or BGP. No need to specify the networks to carry in IPsec at all.