Access remote subnet through IPSEC VTI ?



  • Hi,

    With my recent upgrade to pfSense 2.4.4, I moved my IPsec tunnel from policy-based to routed VTI.

    One of my pfSense boxes has multiple LANs and a single WAN.
    The other one has only one LAN but multiple WANs.

    PFSENSE1
    LAN: 192.168.110.X/24
    IPSEC_VTI: 192.168.34.1/30
    Static Route:
    192.168.33.0/24 to 192.168.34.2
    10.0.0.0/8 to 192.168.34.2

    PFSENSE2
    LAN: 192.168.33.X/24
    OPT1: 192.168.32.X/24
    IPSEC_VTI: 192.168.34.2/30
    Static Route:
    192.168.110.0/24 to 192.168.34.1
    10.0.0.0/8 to GW of OPT1 (192.168.32.Y)

    I don't use policies in Firewall \ Rules to force a gateway.
    On the IPsec interfaces, all traffic is "pass".

    Results:

    From the LAN of PFSENSE1 I can ping the LAN of PFSENSE2 (and the inverse).
    From PFSENSE1 itself I can ping a 10.0.0.X IP (only if I add an outbound NAT on pfSense2).
    From the LAN of PFSENSE1 I can't ping a 10.0.0.X IP.

    What am I missing?

    Thanks

    Yathus





  • @grimson said in Access remote subnet through IPSEC VTI ?:

    https://www.youtube.com/watch?v=AKMZ9rNQx7Y

    Thanks for this video, very interesting.

    But that doesn't help me.

    As I wrote, the standard configuration is working (static routes):

    LAN1 <-> PFSENSE1 <-> PFSENSE2 <-> LAN1 => OK
    PFSENSE1 -> PFSENSE2 -> OPT1 => OK
    PFSENSE2 -> PFSENSE1 -> LAN1 => OK
    LAN1 -> PFSENSE1 -> PFSENSE2 -> OPT1 => KO

    I test with ping (without interface).

    I'll reboot everything tonight; we will see.



  • An interesting issue! Let me know if you got it working, or otherwise try the "traceroute" tool to see how far the packet goes and post the results back here so that we can help you.



  • Maybe it's a problem with my old Outbound NAT config?

    When you use LAN / WAN / OPT1 and just static routes for OPT1, is outbound NAT required or not? I'm lost now; I always use static routes AND outbound NAT for each static route (Interface OPT1, Source LAN Subnet, Destination Remote Network) in Manual Outbound NAT rule generation (AON - Advanced Outbound NAT).

    I checked; I have some "Auto created rule for localhost to OPT1" or "Auto created rule for LAN to OPT1" rules. Maybe I have to add one for "Auto created rule for VTI_IPSEC to OPT1" too?



  • Whether you have to use NAT depends on your networking setup. Did you try to use "traceroute" to trace how far the packet reaches? Try to disable the firewall functionality to confirm that the issue isn't caused by firewall rules.



  • @lecygne said in Access remote subnet through IPSEC VTI ?:

    Whether you have to use NAT depends on your networking setup. Did you try to use "traceroute" to trace how far the packet reaches? Try to disable the firewall functionality to confirm that the issue isn't caused by firewall rules.

    During the lunch break, I upgraded to the latest pfSense 2.4.4-p2 and rebooted; no change.
    Then I cleaned up my Outbound NAT rules:

    Just 3 rules for WAN/OPT1 (source 127.0.0.1, source local subnet, destination 500), and everything is working from LAN!

    Then I just added an Outbound NAT rule with source 192.168.110.0/24 (my remote subnet behind IPsec) on OPT1, and the remote subnet got access to the server behind OPT1.

    Now I just need to understand where I can add rules if I want to limit access to this remote subnet.
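The behaviour reported in this thread (LAN1 to LAN2 works on static routes alone, LAN1 to the server behind OPT1 only works once pfSense2 has an outbound NAT rule for the remote subnet on OPT1) can be reproduced with a small longest-prefix-match simulation of the forward and return path. The following script is an added example, not code from the thread or from pfSense; it models the routing tables and the OPT1 outbound NAT rule given above. Everything the thread leaves open is an assumption: the LAN hosts 192.168.110.10 and 192.168.33.10, the OPT1 gateway 192.168.32.254 (the thread's "192.168.32.Y"), the server 10.0.0.50, and above all the routing table of that OPT1 gateway, which is assumed to know pfSense2's LAN but not the remote subnet or the VTI transit network. Under that assumption the simulation shows why the reply never comes back without NAT, and why NAT to pfSense2's OPT1 address fixes it.

```python
"""Forward/return path simulation of the VTI topology from the thread (added example)."""
from ipaddress import ip_address, ip_network

# Constructed topology. name -> (interface addresses, routes); a route is (prefix, next hop),
# with next hop None meaning "directly connected". Addresses marked "assumed" are not in the thread.
NODES = {
    "lan1-host": ({"192.168.110.10"},                     # assumed host in PFSENSE1's LAN
                  [("0.0.0.0/0", "192.168.110.1")]),
    "pfsense1": ({"192.168.110.1", "192.168.34.1"},
                 [("192.168.110.0/24", None), ("192.168.34.0/30", None),
                  ("192.168.33.0/24", "192.168.34.2"),    # static route from the thread
                  ("10.0.0.0/8", "192.168.34.2")]),       # static route from the thread
    "pfsense2": ({"192.168.33.1", "192.168.32.1", "192.168.34.2"},
                 [("192.168.33.0/24", None), ("192.168.32.0/24", None), ("192.168.34.0/30", None),
                  ("192.168.110.0/24", "192.168.34.1"),   # static route from the thread
                  ("10.0.0.0/8", "192.168.32.254")]),     # "GW of OPT1 (192.168.32.Y)", Y assumed 254
    "opt1-gw": ({"192.168.32.254", "10.0.0.1"},           # assumed router in front of 10.0.0.0/8
                [("192.168.32.0/24", None), ("10.0.0.0/8", None),
                 ("192.168.33.0/24", "192.168.32.1")]),   # ASSUMPTION: knows pfSense2's LAN only
    "lan2-host": ({"192.168.33.10"}, [("0.0.0.0/0", "192.168.33.1")]),  # assumed host in LAN2
    "server": ({"10.0.0.50"}, [("0.0.0.0/0", "10.0.0.1")]),             # assumed 10.0.0.X server
}

# The outbound NAT rule the thread ended up with: on pfSense2, source 192.168.110.0/24 leaving
# towards OPT1 (192.168.32.0/24) is translated to pfSense2's OPT1 address.
OPT1_NAT = [("pfsense2", "192.168.110.0/24", "192.168.32.0/24", "192.168.32.1")]


def owner(addr):
    """Return the node that owns an interface address, or None."""
    for name, (addrs, _) in NODES.items():
        if addr in addrs:
            return name
    return None


def next_hop(node, dst):
    """Longest-prefix match on a node's table. Returns (next_hop, matched)."""
    best = None
    for prefix, nh in NODES[node][1]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (None, False) if best is None else (best[1], True)


def forward(node, src, dst, nat_rules=(), max_hops=8):
    """Trace one packet hop by hop. Returns (path, source as seen at the end, delivered)."""
    path = [node]
    for _ in range(max_hops):
        if dst in NODES[node][0]:
            return path, src, True
        nh, ok = next_hop(node, dst)
        if not ok:
            return path, src, False          # no route: the packet is dropped here
        egress = dst if nh is None else nh
        for nat_node, src_net, out_net, new_src in nat_rules:
            if (node == nat_node and ip_address(src) in ip_network(src_net)
                    and ip_address(egress) in ip_network(out_net)):
                src = new_src                # outbound NAT rewrites the source address
        node = owner(egress)
        if node is None:
            return path, src, False
        path.append(node)
    return path, src, False


def round_trip(src_node, src, dst, nat_rules=()):
    """Forward a request and its reply. Returns (outbound path, return path, reply arrived)."""
    out_path, seen_src, delivered = forward(src_node, src, dst, nat_rules)
    if not delivered:
        return out_path, [], False
    back_path, _, back_ok = forward(out_path[-1], dst, seen_src)
    if back_ok and seen_src != src:
        # Reply reached the NAT address: the firewall's state table maps it back to the
        # original source and forwards it from there.
        tail, _, back_ok = forward(back_path[-1], dst, src)
        back_path += tail[1:]
    return out_path, back_path, back_ok and back_path[-1] == src_node


if __name__ == "__main__":
    cases = [
        ("LAN1 -> LAN2, no NAT", "lan1-host", "192.168.110.10", "192.168.33.10", ()),
        ("PFSENSE1 -> OPT1 server, no NAT", "pfsense1", "192.168.34.1", "10.0.0.50", ()),
        ("LAN1 -> OPT1 server, no NAT", "lan1-host", "192.168.110.10", "10.0.0.50", ()),
        ("LAN1 -> OPT1 server, NAT on OPT1", "lan1-host", "192.168.110.10", "10.0.0.50", OPT1_NAT),
    ]
    for label, node, src, dst, nat in cases:
        out, back, ok = round_trip(node, src, dst, nat)
        print(f"{label}: {'OK' if ok else 'KO'}  out={out}  back={back}")
```

Without the NAT rule the return path ends at the OPT1 gateway, which has no route for 192.168.110.0/24 (or for the VTI transit 192.168.34.0/30, which is why pinging from pfSense1 itself fails too); with the rule the server replies to 192.168.32.1, pfSense2 reverses the translation and forwards the reply over the VTI. The alternative to NAT under this model is a return route for the remote subnets on the OPT1 gateway, which is the part of the setup the thread does not describe.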



  • @yathus said in Access remote subnet through IPSEC VTI ?:

    Now I just need to understand where I can add rules if I want to limit access to this remote subnet.

    It's done too; I just have to add a rule in the firewall and wait (or kill states...).