Netgate Discussion Forum
    Feature Poll: Remove IPsec limitation when using both VTI and Tunnel-mode

    • keyser (Rebel Alliance):

      Hi All

      Am I the only one that quite often gets “slammed” by the fact that pfSense cannot run IPsec VTI in the optimal config when there is also a need for Mobile Warrior IPsec (Tunnel-mode only)?
      pfSense does not support reply-to and NAT’ing options in VTI mode when the filtering and assignment mode needs to support tunnel-mode IPsec (mobile warrior). Another drawback caused by this: IPsec rules are much more understandable when using assigned interfaces with individual rules - but you can’t use it when you need to support tunnel-mode.

      I have 10+ customer instances where I had to resort to either using different pfSense boxes for S2S with IPsec in VTI mode, or install and use Wireguard for S2S. All because the customers use and love pfSense's Mobile Warrior IPsec which only runs tunnel-mode.
      This is a major inconvenience to me at least.

      Is there any chance this limitation could be removed in the future?

      Love the no fuss of using the official appliances :-)

      • tinfoilmatt (@keyser):

        @keyser I know it's still basically a 'workaround,' but what say you about OpenVPN for the site-to-site tunnels on systems that must host roadwarrior VPN? OVPN is 'baked into' the system (or at least more deeply than WG I would presume), can be configured to utilize hardware acceleration, etc.?

        • keyser (Rebel Alliance, @tinfoilmatt):

          @tinfoilmatt I could just as well use OpenVPN for S2S as the workaround.
          But I prefer Wireguard due to its simplicity - I find it’s just as fast as OpenVPN with hardware acc.

          There is nothing wrong with either of those options - it’s just not enough in many cases… I’m not always in control of the other end's hardware, and IPsec then becomes the golden standard, and thus required.

          Also, I much prefer to have only one VPN engine/setup running on pfSense - My “KISS OCD” does not like having multiple different VPN suites/rules and setups running when just IPsec should be enough.

          PS: The pfSense mobile warrior IPsec setup is not replaceable :-)
          I, and my customers, absolutely LOVE the pfSense Mobile VPN with its simple setup, and grouping of firewall rules due to multiple IP pools. Not having to deploy and maintain VPN clients, but just use the ones built into OSes is an absolute WIN-WIN when coupled with 2FA from the MS Entra plugin to Microsoft's NPS radius server.

          Love the no fuss of using the official appliances :-)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.