
    Static routes ignored with the IPsec interface

    executifs

      Hello! First poster here, hopefully I'm not breaking any rules.

      I have connected a pfSense instance (10.0.0.8) to a vendor network with an IPsec tunnel. The objective is very simple: for the machines in my local machine to be able to talk to a single host (10.80.70.11).
      The tunnel seems to work fine, as from 10.0.0.8 I can ping 10.80.70.11 without any problem. I configured IPsec in VTI mode and created an interface as explained in the docs:

      [screenshot: IPsec VTI interface assignment]

      After verifying that packets from my local machines for 10.80.70.11 are correctly routed to 10.0.0.8, I added the following static rule:

      [screenshot: static route configuration]

      Unfortunately, this doesn't seem to work for me. When I go to the Diagnostics > Routes tab, this route is not shown. Local testing on 10.0.0.8 shows that the route doesn't exist at all as 10.80.70.11 gets triaged into 0.0.0.0:

      [2.7.1-RELEASE][admin@pfsense]/root: route -n get 10.80.70.11
         route to: 10.80.70.11
      destination: 0.0.0.0
             mask: 0.0.0.0
          gateway: 10.0.0.254
              fib: 0
        interface: em0
            flags: <UP,GATEWAY,DONE,STATIC>
       recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
             0         0         0         0      1500         1         0
      

      The weird thing is, if I change the interface of the route to something else (like null4), suddenly the rule appears in the diagnostics and from the command line:

      [2.7.1-RELEASE][admin@pfsense]/root: route -n get 10.80.70.11
         route to: 10.80.70.11
      destination: 10.80.70.11
              fib: 0
        interface: lo0
            flags: <UP,HOST,DONE,STATIC,BLACKHOLE>
       recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
             0         0         0         0     16384         1         0
      

      And meanwhile, when the correct static route is ignored, I am still able to ping 10.80.70.11 from the command line, which I cannot understand since the system routes don't even work:

      [2.7.1-RELEASE][admin@pfsense]/root: ping 10.80.70.11
      PING 10.80.70.11 (10.80.70.11): 56 data bytes
      64 bytes from 10.80.70.11: icmp_seq=0 ttl=128 time=20.868 ms
      64 bytes from 10.80.70.11: icmp_seq=1 ttl=128 time=20.493 ms
      64 bytes from 10.80.70.11: icmp_seq=2 ttl=128 time=20.645 ms
      64 bytes from 10.80.70.11: icmp_seq=3 ttl=128 time=20.301 ms
      

      If anyone were so kind as to point out what I did wrong, it would be very appreciated.

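The check the poster performs by hand above (reading `route -n get` output to see whether the lookup matched a specific route, fell through to the default gateway, or hit a blackhole) is worth automating, because a lookup that falls through to the default means packets for the vendor host would leave via the plain default gateway rather than the VTI. The following script is an added example and not code from the post or from pfSense: it parses the key/value section of `route -n get` on FreeBSD-based systems and classifies the result. The two sample outputs marked "from the post" are the ones shown above; the third sample, the `ipsec1` interface name and the `ipsec` prefix used to recognise a VTI interface are assumptions for illustration.

```python
"""Classify the path FreeBSD/pfSense picks for a destination from `route -n get` output."""
import ipaddress

# Sample 1, from the post: the lookup falls through to the default route.
DEFAULT_ROUTE_OUTPUT = """\
   route to: 10.80.70.11
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.0.0.254
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
"""

# Sample 2, from the post: the route was pointed at null4, so it is a blackhole.
BLACKHOLE_OUTPUT = """\
   route to: 10.80.70.11
destination: 10.80.70.11
        fib: 0
  interface: lo0
      flags: <UP,HOST,DONE,STATIC,BLACKHOLE>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0
"""

# Sample 3, constructed (assumed interface name): a host route via the VTI.
TUNNEL_OUTPUT = """\
   route to: 10.80.70.11
destination: 10.80.70.11
        fib: 0
  interface: ipsec1
      flags: <UP,HOST,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1400         1         0
"""


def parse_route_get(output: str) -> dict:
    """Turn the 'key: value' lines of `route -n get` into a dict.

    The trailing metrics table (recvpipe/sendpipe/...) has no ':' and is skipped.
    The 'flags' value is returned as a set of flag names without the angle brackets.
    """
    fields = {}
    for raw in output.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "flags":
            fields[key] = set(value.strip("<>").split(","))
        else:
            fields[key] = value
    return fields


def classify_path(output: str, target: str, tunnel_prefix: str = "ipsec") -> str:
    """Return which kind of route the lookup for `target` resolved to.

    'tunnel'    - the matched route's interface name starts with tunnel_prefix
    'blackhole' - a BLACKHOLE route; packets are silently discarded
    'default'   - only the 0.0.0.0/0 route matched; packets would leave via the
                  default gateway instead of the tunnel
    'other'     - some other, more specific route
    """
    route = parse_route_get(output)
    if route.get("route to") != target:
        raise ValueError(f"output is for {route.get('route to')!r}, not {target!r}")
    flags = route.get("flags", set())
    dest = route.get("destination", "")
    mask = route.get("mask")
    # Host routes carry no mask line; everything else reports destination + mask.
    if "HOST" in flags or mask is None:
        net = ipaddress.ip_network(dest, strict=False)
    else:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    # Sanity check: the reported route must actually cover the target address.
    if ipaddress.ip_address(target) not in net:
        raise ValueError(f"route {net} does not cover {target}")
    if "BLACKHOLE" in flags:
        return "blackhole"
    if route.get("interface", "").startswith(tunnel_prefix):
        return "tunnel"
    if net.prefixlen == 0:
        return "default"
    return "other"


if __name__ == "__main__":
    for name, sample in (("post, VTI route", DEFAULT_ROUTE_OUTPUT),
                         ("post, null4 route", BLACKHOLE_OUTPUT),
                         ("constructed, VTI route", TUNNEL_OUTPUT)):
        print(f"{name}: {classify_path(sample, '10.80.70.11')}")
```

On a live firewall the output would come from `subprocess.run(["route", "-n", "get", target], capture_output=True, text=True).stdout`; feeding it to `classify_path` gives a single word that can be asserted in a post-change check, so a route silently dropping back to `default` after an IPsec reload is caught rather than discovered by noticing cleartext on the WAN.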