IPSec, internal traffic issue with 0.0.0.0 Phase 2 destination.
I've done run out of idea's on how to get this to work and was hoping to get some help.
To summarize, I have an internal LAB connecting to a remote peer which I want to send all internet traffic to. The WAN interface is configured to a 192.168.0.0/24 subnet and the LAN interface is configured to 172.16.0.0/24 subnet.
I want the LAN and WAN networks to be able to talk to eachother, and they are able to, until the IPSec tunnel is enabled and connected. Based off a packet capture, the incoming traffic (from WAN), never makes it's way to the LAN interface. I only see the traffic hitting the WAN interface.
When I disable IPSec, internal communication between the WAN and LAN interfaces start working again.
More defined details:
WAN's default gateway is 192.168.0.1, via my home router.
PFSense is a VM hosted on ESXI:
WAN interface 192.168.0.10 > default gateway 192.168.0.1
LAN interface 172.16.0.1
There's a static route on my home router to point all 172.16.0.0/24 traffic to 172.16.0.1.
Outbound NAT mode is configured via Automatic.
Firewall is disabled (I also tried enabled with firewall rules allowing all between the networks.)
I also created a firewall rule with advanced features pointing the LAN to send 192.168.0.0/24 traffic to Gateway 192.168.0.1 vs the "default". That did not work either.
I haven an IPSec tunnel configured on the LAN interface, with Phase 2 SA from "source" as LAN subnet and destination as 0.0.0.0/0.
When the IPSec tunnel is up and running, the 2 local subnets (WAN 192.168.0.0/24 and LAN 172.16.0.0/24) cannot communicate with each other (as mentioned).
Initially I assumed the traffic was reaching the intended destination (172.16.0.10) from the 192.168.0.0/24 network, but the response was being sent via the IPSec tunnel, but based off a PCAP on the WAN interface, the LAN interface, and the IPSec tunnel, I only see the traffic hitting the WAN interface, and not hitting any other interfaces, so it's never hitting the destination at all when IPSec is up and running.
I've tried a static route to point all 192.168.0.0/0 to 192.168.0.1, but no luck.
I was able to work around this by utilizing a VTI tunnel instead, using that VTI as default gateway, in parallel with static route for 192.168.0.0/24 to head to home router.
Bi-directions firewall rules allowing WAN/LAN traffic.