SG-3100 - routing all internet access over IPSEC tunnel
-
Here's a packet capture log from the interfaces on both the local and remote routers during an sftp transfer (tcp/22)
-
Hmm, so some of those seem OK, the local VTI cap for example.
How exactly were those taken? Not all at the same time I assume? And did the transfer fail every time?
Steve
-
One large download to the laptop was started over sftp.
Then the packet captures were taken sequentially, first on the local router, and then on the remote router, during the single file transfer.
After the packet captures were taken, the transfer was manually stopped.
What I found interesting was there was traffic on the wan side of the local router that appeared to be going directly to the sftp server. I expected this to all be inside the IPSEC tunnel.
-
What I found interesting was there was traffic on the wan side of the local router that appeared to be going directly to the sftp server. I expected this to all be inside the IPSEC tunnel.
If that is the case (I have not looked at the captures) you are not routing/policy routing the traffic into the IPsec correctly.
-
@Derelict I'm having this very issue with two SG-5100s using routed IPSEC. Would you be able to explain your solution a little bit more so that I can understand what I need to do on my end.
// I worked with a guy doing exactly this. He first tried this:
LAN <-> VTI (OB NAT) <-> VTI <-> WAN (OB NAT) <-> Internet
He changed it to this because of this limitation on NAT on the VTI interface:
LAN <-> VTI <-> VTI <-> WAN (OB NAT) <-> Internet
Setting the Outbound NAT on the WAN to NAT the LAN source addresses.
All works fine. I think he said he's getting 500Mbps or more over it.
You just have to make sure the WAN side has a gateway and a route back to the LAN network over the VTI.//
I'm self-taught and could use a slight hand-holding on this one. Was super disappointed to encounter the issue using the routed IPSEC option, but your info suggests current limitations can be overcome until the fix is made in FreeBSD. Appreciate any help you might be willing to provide.
-
What exactly do you have configured now? What works? What doesn't work?
The VTI interfaces have some limitations compared to other interface types, there is no reply-to feature due to where firewall rules are applied. Some NAT also cannot work because of that.
As long as you avoid those it should work.
Steve
-
@stephenw10 appreciate the response. This thread (see link below) sums up my issues and Derelict later responded referring me back to this thread. I’m just trying to understand the solution he provides. Just looking for some explanation of the steps he outlines.
Original thread I started:
https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti
-
Does this help?
ETA: better resolution and firewall rule box.
-
@Derelict Most certainly. That's exactly how I have mine set up but am very glad to know this is how people smarter than I would do things. The biggest issue I suffer from is the 2xx ms latency due to distance between endpoints. Really do appreciate the extra help on this. Time is valuable and you let me have a little of yours.
-
@ngoehring123 Yeah. Can't help you with the latency. Glad it helped.