IPsec VTI tunnel problem with multiple subnets
-
I have setup a VTI-based IPsec tunnel between pfSense and a different FW (Sophos XGS).
Site A (pfsense): LAN 172.28.0.0/24
Site B (Sophos): LAN 192.168.1.0/24 and 192.168.20.0/24
tunnel net: 172.29.0.0/30
If I only enable one subnet on the Sophos side (and enable the correct route on the pfSense side) everything works perfectly.
If I enable the second subnet I can only reach the 192.168.1.0 net through the tunnel.
Here is the tunnel with both routes active:

"Remote" only shows the 20-net, because the 1-net was not enabled as a "local subnet" on the Sophos side.
As soon as I enable the second subnet "Remote" only shows 192.168.1.0/24 (instead of both networks).
I think I have a configuration error in my pfSense setup, but cannot completely rule out Sophos.
Any ideas?
What am I doing wrong? -
@HyperactiveSloth That does not look like a VTI tunnel to me, but rather a policy routed tunnel. If that is the case, then your problem could be that you need to enable “split connections” on your phase one tunnels advanced settings.
It sounds like the box in the other end does not support multiple traffic selectors in one phase two. -

It is a VTI tunnel, as far as I can tell.
Sophos calls this a route-based site-to-site connection. -
@HyperactiveSloth Hmm, my VTI tunnels status shows 0.0.0.0/0 as the network in both ends in order for me to assign what traffic goes down the tunnel (by assigning routes to the VTI Gateway created when the IPsec interface is assigned).
Your IPsec status looks like a tunnel-mode Phase 2, where the local/remote subnets are assigned in the Phase 2 settings.
Strange… If it was tunnel mode I’m quite sure your issue is the “missing” split connections setting…
Guess I’m out of ideas :-(
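The two replies above describe two things worth checking on the pfSense side: whether the installed Phase 2 carries 0.0.0.0/0 selectors (true VTI, traffic chosen by routes) or per-subnet selectors (tunnel mode), and whether a second remote subnet actually made it into the installed SA. The script below is an added example, not part of this thread or of pfSense; it parses constructed text that only loosely follows the layout of strongSwan's `swanctl --list-sas` (the connection names, addresses and layout are assumptions, not captured from a real firewall) and reports which expected remote subnet is missing.

```python
import re

# Constructed sample, loosely modelled on `swanctl --list-sas` output on a
# strongSwan-based firewall. Names and addresses are made up for illustration.
# con1000 mirrors the symptom in the thread: only 192.168.1.0/24 got installed.
SAMPLE_SAS = """\
con1000: #3, ESTABLISHED, IKEv2, 0123456789abcdef_i 0123456789abcdef_r*
  local  '203.0.113.1' @ 203.0.113.1[4500]
  remote '198.51.100.1' @ 198.51.100.1[4500]
  con1000: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  172.28.0.0/24
    remote 192.168.1.0/24
con2000: #4, ESTABLISHED, IKEv2, fedcba9876543210_i fedcba9876543210_r*
  con2000: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  0.0.0.0/0
    remote 0.0.0.0/0
"""

CHILD_RE = re.compile(r'^\s{2}(\S+): #\d+, reqid \d+, (\w+), (\w+)')
TS_RE = re.compile(r'^\s{4}(local|remote)\s+(.*)$')


def parse_child_sas(text):
    """Collect each CHILD_SA with its local/remote traffic selector lists."""
    children, cur = [], None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:  # start of a CHILD_SA block (indented two spaces)
            cur = {'name': m.group(1), 'state': m.group(2), 'mode': m.group(3),
                   'local': [], 'remote': []}
            children.append(cur)
            continue
        m = TS_RE.match(line)
        if m and cur is not None:  # selector lines sit four spaces deep
            cur[m.group(1)] = m.group(2).split()
    return children


def classify(child):
    """'vti' = route-based (any-to-any selectors); otherwise tunnel mode."""
    if child['local'] == ['0.0.0.0/0'] and child['remote'] == ['0.0.0.0/0']:
        return 'vti'
    if len(child['local']) > 1 or len(child['remote']) > 1:
        return 'policy-multi-ts'  # several selectors in one CHILD_SA
    return 'policy-single-ts'


def missing_remote(child, expected):
    """Expected remote subnets that the installed SA does not carry."""
    return [net for net in expected if net not in child['remote']]
```

Running `missing_remote` against the first CHILD_SA with both Sophos subnets shows 192.168.20.0/24 absent, which is the state to look for before changing the split-connections setting.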