Routed IPSec reply-to
-
I know that in the documents it says the reply-to for IPSec does not currently work. Is there any known workaround to this? Or is it in the works to make it happen? I don't want to have to create custom outbound NAT rules for when someone tries to access a server inside the network on the far end.
-
It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.
In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.
-
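The workaround jimp describes, as an added example that is not from the thread or from the pfSense project: an HAProxy configuration on the local-end firewall (the one holding the public static IP) that accepts the client connection itself and opens a fresh connection to the far-end server across the routed IPsec tunnel. Because the far-end server only ever sees HAProxy as its peer, its replies follow the normal route back through the tunnel and no reply-to entry is involved. It goes slightly beyond the post by also showing a plain TCP frontend, since HAProxy can proxy non-HTTP services in `mode tcp` the same way. It is written as a plain haproxy.cfg rather than as pfSense package GUI fields; the public IP 203.0.113.10, the far-end addresses 10.20.0.50 and 10.20.0.60, and the certificate path are constructed placeholders.

```haproxy
# Added example (not from the original thread): HAProxy on the local-end
# firewall proxying to hosts on the far end of a routed IPsec tunnel.
# All addresses and paths below are constructed placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Web-based service: HTTP mode lets HAProxy terminate TLS at the edge and
# pass the client address to the application in X-Forwarded-For.
frontend fe_web
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/site.pem   # placeholder cert path
    mode http
    option forwardfor
    default_backend be_far_web

backend be_far_web
    mode http
    # Far-end server reached across the IPsec tunnel. HAProxy originates this
    # connection, so the server's replies route back through the tunnel to
    # this firewall without any reply-to state.
    server app1 10.20.0.50:80 check

# Non-HTTP service: TCP passthrough. HAProxy still terminates the client
# connection and opens its own connection to the far end, so the same
# return-path logic applies. 32400 is Plex's default port.
frontend fe_tcp
    bind 203.0.113.10:32400
    mode tcp
    default_backend be_far_tcp

backend be_far_tcp
    mode tcp
    server media1 10.20.0.60:32400 check
```

Validate the file with `haproxy -c -f /path/to/haproxy.cfg` before loading it. The security trade-off to keep in mind is that this publishes the far-end services on the public IP just as a port forward would; it only removes the reply-to dependency, not the exposure.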
@jimp said in Routed IPSec reply-to:
It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.
In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.
I see. Well my use case is pretty insecure anyway. I have some applications on the far end of the tunnel where they can be accessed by using the local end of the tunnel's static IP. So all port forwards are done on the local end. Without reply-to, I have to create outbound NAT rules. But yeah, I shouldn't be exposing these on the Internet anyway and just use VPN remote access when I need to access their UIs.
-
@jimp said in Routed IPSec reply-to:
It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.
In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.
For non-web-based services like Plex and Deluge, where I need to port forward on the local end to access these servers on the far end, can HAProxy work? I tried outbound NAT with IPsec on the local end and it is not working. It works for OpenVPN just fine.