Routed IPSec reply-to



  • I know that in the documents it says the reply-to for IPSec does not currently work. Is there any known workaround to this? Or is it in the works to make it happen? I don't want to and create custom outbound nat rules for when someone tries to access a server inside the network in the far end.


  • Rebel Alliance Developer Netgate

    It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.

    In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.



  • @jimp said in Routed IPSec reply-to:

    It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.

    In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.

    I see. Well my use case is pretty insecure anyway. I have some applications in the far end of the tunnel where they can be accessed by using the local end of the tunnel's static IP. So all port forwards are done in the local end. Without reply-to, I have to create outbound NAT rules. But yeah, I shouldn't be exposing these in the Internet anyway and just use vpn remote access when I need to access their UI's.


Log in to reply