VTI Ipsec Dynamic Rules (solved)
We are facing an issue regarding dynamic rules on the PF.
Site A :
- LAN : 192.168.100.0/24
- VTI : 172.16.0.5/30
Site B :
- VTI : 172.16.0.6/20
Tunnel is UP and active
Site A : On the LAN interface, I added a rule :
- SRC : LAN Net
- DST : 220.127.116.11/24 -> GW : the one auto created by the VTI interfaces
Site B : On the LAN interface, I added a rule :
- SRC : LAN Net
- DST : 18.104.22.168/24 -> GW : the one auto created by the VTI interfaces
When I ping a host on site B from site A :
- I see the packet on Site A LAN
- I see the packet on Site A IPSEC Interface
- I see the packet on site B IPSEC Interface
- I see the packet on site B LAN
- I see the answer on site B LAN
=> packet then disappears
IPSec interface has an allow all policy.
The issue is not present when I add a static route on both sites.
To my understanding, it should also work with the policy rules.
Any idea ? Am I missing something ?
You must create static routes on both sides of the tunnel (in your case you don't need PBR; it is enough to create static routes).
If I'm reading right, Policy Based Routing should work ?
Either NAT outbound or static routes
VTIs do not have the reply-to function.
Ok thanks for clarification.
- NAT OUTBOUND + PBR
- STATIC ROUTES + PBR
- STATIC ROUTES
- STATIC ROUTES + NAT OUTBOUND
I chose Static Routes + PBR (both are needed if the whole LAN needs to be connected).
And now I'm moving to Dynamic Routing to create a hub & spoke configuration.
So, for people who are facing the same issues:
You need both a route on the pfSense (you must be able to see it with `netstat -rn`)
And then, according to your firewall policy rules :
- if you use the default gateway (*) in your rules : OK
- if you use a specific gateway or a gateway group : assign a new rule through the IPsec gateway
I think the documentation should mention it. I'm not a native English speaker and after reading the doc, I thought either static routes OR policy rules should work. But it's not an OR, it's an AND :)
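The following is an added illustration, not code from the thread or from pfSense: a small routing-table simulator that reproduces the symptom described above. The forward ping is forced onto the VTI by the PBR rule, but the reply from site B has no reply-to state on a VTI, so it is routed purely by longest-prefix match; without a static route for the remote LAN it leaves via the default gateway and "disappears". Interface names, site B's LAN prefix and the /30 VTI mask are assumptions.

```python
import ipaddress

# Constructed topology based on the thread (site B LAN and interface names assumed).
SITE_A_LAN = "192.168.100.0/24"
SITE_B_LAN = "192.168.200.0/24"   # assumed: the thread does not give site B's LAN
VTI_NET = "172.16.0.4/30"         # 172.16.0.5 (A) and 172.16.0.6 (B), assumed /30

# A routing table is a list of (destination prefix, outgoing interface),
# i.e. what "netstat -rn" would show as Destination / Netif.
BASE_A_ROUTES = [("0.0.0.0/0", "wan"), (SITE_A_LAN, "lan"), (VTI_NET, "ipsec_vti")]
BASE_B_ROUTES = [("0.0.0.0/0", "wan"), (SITE_B_LAN, "lan"), (VTI_NET, "ipsec_vti")]
STATIC_A_ROUTES = BASE_A_ROUTES + [(SITE_B_LAN, "ipsec_vti")]  # static route added
STATIC_B_ROUTES = BASE_B_ROUTES + [(SITE_A_LAN, "ipsec_vti")]  # static route added


def lookup(routes, dst):
    """Longest-prefix match over the table. This is the only thing a reply can
    use on a VTI, because no reply-to gateway is bound to the state."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward_iface(rule_gateway, routes_a, dst):
    """Interface the forward packet leaves site A on. A PBR rule with an explicit
    gateway overrides the table; the default gateway '*' means a table lookup."""
    return rule_gateway if rule_gateway else lookup(routes_a, dst)


def ping_round_trip(rule_gateway_a, routes_a, routes_b, src, dst):
    """Return (forward_iface, reply_iface, ok). ok is True only when both
    directions traverse the VTI; a reply leaving via 'wan' is the lost packet."""
    fwd = forward_iface(rule_gateway_a, routes_a, dst)
    rep = lookup(routes_b, src)   # reply is routed by site B's table, not by PBR
    return fwd, rep, fwd == "ipsec_vti" and rep == "ipsec_vti"


if __name__ == "__main__":
    print("PBR only:      ", ping_round_trip("ipsec_vti", BASE_A_ROUTES, BASE_B_ROUTES,
                                             "192.168.100.10", "192.168.200.10"))
    print("PBR + routes:  ", ping_round_trip("ipsec_vti", STATIC_A_ROUTES, STATIC_B_ROUTES,
                                             "192.168.100.10", "192.168.200.10"))
```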