IPSec, internal traffic issue with Phase 2 destination.

  • I've run out of ideas on how to get this to work and was hoping to get some help.

    To summarize, I have an internal LAB connecting to a remote peer which I want to send all internet traffic to. The WAN interface is configured to a subnet and the LAN interface is configured to subnet.

    I want the LAN and WAN networks to be able to talk to each other, and they are able to, until the IPSec tunnel is enabled and connected. Based on a packet capture, the incoming traffic (from WAN) never makes its way to the LAN interface. I only see the traffic hitting the WAN interface.

    When I disable IPSec, internal communication between the WAN and LAN interfaces starts working again.

    More defined details:

    WAN's default gateway is, via my home router.
    pfSense is a VM hosted on ESXi:
    WAN interface > default gateway
    LAN interface
    There's a static route on my home router to point all traffic to

    Outbound NAT mode is configured via Automatic.
    Firewall is disabled (I also tried enabled with firewall rules allowing all between the networks.)
    I also created a firewall rule with advanced features pointing the LAN to send traffic to Gateway vs the "default". That did not work either.

    I have an IPSec tunnel configured on the LAN interface, with Phase 2 SA from "source" as LAN subnet and destination as

    When the IPSec tunnel is up and running, the 2 local subnets (WAN and LAN) cannot communicate with each other (as mentioned).

    Initially I assumed the traffic was reaching the intended destination ( from the network) but that the response was being sent via the IPSec tunnel. However, based on a PCAP on the WAN interface, the LAN interface, and the IPSec tunnel, I only see the traffic hitting the WAN interface and not hitting any other interface, so it's never reaching the destination at all when IPSec is up and running.

    I've tried a static route to point all to, but no luck.

    I'm stumped.

  • I was able to work around this by utilizing a VTI tunnel instead, using that VTI as the default gateway, in parallel with a static route for to head to the home router.

    Bidirectional firewall rules allowing WAN/LAN traffic.