Rule to route some traffic through VTI tunnel not working
I have an existing tunnel linking one location (with a Cisco router) to an AWS VPS. My goal is to add a second location in the mix. I tried using a pfSense box in this second location and setting up a VTI tunnel between the two locations. I have a firewall rule in the pfSense box to route the location 1 and AWS VPS subnets through the VTI interface. It works well between the two locations. However, it only works one way between location 2 and the AWS VPS: I can ping and ssh from location 2 to the AWS VPS but not the other way round.
I did packet captures while doing some ping tests between the AWS VPS and location 2. When pinging from location 2 to the AWS VPS, the ping request was handled correctly: the pfSense box routed it through the VTI and the Cisco router in location 2 routed it through the tunnel to reach the AWS VPS. The ping reply followed the same path to get back to location 2. All good.
When pinging from the AWS VPS to location 2, I found out the ping request reached location 2 along the same above-mentioned path normally, but when the ping reply reached the pfSense box, it routed the ping reply through the WAN interface instead of the VTI, which caused the ping to fail. Why did the firewall rule apply to the ping request packets in the first case as expected, while it doesn't for the ping reply packets in the second case? All of them have the same source and destination IP addresses. Any idea?