Routing Traffic Across 2 VPNs
-
Been trying to wrap my brain around this and for some reason I can't figure it out.
Long story short, I have a WireGuard mobile VPN, the client on that VPN needs to access a service on a subnet that the WireGuard "server" has a connection to over IPSec.
So: client > WireGuard "server" pfsense > IPsec VPN > remote service
I've got rules in place to pass the traffic on WireGuard to the subnets across the IPsec VPN, but no matter what I do pfSense running WireGuard replies with a syn closed instead of forwarding the packets.
I'm sure it's something simple that I'm missing but just need another set of eyes on it I guess.
-
So now I've confused myself more, it seems that pfSense is sending these packets outside its default gateway (wan) as if it doesn't have a route but it definitely has a route since every LAN interface directly on pfSense can send traffic over this IPSec VPN just fine.
-
If you're using policy based IPSec (not VTI, route based) then you need a phase 2 policy in the IPSec tunnel to cover the traffic from the WireGuard subnet to the remote service subnet. It sounds like you don't have one so pfSense uses its default route to try to reach it.
Steve
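To make the point above concrete, here is an added model (not from this thread and not pfSense code) of how a policy-based IPsec tunnel decides where a forwarded packet goes: the phase 2 selectors form a policy list, and a packet with no matching selector is plain-routed via the default gateway. All subnets are constructed for the example.

```python
import ipaddress

# Constructed example topology, not taken from the thread:
# WireGuard tunnel subnet, pfSense LAN, and the subnet behind the IPsec peer.
WG_SUBNET = ipaddress.ip_network("10.200.0.0/24")
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
REMOTE_SUBNET = ipaddress.ip_network("172.16.50.0/24")


def select_egress(src, dst, phase2_policies):
    """Decide how a forwarded packet leaves the firewall.

    phase2_policies: list of (local_net, remote_net) selectors of a
    policy-based IPsec tunnel. The first selector matching both source
    and destination wins and the packet is encrypted into the tunnel.
    With no match the packet follows the routing table, which in this
    scenario means the default gateway (WAN), exactly the symptom seen.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for local_net, remote_net in phase2_policies:
        if src_ip in local_net and dst_ip in remote_net:
            return f"ipsec {local_net} -> {remote_net}"
    return "default-gateway (WAN)"


def missing_selectors(source_nets, remote_net, phase2_policies):
    """Return every source network with no phase 2 entry covering remote_net."""
    return [net for net in source_nets
            if not any(net.subnet_of(l) and remote_net.subnet_of(r)
                       for l, r in phase2_policies)]


# Before: only the LAN has a phase 2 entry to the remote subnet.
BEFORE = [(LAN_SUBNET, REMOTE_SUBNET)]
# After: a second phase 2 entry covers the WireGuard client subnet too.
AFTER = BEFORE + [(WG_SUBNET, REMOTE_SUBNET)]

if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        print(label, "LAN :", select_egress("192.168.1.10", "172.16.50.5", policies))
        print(label, "WG  :", select_egress("10.200.0.2", "172.16.50.5", policies))
        print(label, "gaps:", missing_selectors([LAN_SUBNET, WG_SUBNET], REMOTE_SUBNET, policies))
```

Running it shows the WireGuard client's packets falling through to the WAN gateway until the second selector is present, which is the check to run against your own phase 2 list.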
-
@stephenw10 You are 100% absolutely right, knew it had to be something stupid I was missing lol. Good to go now, thanks!