Routed (VTI) IPsec and gateway groups
-
Hi,
I created a routed IPsec tunnel (i.e. VTI) between pfSense and another firewall. Works great. However, I want this to be only a backup link; normally traffic is routed through another gateway.
So I created a gateway group, which contains the "normal" gateway as tier 1 and the IPsec VTI gateway as tier 2. Again, works great, after adding a rule that has that gateway group configured for that traffic.
However, looking at generated firewall rules when system is routing through ipsec reveals something odd:
pass in quick on em1 route-to { (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1), (ipsec1000 10.254.0.1) } round-robin inet from any to 192.168.2.20 flags S/SA keep state label "USER_RULE"
For some reason the "ipsec1000 10.254.0.1" repeats many times in the rule. When running through the tier 1 gateway things look normal:
pass in quick on em1 route-to (em0 5.135.194.65) inet from any to 192.168.2.20 flags S/SA keep state label "USER_RULE"
Maybe this is just a cosmetic problem?
-
Did you set the weight on the IPsec gateway to 10? That's normal, if so.
The "weights" don't express a preference but rather a usage ratio. The ratio is accomplished by repeating the gateway multiple times.
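To make the "usage ratio" point concrete, here is an added example (not pfSense's own code) that models how a gateway group with tiers and weights becomes a pf route-to pool: the lowest tier with an online member is used, each gateway is repeated weight times, and a one-entry pool is written without braces or round-robin. Gateway names and the failover model are assumptions for illustration.

```python
# Added illustration of weight -> repeated route-to entries (not pfSense code).
# Assumptions: weight N means "list the gateway N times"; only the lowest tier
# with an online gateway is active; a single target is written without a pool.
from dataclasses import dataclass
from collections import Counter
import re

@dataclass
class Gateway:
    name: str        # hypothetical gateway name
    iface: str       # pf interface, e.g. em0 or ipsec1000
    addr: str        # next-hop address
    tier: int        # 1 = preferred, higher = fallback
    weight: int = 1  # usage ratio within the active tier
    online: bool = True

def route_to_pool(group):
    """Return the pf route-to target for the active tier, or None if all down."""
    online = [g for g in group if g.online]
    if not online:
        return None
    active_tier = min(g.tier for g in online)
    pool = []
    for g in online:
        if g.tier == active_tier:
            pool.extend([f"({g.iface} {g.addr})"] * g.weight)  # repeat = weight
    if len(pool) == 1:
        return f"route-to {pool[0]}"
    return "route-to { " + ", ".join(pool) + " } round-robin"

def build_rule(group, on_iface, dst):
    """Compose a pass rule in the shape pfSense writes for a gateway-group rule."""
    pool = route_to_pool(group)
    if pool is None:
        return None
    return (f"pass in quick on {on_iface} {pool} inet from any to {dst} "
            'flags S/SA keep state label "USER_RULE"')

def pool_weights(rule):
    """Recover effective weights from a generated rule by counting repeats."""
    return dict(Counter(re.findall(r"\((\S+ \S+)\)", rule)))

# Constructed sample matching the thread: WAN gateway tier 1, VTI tier 2 weight 10.
GROUP = [Gateway("WAN_GW", "em0", "5.135.194.65", tier=1),
         Gateway("VTI_GW", "ipsec1000", "10.254.0.1", tier=2, weight=10)]

if __name__ == "__main__":
    print(build_rule(GROUP, "em1", "192.168.2.20"))   # tier 1 up: single target
    GROUP[0].online = False
    print(build_rule(GROUP, "em1", "192.168.2.20"))   # failover: 10 repeats
```

Counting the repeated target in a generated rule (pool_weights) is a quick way to confirm that a surprising pool is the configured weight rather than a bug.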
-
Indeed, I have set the weight to 10. Tried it before and forgot about having set it.
-
Outgoing LAN traffic runs fine with this, i.e. traffic goes to the other router if it is up and to the backup IPsec VTI tunnel if the router is down.
But what about incoming traffic? pfSense adds reply-to on rules related to the interface of the other router, so return packets are always routed there. But what about the IPsec VTI tunnel? Adding a pass rule on the IPsec interface generates a rule on enc0 without reply-to. Is this because rules cannot be added on the "ipsec1000" interface that is related to the tunnel?
I'm thinking about having a static route to the IPsec tunnel so everything goes there by default. Router interface return traffic relies on the reply-to that is present on the rules. That should work, shouldn't it?
-
IPsec interfaces don't support reply-to yet, so it's not possible to send traffic back down a different tunnel than the one it entered.