Netgate Discussion Forum

Static routes ignored with the IPsec interface

    executifs (last edited Feb 9, 2024, 2:58 PM)

    Hello! First poster here, hopefully I'm not breaking any rules.

    I have connected a pfSense instance (10.0.0.8) to a vendor network with an IPsec tunnel. The objective is very simple: for the machines in my local machine to be able to talk to a single host (10.80.70.11).
    The tunnel seems to work fine, as from 10.0.0.8 I can ping 10.80.70.11 without any problem. I configured IPsec in VTI mode and created an interface as explained in the docs:

    [screenshot of the IPsec VTI interface configuration]

    After verifying that packets from my local machines for 10.80.70.11 are correctly routed to 10.0.0.8, I added the following static rule:

    [screenshot of the static route configuration]

    Unfortunately, this doesn't seem to work for me. When I go to the Diagnostics > Routes tab, this route is not shown. Local testing on 10.0.0.8 shows that the route doesn't exist at all as 10.80.70.11 gets triaged into 0.0.0.0:

    [2.7.1-RELEASE][admin@pfsense]/root: route -n get 10.80.70.11
       route to: 10.80.70.11
    destination: 0.0.0.0
           mask: 0.0.0.0
        gateway: 10.0.0.254
            fib: 0
      interface: em0
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0
    

    The weird thing is, if I change the interface of the route to something else (like null4), suddenly the rule appears in the diagnostics and from the command line:

    [2.7.1-RELEASE][admin@pfsense]/root: route -n get 10.80.70.11
       route to: 10.80.70.11
    destination: 10.80.70.11
            fib: 0
      interface: lo0
          flags: <UP,HOST,DONE,STATIC,BLACKHOLE>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0     16384         1         0
    

    And meanwhile, when the correct static route is ignored, I am still able to ping 10.80.70.11 from the command line, which I cannot understand since the system routes don't even work:

    [2.7.1-RELEASE][admin@pfsense]/root: ping 10.80.70.11
    PING 10.80.70.11 (10.80.70.11): 56 data bytes
    64 bytes from 10.80.70.11: icmp_seq=0 ttl=128 time=20.868 ms
    64 bytes from 10.80.70.11: icmp_seq=1 ttl=128 time=20.493 ms
    64 bytes from 10.80.70.11: icmp_seq=2 ttl=128 time=20.645 ms
    64 bytes from 10.80.70.11: icmp_seq=3 ttl=128 time=20.301 ms
    

    If anyone were so kind as to point out what I did wrong, it would be very appreciated.

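A check worth running after adding a route like the one above, as an added example that is neither from the post nor from pfSense: it parses FreeBSD `route -n get` output and reports whether the vendor host actually resolves to the VTI interface, or has fallen through to the default route (in which case packets for it would leave via the WAN gateway rather than the tunnel). The VTI interface name `ipsec1` and the "tunnel" sample output are assumptions; the "default" sample is the output quoted in the post.

```python
import re
import subprocess

# Constructed sample: the `route -n get` output quoted in the post, where the
# lookup for the vendor host matched the default route on em0.
SAMPLE_DEFAULT = """\
   route to: 10.80.70.11
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.0.0.254
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
"""

# Constructed (hypothetical) sample of what a working host route over a VTI
# interface would look like; 'ipsec1' is an assumed interface name.
SAMPLE_TUNNEL = """\
   route to: 10.80.70.11
destination: 10.80.70.11
        fib: 0
  interface: ipsec1
      flags: <UP,HOST,DONE,STATIC>
"""


def parse_route_get(output: str) -> dict[str, str]:
    """Parse FreeBSD `route -n get` output into a key/value dict.

    Only 'key: value' lines are kept, so the recvpipe/sendpipe metric table
    is skipped. The flags value is returned without its angle brackets.
    """
    fields: dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([a-z ]+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip("<>")
    return fields


def classify_route(output: str, expected_iface: str) -> str:
    """Return 'tunnel', 'default', 'blackhole' or 'other' for a route lookup.

    'default' means the lookup matched 0.0.0.0/0: traffic for the host would
    leave via the default gateway, not the expected (tunnel) interface.
    """
    r = parse_route_get(output)
    flags = set(r.get("flags", "").split(","))
    if "BLACKHOLE" in flags:
        return "blackhole"
    if r.get("destination") == "0.0.0.0" and r.get("mask") == "0.0.0.0":
        return "default"
    if r.get("interface") == expected_iface:
        return "tunnel"
    return "other"


def check_live(host: str, expected_iface: str) -> str:
    """Run `route -n get` on the pfSense box itself and classify the result."""
    out = subprocess.run(["route", "-n", "get", host],
                         capture_output=True, text=True, check=True).stdout
    return classify_route(out, expected_iface)
```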
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.