    Routing Traffic Across 2 VPNs
planedrop:

      Been trying to wrap my brain around this and for some reason I can't figure it out.

Long story short, I have a WireGuard mobile VPN, the client on that VPN needs to access a service on a subnet that the WireGuard "server" has a connection to over IPsec.

      So: client > WireGuard "server" pfsense > IPsec VPN > remote service

      I've got rules in place to pass the traffic on WireGuard to the subnets across the IPsec VPN, but no matter what I do pfSense running WireGuard replies with a syn closed instead of forwarding the packets.

      I'm sure it's something simple that I'm missing but just need another set of eyes on it I guess.

planedrop:

So now I've confused myself more. It seems that pfSense is sending these packets outside its default gateway (WAN) as if it doesn't have a route, but it definitely has a route, since every LAN interface directly on pfSense can send traffic over this IPsec VPN just fine.

stephenw10 (Netgate Administrator):

If you're using policy-based IPsec (not VTI, route-based) then you need a phase 2 policy in the IPsec tunnel to cover the traffic from the WireGuard subnet to the remote service subnet. It sounds like you don't have one, so pfSense uses its default route to try to reach it.

          Steve

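To make the diagnosis in Steve's reply concrete, here is an added Python model (not pfSense's own code) of how policy-based IPsec picks between the tunnel and the default route: a packet enters the tunnel only if some phase 2 selector covers its source and destination, otherwise the routing table (the WAN default route) decides. The subnets are assumed placeholders, not values from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed phase 2 selectors, modelled as (local subnet, remote subnet).
# "BEFORE" is the state described in the question: only the LAN is covered.
PHASE2_BEFORE = [
    ("192.168.1.0/24", "10.50.0.0/24"),  # LAN -> remote service subnet (works)
]
# "AFTER" adds the entry Steve suggested: WireGuard tunnel subnet -> remote.
PHASE2_AFTER = PHASE2_BEFORE + [
    ("10.99.0.0/24", "10.50.0.0/24"),    # WireGuard subnet -> remote service subnet
]


def matching_policy(policies, src, dst):
    """Return the first phase 2 selector that contains both src and dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in policies:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def egress(policies, src, dst):
    """Where the packet leaves: the IPsec tunnel if a selector grabs it,
    otherwise normal routing, which for an unknown destination is the default route."""
    return "ipsec" if matching_policy(policies, src, dst) else "wan-default-route"


def uncovered_flows(policies, flows):
    """Audit helper: given (src subnet, dst subnet) pairs that are expected to
    traverse the tunnel, list those no single phase 2 selector fully contains."""
    missing = []
    for src_net, dst_net in flows:
        s, d = ip_network(src_net), ip_network(dst_net)
        covered = any(s.subnet_of(ip_network(l)) and d.subnet_of(ip_network(r))
                      for l, r in policies)
        if not covered:
            missing.append((src_net, dst_net))
    return missing


if __name__ == "__main__":
    wanted = [("192.168.1.0/24", "10.50.0.0/24"), ("10.99.0.0/24", "10.50.0.0/24")]
    print("WireGuard client before fix:", egress(PHASE2_BEFORE, "10.99.0.2", "10.50.0.5"))
    print("missing phase 2 entries:", uncovered_flows(PHASE2_BEFORE, wanted))
    print("WireGuard client after fix: ", egress(PHASE2_AFTER, "10.99.0.2", "10.50.0.5"))
```

Running it against your own subnet list shows which flows will fall through to the default route before you touch the firewall rules, which is exactly the failure the question describes.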
planedrop (replying to @stephenw10):

@stephenw10 You are 100% absolutely right, knew it had to be something stupid I was missing lol. Good to go now, thanks!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.