multi Phase 2 with vti IPsec and tunnel for Site-to-Site IPsec for Internet Traffic



Hello

I have the following setup:
pfSense site A
WAN 123.123.123.1
LAN 192.168.1.0/24
DMZ 192.168.2.0/24

pfSense site B
WAN 123.123.123.10 (and virtual IP 123.123.123.11)
LAN 192.168.10.0/24

I have a routed VTI IPsec tunnel between site A and site B with static routes for 192.168.1.0/24 and 192.168.10.0/24, which is working fine.

Now I wanted to add a site-to-site tunnel for the DMZ on site A and the pfSense on site B. The internet traffic should be routed through the IPsec tunnel.
I followed this tutorial:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html

For this scenario I added a second phase 2 entry.

Everything is also configured on the other side.
The traffic from 192.168.2.0/24 to the internet always uses the gateway on site A, but I want it to be tunneled through the IPsec tunnel to site B. After some time everything breaks and nothing works anymore.

It seems that 192.168.2.0/24 used the routed VTI interface.

Is there something wrong in my configuration?

Thank you.
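As an added illustration that is not part of the post, the following simplified model shows how the two kinds of phase 2 interact for the addresses given above: a tunnel-mode (policy-based) selector captures matching packets before any route is considered, while the routed VTI only carries what the static route covers, so DMZ traffic to the internet falls to the default route unless a selector for it exists. The DMZ -> 0.0.0.0/0 selector is an assumption taken from the linked Netgate guide, and the model deliberately highlights that such a selector also overlaps the VTI's remote prefix, which is worth checking in the real SPD (`setkey -DP` on the firewall).

```python
import ipaddress

# Constructed from the post: site A's view of the world.
# Routing table entries as (destination prefix, next hop / interface).
ROUTES = [
    ("0.0.0.0/0", "WAN gateway (site A)"),              # default route
    ("192.168.10.0/24", "ipsec VTI to site B"),         # static route over the VTI
    ("192.168.1.0/24", "LAN"),
    ("192.168.2.0/24", "DMZ"),
]

# Tunnel-mode phase 2 selectors as (local network, remote network).
# Assumption: the added P2 is DMZ -> 0.0.0.0/0 as in the Netgate guide.
SPD = [("192.168.2.0/24", "0.0.0.0/0")]


def route_lookup(dst, routes=ROUTES):
    """Plain longest-prefix match over the routing table."""
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1]


def decide(src, dst, spd=SPD, routes=ROUTES):
    """Return where a packet src->dst ends up: a tunnel-mode SA if a
    selector matches, otherwise the routing table's choice."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in spd:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return f"tunnel-mode SA {local} -> {remote}"
    return route_lookup(dst, routes)


def overlapping_selectors(spd=SPD, routes=ROUTES):
    """List tunnel-mode selectors whose remote side also covers a prefix
    that a VTI static route carries (a likely source of conflict)."""
    hits = []
    for local, remote in spd:
        for prefix, via in routes:
            if "VTI" in via and ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network(remote)):
                hits.append(((local, remote), prefix))
    return hits
```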

