IPSec, internal traffic issue with 0.0.0.0 Phase 2 destination.


  • I've done run out of idea's on how to get this to work and was hoping to get some help.

    To summarize, I have an internal LAB connecting to a remote peer which I want to send all internet traffic to. The WAN interface is configured to a 192.168.0.0/24 subnet and the LAN interface is configured to 172.16.0.0/24 subnet.

    I want the LAN and WAN networks to be able to talk to eachother, and they are able to, until the IPSec tunnel is enabled and connected. Based off a packet capture, the incoming traffic (from WAN), never makes it's way to the LAN interface. I only see the traffic hitting the WAN interface.

    When I disable IPSec, internal communication between the WAN and LAN interfaces start working again.

    More defined details:

    WAN's default gateway is 192.168.0.1, via my home router.
    PFSense is a VM hosted on ESXI:
    WAN interface 192.168.0.10 > default gateway 192.168.0.1
    LAN interface 172.16.0.1
    There's a static route on my home router to point all 172.16.0.0/24 traffic to 172.16.0.1.

    Outbound NAT mode is configured via Automatic.
    Firewall is disabled (I also tried enabled with firewall rules allowing all between the networks.)
    I also created a firewall rule with advanced features pointing the LAN to send 192.168.0.0/24 traffic to Gateway 192.168.0.1 vs the "default". That did not work either.

    I haven an IPSec tunnel configured on the LAN interface, with Phase 2 SA from "source" as LAN subnet and destination as 0.0.0.0/0.

    When the IPSec tunnel is up and running, the 2 local subnets (WAN 192.168.0.0/24 and LAN 172.16.0.0/24) cannot communicate with each other (as mentioned).

    Initially I assumed the traffic was reaching the intended destination (172.16.0.10) from the 192.168.0.0/24 network, but the response was being sent via the IPSec tunnel, but based off a PCAP on the WAN interface, the LAN interface, and the IPSec tunnel, I only see the traffic hitting the WAN interface, and not hitting any other interfaces, so it's never hitting the destination at all when IPSec is up and running.

    I've tried a static route to point all 192.168.0.0/0 to 192.168.0.1, but no luck.

    I'm stumped.


  • I was able to work around this by utilizing a VTI tunnel instead, using that VTI as default gateway, in parallel with static route for 192.168.0.0/24 to head to home router.

    Bi-directions firewall rules allowing WAN/LAN traffic.