IPSEC site-to-site: All traffic through tunnel including Internet?



  • I am trying to create a site-to-site IPSEC tunnel with pfSense on one side and either a Sonicwall or Cisco IOS router on the head-end.  I've created the tunnels successfully both ways, but I can't get Internet traffic to go over the tunnel.  I don't want any user Internet traffic to originate from the pfSense WAN except the tunnel itself to the head-end VPN device.

    I can reach all internal resources just fine.  I use 0.0.0.0/0 as the tunnel definition on the pfSense side and the single class C (192.168.1.0 /24 for instance) on the head-end side pointing to the pfSense LAN.

    Whether the Cisco side is also the firewall to the Internet (hairpin), or whether I try to route internally to a different firewall, I can't get it to work right.  I'm sure I'm missing something obvious, but I can't find it.  The only thing that doesn't work is getting Internet traffic through the tunnel to the head-end.


  • Rebel Alliance Developer Netgate

    You may need to make sure that whatever device is actually handling the NAT before that traffic reaches the Internet is set to apply NAT to the subnet coming across IPsec.

    On pfSense, in some scenarios you need to add an manual outbound NAT rule to ensure that traffic coming from VPN clients has NAT applied before it tries to exit WAN, but I'm not sure what that might translate to on the other end if pfSense is the "client" side.



  • @jimp:

    You may need to make sure that whatever device is actually handling the NAT before that traffic reaches the Internet is set to apply NAT to the subnet coming across IPsec.

    On pfSense, in some scenarios you need to add an manual outbound NAT rule to ensure that traffic coming from VPN clients has NAT applied before it tries to exit WAN, but I'm not sure what that might translate to on the other end if pfSense is the "client" side.

    The firewall on the head end has a route back through the tunnel to the remote pfSense side and it will handle NAT for any network that comes to it.  I played with the NAT settings on the pfSense box and they didn't help.  I even turned them off since I really don't need NAT at all.  Nothing gets NAT'ed to the Internet from pfSense since I want 100% of the traffic to go through the tunnel.  But still no workie.



  • I am now trying a Sonicwall on the remote side and it's doing the same thing, so something is amuck on the head end.  The Sonicwall has a special checkbox to tunnel all traffic over the VPN, including Internet traffic.  It creates the appropriate 0.0.0.0/0.0.0.0 match over the VPN so everything is definitely going over it, but I'm not getting an Internet (only internal) connectivity.  At this point, I don't believe it was a pfSense issue.


Log in to reply