Traffic from internet through IPSEC VTI not returning the same way
-
@adrianesqq show rules on vlan5 interface
-
@konstanti
I will collect detailed info about config, firewall and post it. -
@adrianesqq
I tested it myself.
It seems that this option will not work
It only works for outgoing connections
Jump was right
Sorry for the mistake!
Remains the only option with NAT OUTBOUND
This scheme works fine
-
@konstanti
Thank you for help. Solution with nat is working.
The solution is:- Add SNAT on GW2
- Add static routing on GW1 back to GW2
I also tried to replace VTI with GRE over ipsec tunnel.
Result is the same as in case of VTI.
Packets do not return to GRE interface.@jimp Do you plan to add/repair return-to functionality? Can I post request somewhere?
-
@adrianesqq said in Traffic from internet through IPSEC VTI not returning the same way:
Do you plan to add/repair return-to functionality? Can I post request somewhere?
It's not up to us, it's broken in FreeBSD/pf
-
Has this been resolved in freebsd yet?
Thanks
-
No
-
Can you help me out with the same issue I'm having here?
I basically do the same thing. I have a port forward rule and an outbound NAT rule on Site A (GW2 in your example) so that I can reach a server in Site B (GW1 in your example) through Site A's public IP and for the return traffic from the server to return to Site A's IPsec interface. Doing a packet capture in Site A's IPsec interface, I do see the return traffic making it until that point but its destination IP is somehow not translated back to the original external public source IP so I don't see any return traffic on Site A's WAN interface.
How did you get this working with outbound NAT? I'm scratching my head for a few weeks now as I'm not getting any help :(
-
@kevindd992002
The solution for me was to use OPENVPN. Netgate informed me that there are some limitations in the free bsd software that cause this issue. I deleted my IPsec vpn and then built the site to site vpn using open vpn in pfsense. All my policy based routing worked fine after the switch.I am new to pfsense and was used to using IPsec vpn's with other firewalls. I had never used open vpn therefore I started with IPsec. Open vpn is very simple to setup and works well. I am using it for site to site vpn with pfsense on both sides as well as for mobile vpn.
Hope this helps you.
Eric
-
@e37921 said in Traffic from internet through IPSEC VTI not returning the same way:
@kevindd992002
The solution for me was to use OPENVPN. Netgate informed me that there are some limitations in the free bsd software that cause this issue. I deleted my IPsec vpn and then built the site to site vpn using open vpn in pfsense. All my policy based routing worked fine after the switch.I am new to pfsense and was used to using IPsec vpn's with other firewalls. I had never used open vpn therefore I started with IPsec. Open vpn is very simple to setup and works well. I am using it for site to site vpn with pfsense on both sides as well as for mobile vpn.
Hope this helps you.
Eric
Yeah, it's the other way around for me. Everything was working fine with OpenVPN but I needed to switch to IPsec because the bandwidth I'm getting with OpenVPN is limited by my hardware (APU2C4).
I consulted @jimp and confirmed that the workaround for this issues is this. The only caveat for setting that is it breaks policy-based IPsec tunnels, so if you use both route-based and policy-based then that would be a problem. As I'm using only route-based IPsec then I'm good. I'm testing now.