Problems with routed IPsec VTI

  • I am working on transitioning from EdgeRouter to pfSense and ran into the VTI/NAT problem. I have spent hours reading posts and documentation from pfSense and FreeBSD going back to 2015. I am almost ready to throw in the towel, but maybe there is a solution?

    Setup: We have a routed IPsec connection which is only used from our end to reach the client's resources. There are dozens of subnets that need to be routed through the tunnel, both internal and external type IPs. For this reason, the other end has 0.0.0.0/0 and no interface IP assigned. I have an alias for all subnets to make things easier.

    On the EdgeRouter, things were pretty simple. I was instructed to set the VTI interface to 10.x.x.209/29 and NAT everything on 10.x.x.208.

    On pfSense, from what I have read, this is broken and traffic will not come back over the VTI to my LAN. Packet capture confirmed that traffic is returning when the 208 NAT is used and stops before getting to the LAN.
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html#caveats
    Per the last sentence in the documentation: "NAT to the interface address works".

    Is there any way possible for me to set the VTI interface to 10.x.x.208 and use NAT? Or am I not understanding this statement correctly?

    This is a major showstopper for me and I am not sure what to do now. Is this something that will be fixed in 2.5.0 with FreeBSD 12? It seems like this problem has been known for years, and it is a real shame that I can't use my favorite firewall if this is the case.

    Thanks for any advice.



  • If you would like to route dozens of subnets, it would be better to use dynamic routing like OSPF or BGP.



  • I made an alias and was able to capture everything in 25 entries. I won't be adding more than 1 line every few months.

    Would dynamic routes solve the NAT issue?