Can I route internet traffic from site B through site A via IPsec VTI?
-
@ngoehring123
First time I've seen such a thing.
Show me what this command shows:
pfctl -sr | grep enc0
(WebGUI /Diagnostics/Command Prompt/) -
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass quick on enc0 inet all flags S/SA keep state label "USER_RULE"
pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE" -
@ngoehring123
And also try, in the floating rule, setting the options TCP Flags: Any flags and State type: None -
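An added example, not from this thread and not pfSense's own code: a small POSIX shell audit that takes `pfctl -sr` output (the check asked for above) and counts, per interface, the stateful (`keep state`) rules and the stateless (`no state`) rules, which is what a floating rule with State type None should produce, so you can see whether the VTI interface has any rules at all rather than only enc0. The ruleset embedded in it is constructed: the three enc0 lines posted above plus two hypothetical stateless rules on `ipsec1000`, the pfSense VTI interface name assumed here. Run it with `--live` on the firewall (as root) to audit the real ruleset instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit pf rules on the IPsec interfaces.

# Constructed sample of `pfctl -sr` output.  The enc0 lines are the ones
# posted in the thread; the ipsec1000 lines are an ASSUMPTION showing what
# stateless (State type None) rules on a pfSense VTI interface would look like.
SAMPLE_RULES='pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass quick on enc0 inet all flags S/SA keep state label "USER_RULE"
pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"
pass quick on ipsec1000 inet all no state label "USER_RULE"
pass in quick on ipsec1000 inet all no state label "USER_RULE"'

# rules_on IFACE: filter a ruleset on stdin down to the rules bound to IFACE.
rules_on() {
  grep -E "^(pass|block|match) .* on $1 " || true
}

# count_state KIND IFACE: number of rules on IFACE whose state clause is
# "KIND state", i.e. KIND=keep for stateful rules, KIND=no for stateless ones.
count_state() {
  rules_on "$2" | grep -c "$1 state" || true
}

# audit IFACE...: print a per-interface summary of the ruleset on stdin and
# return 1 if any listed interface has no rules at all (on pfSense, traffic
# on it then falls through to the default deny).
audit() {
  rules=$(cat)
  status=0
  for iface in "$@"; do
    keep=$(printf '%s\n' "$rules" | count_state keep "$iface")
    no=$(printf '%s\n' "$rules" | count_state no "$iface")
    printf '%s: %s stateful, %s stateless\n' "$iface" "$keep" "$no"
    if [ "$((keep + no))" -eq 0 ]; then
      printf '%s: no rules bound to this interface\n' "$iface"
      status=1
    fi
  done
  return $status
}

# Demo: audit the constructed sample, or the live ruleset with --live.
# The VTI interface name defaults to the assumed ipsec1000; pass your own
# as the second argument, e.g.  ./audit.sh --live ipsec1000
if [ "${1:-}" = "--live" ]; then
  pfctl -sr | audit enc0 "${2:-ipsec1000}"
else
  printf '%s\n' "$SAMPLE_RULES" | audit enc0 ipsec1000
fi
```

Running the demo against the sample reports enc0 as 3 stateful / 0 stateless and ipsec1000 as 0 stateful / 2 stateless; auditing an interface name that has no rules (for instance a VTI that was re-created under a new reqid) makes the script exit non-zero, which is the condition to look for when the floating rule only covers enc0.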
So the firewall is still logging events, however now the interface has changed from ipsec to IPSEC_VTI. ???
-
@ngoehring123 said in Can I route internet traffic from site B through site A via IPsec VTI?:
IPSEC_VTI
That's the same floating rule, but for IPSEC_VTI?
There will be two identical rules, one for IPSEC and the other for VTI -
I just have the one floating rule for IPsec. When I made those last changes you suggested, the firewall errors started saying IPSEC_VTI instead of ipsec. I had to disable those last changes as they resulted in me losing access to the remote router. Thank goodness for OpenVPN.
-
@ngoehring123
Excuse me. I didn't think there would be such a result. I have no more ideas )))
-
No worries my friend. Your time and effort is greatly appreciated. Here's to hoping this gets sorted out soon. I'll be sure to share the fix with you. Thanks again!
-
@ngoehring123
I would consider the option of a usual IPsec tunnel; through it, too, it is possible to pass traffic outside.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
-
I had thought of doing that as well but really like the routed option more due to its flexibility and power. Perhaps @jimp has some tips for me.
-
The really weird thing now is that my phone says I have no internet connection, yet here I am writing to you and browsing the internet. Something is askew...
-
@ngoehring123
That's possible. I myself use the GRE over IPsec option and do not want to switch to VTI yet.
I'll wait to hear from other forum members -
@ngoehring123
In this forum, I read that some remove the VTI interface, re-create the tunnel, and the problems are solved -
I'll give that a go. After everything else, it won't hurt!
-
Hi,
I have exactly the same problem, did you find any solution? -
I did not. The last thing I tried was to remove the interface, delete the static routes, then remove the P1 and P2 and do it all over again. No luck. So I went back to OpenVPN. I was super excited to use the IPsec route instead due to the better throughput and all.
-
OpenVPN is cool, but unfortunately Iran's government filters it here, so we must find another solution.
-
Yeah, I'm in a part of the world where I want the anonymity as well. Have you tried OpenVPN on port 443? Or does Iran filter on something more specific?
-
@ngoehring123 Tried that as well
-
Trying to get this working between China and USA.
I've got a stable VTI network, and traffic passes successfully between the machines on both LAN ends. I create a LAN rule on the China router to use the gateway on the USA router, and it looks like some traffic is tunneled through, but not everything.
Webpages from a laptop can load some elements, but not all; and webpages from a phone don't work much at all.
I had this working on the old IPsec with the 0.0.0.0/0 phase 2, but I really want to change over to routed IPsec to address some other issues.