Routing through Routed (VTI) IPsec connection
-
Hello,
I have a very strange routing problem that has been driving me nuts for days. Hosts on the two networks connected through the Routed IPsec connection cannot ping each other even though everything seems to be working OK. The pings go through from one local LAN to the remote firewall's tunnel address but cannot go through to the remote LAN. Firewall rules are not the problem, as the corresponding states get created and there are no blocked packets logged in the firewall log.
More details:
I have two pfSense firewalls in two locations (NetGate 6100 and 7100) with respective local networks:
- site 1: 192.168.0.0/24
- site 2: 192.168.80.0/24
Between the two sites I have set up Routed (VTI) IPsec connection (as described here) with the tunnel network 172.16.0.0/30 and addresses:
- site 1: 172.16.0.1
- site 2: 172.16.0.2
I have also:
- Set up firewall rules on the IPSec tabs to allow all traffic
- Assigned tunnel interfaces which also show up as gateways
- Added static routes to remote networks:
  - Site 1: 192.168.80.0/24 -> 172.16.0.2
  - Site 2: 192.168.0.0/24 -> 172.16.0.1
Resulting situation is that:
- Ping 172.16.0.1 <-> 172.16.0.2 works in both directions (ping between pfSense boxes through tunnel works)
- Ping 192.168.0.x <-> 172.16.0.2 and 192.168.80.x <-> 172.16.0.1 both work in both directions (pings between clients in one network and the pfSense boxes in another network on the tunnel interface work)
- Ping 192.168.0.x <-> 192.168.80.x does not work in either direction, even to/from the LAN interfaces of the pfSense boxes (192.168.0.1 and 192.168.80.1)
- The firewall is not blocking the traffic: there are allow rules, and an open state shows up for the ICMP request packets.
- tcpdump shows packets coming in on the tunnel interface and, as stated above, a firewall state gets created, but tcpdump does not show any packets leaving the LAN interface.
Thanks for any ideas on what could be the issue here.
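The post above lists the routes on both sites; the following is an added example (not code from the thread) that models those routes as two routing tables and walks a packet hop by hop with longest-prefix matching. Interface names "lan" and "ipsec1" are assumptions, since the post does not name the assigned VTI interface. It shows that the routes as posted are consistent in both directions (so a pure routing model cannot explain the symptom), and, for comparison, what the common mistake of a missing return route on the far side looks like: the forward path still delivers, but the reply has no route.

```python
"""Route-lookup model of the two-site routed (VTI) IPsec setup from the post.

Added example, not code from the original thread. Interface names ("lan",
"ipsec1") are assumptions; the post does not name the assigned VTI interface.
"""
import ipaddress

# Routing tables reconstructed from the post. Each route is
# (destination network, next-hop gateway or None if directly connected, egress interface).
SITE1 = {
    "name": "site1",
    "tunnel_addr": "172.16.0.1",
    "routes": [
        ("192.168.0.0/24", None, "lan"),              # local LAN
        ("172.16.0.0/30", None, "ipsec1"),            # VTI tunnel network
        ("192.168.80.0/24", "172.16.0.2", "ipsec1"),  # static route to remote LAN
    ],
}
SITE2 = {
    "name": "site2",
    "tunnel_addr": "172.16.0.2",
    "routes": [
        ("192.168.80.0/24", None, "lan"),
        ("172.16.0.0/30", None, "ipsec1"),
        ("192.168.0.0/24", "172.16.0.1", "ipsec1"),
    ],
}
SITES = [SITE1, SITE2]


def lookup(routes, dst):
    """Longest-prefix match of dst against a route list.

    Returns (network, gateway, interface) or None when nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return best


def site_for(sites, addr):
    """Return the site whose directly connected LAN contains addr."""
    ip = ipaddress.ip_address(addr)
    for site in sites:
        for net, gw, iface in site["routes"]:
            if gw is None and iface == "lan" and ip in ipaddress.ip_network(net):
                return site
    raise ValueError(f"{addr} is not on either LAN")


def trace(sites, src, dst, max_hops=4):
    """Walk a packet from src to dst hop by hop through the routing model.

    Returns a list of (site name, egress interface) pairs followed by a
    final status string: "delivered", "no route" or "gateway unreachable".
    """
    site = site_for(sites, src)
    hops = []
    for _ in range(max_hops):
        match = lookup(site["routes"], dst)
        if match is None:
            return hops + [(site["name"], None), "no route"]
        _network, gw, iface = match
        hops.append((site["name"], iface))
        if gw is None:
            return hops + ["delivered"]  # directly connected network
        # The next hop is the peer's tunnel address; continue the lookup there.
        site = next((s for s in sites if s["tunnel_addr"] == gw), None)
        if site is None:
            return hops + ["gateway unreachable"]
    return hops + ["loop"]


def without_static_routes(site):
    """Copy of a site with its static (gateway) routes removed."""
    return {**site, "routes": [r for r in site["routes"] if r[1] is None]}


if __name__ == "__main__":
    print(trace(SITES, "192.168.0.10", "172.16.0.2"))      # LAN host -> remote tunnel address
    print(trace(SITES, "192.168.0.10", "192.168.80.10"))   # LAN host -> remote LAN host
    broken = [SITE1, without_static_routes(SITE2)]
    print(trace(broken, "192.168.0.10", "192.168.80.10"))  # forward path still delivers ...
    print(trace(broken, "192.168.80.10", "192.168.0.10"))  # ... but the reply has no route
```

Running the tracer with the routes as posted delivers LAN-to-LAN traffic in both directions via ipsec1, which matches the observation that the static routes and states are fine; the routing table is not where this problem lives.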
-
RESOLVED:
Answering my own thread to give the solution for other people looking into this problem in the future.
Just for reference, this is all on pfSense Plus 21.05.2-RELEASE.
For some reason this will work if you change the firewall filtering to be done at the VTI interface level instead of at the enc0 interface level. You can change this if you go to VPN -> IPsec, select your Routed VTI phase 2 connection settings, go to Advanced and change the "IPsec Filter Mode" setting to "Filter IPsec VTI on assigned interfaces, block all tunnel mode traffic".
Note: Of course with this setting you will have to go to Firewall -> Rules and add the necessary rules under your VTI interface tab (that just showed up instead of the IPsec tab that was there by default when filtering was being done at the enc0 interface level).
Note 2: this will only work if you have only Routed IPsec connections, and will break all your policy-based IPsec connections.
-