Netgate Discussion Forum
    VTI Ipsec Dynamic Rules (solved)

    martintamare

      Hello there,

      We are facing an issue regarding dynamic rules on the PF.

      Site A :

      • LAN : 192.168.100.0/24
      • VTI : 172.16.0.5/30

      Site B :

      • 192.168.42.0/24
      • VTI : 172.16.0.6/20

      Tunnel is UP and active

      Site A : On the LAN interface, I added a rule :

      • SRC : LAN Net
      • DST : 192.162.42.0/24 -> GW : the one auto created by the VTI interfaces

      Site B : On the LAN interface, I added a rule :

      • SRC : LAN Net
      • DST : 192.162.100.0/24 -> GW : the one auto created by the VTI interfaces

      When I ping a host on site B from site A :

      • I see the packet on Site A LAN
      • I see the packet on Site A IPSEC Interface
      • I see the packet on site B IPSEC Interface
      • I see the packet on site B LAN
      • I see the answer on site B LAN
        => the packet then disappears

      IPSec interface has an allow all policy.

      The issue is not present when I add a static route on both sites.
      To my understanding, it should also work with the policy rules.

      Any idea ? Am I missing something ?

      Regards,

      Konstanti @martintamare

        @martintamare

        You must create static routes on both sides of the tunnel (in your case you don't need PBR; it is enough to create static routes).

        https://pfsense-docs.readthedocs.io/en/latest/vpn/ipsec/ipsec-routed.html

        https://www.youtube.com/watch?v=AKMZ9rNQx7Y&t=1098s (21:55)

        martintamare

          If I'm reading right, Policy Based Routing should work ?

          Konstanti @martintamare

            @martintamare
            Either NAT outbound or static routes.

            VTIs do not have the reply-to function.

            martintamare

              Ok thanks for clarification.

              Konstanti @martintamare

                @martintamare
                Your solutions:

                1. NAT OUTBOUND + PBR
                2. STATIC ROUTES + PBR
                3. STATIC ROUTES
                4. STATIC ROUTES + NAT OUTBOUND
                martintamare

                  I chose Static Routes + PBR (both are needed if the whole LAN needs to be connected).
                  And now I'm moving to dynamic routing to create a hub & spoke configuration.

                  martintamare

                    So for people who are facing the same issues.

                    You need a route on the pfSense (you must be able to see it with netstat -rn),
                    and then, depending on your firewall policy rules:

                    • if you use the default gateway (*) in your rules: OK
                    • if you use a specific gateway or a gateway group: assign a new rule through the IPsec gateway

                    I think the documentation should mention it. I'm not a native English speaker, and after reading the doc I thought either static routes OR policy rules should work. But it's not an OR, it's an AND :)

                    Regards

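The "AND" in the summary above is easiest to see by separating the two paths a packet can take through pf: a new connection is matched against the rules (where a rule gateway, i.e. PBR, overrides the routing table), while a reply to an existing state skips the rules and uses the reply-to recorded on the state, which a VTI does not provide, so the reply falls back to a plain routing lookup. The following is an added, simplified model of that behaviour written for this thread; it is not pfSense code. It assumes the thread's addresses (site A LAN 192.168.100.0/24, site B LAN 192.168.42.0/24) and takes 172.16.0.5, site A's VTI address, as the gateway pfSense auto-creates on site B; the host addresses, the `wan_gw` next hop and the `reply_to=None` property of VTI states are constructed for the example.

```python
import ipaddress

# Constructed topology taken from the thread: site A LAN, site B LAN, and the VTI pair.
SITE_A_LAN = "192.168.100.0/24"
SITE_B_LAN = "192.168.42.0/24"
VTI_GW_ON_B = "172.16.0.5"  # site A's VTI address = the gateway auto-created on site B (assumption)


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, the way `netstat -rn` resolves it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward_next_hop(rules, routes, src, dst):
    """New connection: the first matching pass rule decides. A rule gateway (PBR) overrides
    the routing table; gateway '*' means 'use the routing table'. None = no rule passes it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule["src"]) and d in ipaddress.ip_network(rule["dst"]):
            if rule["gateway"] != "*":
                return rule["gateway"]
            return route_lookup(routes, dst)
    return None


def reply_next_hop(state, routes):
    """Reply to an existing state: pf skips the rules and uses the reply-to stored on the state.
    Per the thread, VTI interfaces have no reply-to, so a state created by traffic entering
    through the VTI carries reply_to=None and the reply is sent by a plain routing lookup."""
    if state["reply_to"] is not None:
        return state["reply_to"]
    return route_lookup(routes, state["src"])  # the reply goes back to the original source


# Site B routing tables, constructed: without and with the static route to site A's LAN.
ROUTES_NO_STATIC = [(SITE_B_LAN, "lan"), ("0.0.0.0/0", "wan_gw")]
ROUTES_STATIC = ROUTES_NO_STATIC + [(SITE_A_LAN, VTI_GW_ON_B)]

# Site B LAN rules: the OP's PBR rule versus a plain default-gateway rule.
LAN_RULES_PBR = [{"src": SITE_B_LAN, "dst": SITE_A_LAN, "gateway": VTI_GW_ON_B}]
LAN_RULES_DEFAULT = [{"src": SITE_B_LAN, "dst": "0.0.0.0/0", "gateway": "*"}]


def ping_from_a_reply_path(routes):
    """Echo request from site A enters site B on the VTI (allow-all rule, no reply-to);
    returns where site B sends the echo reply."""
    state = {"src": "192.168.100.10", "dst": "192.168.42.10", "reply_to": None}
    return reply_next_hop(state, routes)


def ping_from_b_forward_path(rules, routes):
    """Echo request originated on site B's LAN towards site A: a new state, so the rules apply."""
    return forward_next_hop(rules, routes, "192.168.42.10", "192.168.100.10")


if __name__ == "__main__":
    print("A->B reply, PBR only, no static route  :", ping_from_a_reply_path(ROUTES_NO_STATIC))
    print("A->B reply, static route present       :", ping_from_a_reply_path(ROUTES_STATIC))
    print("B->A request, PBR rule, no route       :", ping_from_b_forward_path(LAN_RULES_PBR, ROUTES_NO_STATIC))
    print("B->A request, default gw, no route     :", ping_from_b_forward_path(LAN_RULES_DEFAULT, ROUTES_NO_STATIC))
    print("B->A request, default gw, static route :", ping_from_b_forward_path(LAN_RULES_DEFAULT, ROUTES_STATIC))
```

Run it and the first line shows the OP's symptom: with only the PBR rule on site B, the echo reply to site A is routed to `wan_gw` and never reaches the tunnel, because nothing on the VTI state pulls it back. Adding the static route fixes that reply path. The PBR rule, on the other hand, is what makes connections *originated* on site B reach the tunnel when the rule names a specific gateway; with a default-gateway (`*`) rule the static route alone covers both directions, which is the distinction the summary draws between the two bullet points.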