Netgate 7100 pfSense 24.11 upgrade breaks ipsec tunnel
I have two IPsec tunnels: "con1", route based (VTI), and "con2", policy based (tunnel mode), on my Netgate 7100 running 24.03. They worked fine after I tweaked the configurations as documented in https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states and followed "The most compatible method is to add rules using the floating policy for IPsec VTI traffic".
Today I upgraded to 24.11. The IPsec tunnel with VTI ("con1") seems to be working fine, but the IPsec tunnel mode ("con2") seems to be broken. A tcpdump shows that the outgoing traffic meant for the IPsec tunnel now goes out of the WAN interface instead of enc0. Do I need to make any config changes as part of the 24.11 upgrade in order to make the IPsec tunnel mode work? BTW, both phase 1 and phase 2 status show green and established.
I did two tests with "con2":
- From a host on the local LAN behind pfSense, initiate a connection to the remote LAN. This fails. tcpdump -i enc0 on the pfSense does not show this test traffic, but tcpdump -i wan_interface does. This means the traffic is incorrectly leaked to the WAN.
- On pfSense itself, initiate a connection to the remote LAN: "ping -S local_lan_interface_ip remote_lan_ip" works fine. tcpdump -i enc0 shows the test traffic; tcpdump -i wan_interface does not. This means the traffic is correctly routed via IPsec, not leaked to the WAN.
Prior to the 24.11 upgrade, both tests worked.
I do notice that in 24.11, the LAN interface route and the LAN subnet route have different link numbers:
192.168.6.0/24     link#21    U      lagg0.4091
192.168.6.1        link#16    UHS    lo0
You can see link#21 vs link#16.
I don't have a 24.03 anymore, but on my other 22.05, the link numbers are the same:
10.147.10.0/24     link#20    U      lagg0.40
10.147.10.1        link#20    UHS    lo0
Could this impact how ipsec policy does the route selection?
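The link# comparison made in the post, as an added helper script that is not part of the original post or of pfSense: it parses FreeBSD/pfSense `netstat -rn -f inet` output and reports every directly connected subnet whose interface-address host route (UHS) points at a different link# than the subnet route (U). The two route tables below are constructed from the values quoted in the post; the script only surfaces the mismatch, it does not establish whether it is what breaks the policy-based tunnel.

```python
import ipaddress
import re

# One FreeBSD route line: Destination, Gateway, Flags, Netif and an optional Expire column.
ROUTE_RE = re.compile(r'^(?P<dest>\S+)\s+(?P<gw>\S+)\s+(?P<flags>\S+)\s+(?P<iface>\S+)(?:\s+\S+)?\s*$')

# Constructed samples reproducing the two route-table fragments quoted in the post.
SAMPLE_ROUTES_24_11 = """\
Destination        Gateway    Flags  Netif Expire
192.168.6.0/24     link#21    U      lagg0.4091
192.168.6.1        link#16    UHS    lo0
"""
SAMPLE_ROUTES_22_05 = """\
Destination        Gateway    Flags  Netif Expire
10.147.10.0/24     link#20    U      lagg0.40
10.147.10.1        link#20    UHS    lo0
"""


def parse_routes(text):
    """Return a list of dicts (dest, gw, flags, iface) for every parsable route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def link_mismatches(text):
    """Return (subnet, subnet_link, host_link) for each connected subnet route
    (no H flag, gateway link#N) that contains a host route (H flag) whose
    gateway is a different link#. An empty list means the table is consistent."""
    routes = parse_routes(text)
    hosts = {r['dest']: r['gw'] for r in routes
             if 'H' in r['flags'] and r['gw'].startswith('link#')}
    mismatches = []
    for r in routes:
        if 'H' in r['flags'] or '/' not in r['dest'] or not r['gw'].startswith('link#'):
            continue
        net = ipaddress.ip_network(r['dest'], strict=False)
        for host, host_link in hosts.items():
            if ipaddress.ip_address(host) in net and host_link != r['gw']:
                mismatches.append((r['dest'], r['gw'], host_link))
    return mismatches


if __name__ == '__main__':
    for label, table in (('24.11', SAMPLE_ROUTES_24_11), ('22.05', SAMPLE_ROUTES_22_05)):
        print(label, link_mismatches(table) or 'link numbers consistent')
```

On a live box, feed it the real table with `netstat -rn -f inet` piped into `link_mismatches(sys.stdin.read())`.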