IPSec VTI is a dream...



    Hello,

    I have been running pfSense for quite many years, incl. IPsec,
    and have always found the strange and cumbersome way
    the traditional IPsec handles the "routing" of subnets a bit frustrating.

    That was until VTI was introduced, which has been very liberating. 🙂
    I REALLY do like this, and it has worked wonders in my system, where
    OS-based routing could be used and there is full transparency
    of what goes where... I would like to thank the one who added this.
    And of course all the contributors to the whole pfSense project. Kudos...

    I have a dual site-to-site IPsec VTI setup where everyone routes to everyone,
    as if all were within the same location.

    Location 1. Location 2. Location 3.
    Lan1 - pfsense1 -IpSec - pfsense2 - Lan2 / IpSec - pfsense3 - Lan3

    #1. 192.168.120.0 / 121.0
    #2. 192.168.10.0 / 12.0
    #3. 192.168.20.0
    All 5 nets could reach each other from any of the locations.
    Of course through rules...

    Works like a charm. One thing to think of is that the transport net sometimes
    will be the source address of packets so this needs to be included in rules...

    I have not tested routing protocols such as OSPF yet, as my net is too small
    and it feels a bit overkill.

    As I have everything set up and working with VTI, I could help out if I can,
    if someone needs any help, hints in the right direction, and possible pitfalls.

    Best regards
    Dan Lundqvist
    Stockholm, Sweden
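As an added example (not the poster's configuration or pfSense code): a small Python model of the three-site topology above, with each pfSense box doing longest-prefix routing over its directly connected LANs, its VTI transport nets and static routes for the remote LANs, the way the OS does it once VTI takes IPsec out of the "routing" business. It also checks the pitfall mentioned in the post: router-originated traffic crossing a tunnel carries a transport-net address as source, so rules on the IPsec interface that only list the five LANs will silently drop it. The transport nets 10.0.12.0/30 and 10.0.23.0/30 and the router names are constructed assumptions.

```python
"""Three-site IPsec VTI routing model plus a firewall-rule coverage check.

Added example, not from the original post. Transport nets, router names
and the static-route layout are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed transport nets for the two VTI tunnels (assumption).
VTI12 = ip_network("10.0.12.0/30")   # pfsense1 <-> pfsense2
VTI23 = ip_network("10.0.23.0/30")   # pfsense2 <-> pfsense3

# The five LANs from the post, keyed by the router they sit behind.
LANS = {
    "pfsense1": [ip_network("192.168.120.0/24"), ip_network("192.168.121.0/24")],
    "pfsense2": [ip_network("192.168.10.0/24"), ip_network("192.168.12.0/24")],
    "pfsense3": [ip_network("192.168.20.0/24")],
}

# Which transport net connects each router to each neighbour.
ADJACENT = {
    "pfsense1": {"pfsense2": VTI12},
    "pfsense2": {"pfsense1": VTI12, "pfsense3": VTI23},
    "pfsense3": {"pfsense2": VTI23},
}

# Static routes: destination LAN -> next-hop router (constructed layout).
ROUTES = {
    "pfsense1": {n: "pfsense2" for n in LANS["pfsense2"] + LANS["pfsense3"]},
    "pfsense2": {**{n: "pfsense1" for n in LANS["pfsense1"]},
                 **{n: "pfsense3" for n in LANS["pfsense3"]}},
    "pfsense3": {n: "pfsense2" for n in LANS["pfsense1"] + LANS["pfsense2"]},
}

TRANSPORT_NETS = [VTI12, VTI23]


def lookup(router, dst):
    """Longest-prefix match over connected nets and static routes.

    Returns None when dst is directly connected, the next-hop router name
    when a static route wins, and raises LookupError when nothing matches.
    """
    dst = ip_address(dst)
    candidates = []
    for net in LANS[router] + list(ADJACENT[router].values()):
        if dst in net:
            candidates.append((net.prefixlen, None))
    for net, next_hop in ROUTES[router].items():
        if dst in net:
            candidates.append((net.prefixlen, next_hop))
    if not candidates:
        raise LookupError(f"{router}: no route to {dst}")
    return max(candidates, key=lambda c: c[0])[1]


def trace(router, dst, max_hops=8):
    """Follow the routing decisions hop by hop; returns the list of routers."""
    path = [router]
    for _ in range(max_hops):
        next_hop = lookup(router, dst)
        if next_hop is None:
            return path
        router = next_hop
        path.append(router)
    raise RuntimeError(f"routing loop or too many hops towards {dst}: {path}")


def all_lans_reachable():
    """True if every LAN can reach every other LAN from any location."""
    every_lan = [n for lans in LANS.values() for n in lans]
    for src_router in LANS:
        for net in every_lan:
            trace(src_router, net[1])   # raises if any hop has no route
    return True


def missing_sources(router, rules):
    """Transport or remote-LAN nets that can arrive on `router`'s IPsec
    interface as a source address but are not covered by any allow rule.

    `rules` is a list of networks allowed as source on the IPsec interface.
    """
    expected = [n for r, lans in LANS.items() if r != router for n in lans]
    expected += TRANSPORT_NETS
    return [n for n in expected if not any(n.subnet_of(rule) for rule in rules)]


if __name__ == "__main__":
    print("Lan1 -> Lan3 path:", " -> ".join(trace("pfsense1", "192.168.20.5")))
    print("all LANs reachable:", all_lans_reachable())
    lan_only = [n for lans in LANS.values() for n in lans]
    print("pfsense2 gaps with LAN-only rules:",
          [str(n) for n in missing_sources("pfsense2", lan_only)])
    print("pfsense2 gaps with transport nets added:",
          missing_sources("pfsense2", lan_only + TRANSPORT_NETS))
```

Running it shows the Lan1 to Lan3 traffic transiting pfsense2, all five LANs mutually reachable, and that a rule set listing only the five LANs leaves both /30 transport nets uncovered on pfsense2, which is exactly the traffic (for example a ping sourced from pfsense1's VTI address) that the post warns will be blocked until the transport net is added to the rules.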

