Netgate Discussion Forum

Disable filtering/scrubbing through VPN - How?

Category: IPsec
2 Posts, 1 Posters, 2.0k Views
    ssheikh
    last edited by Jul 30, 2010, 10:43 PM

    I have a site-to-site VPN as a fallback/backup link between three sites in a full mesh. The primary link is through (unreliable) MPLS.

    At each site I have Cisco routers that track the far-side MPLS routers using IP SLA monitor. If the MPLS link goes down, the routers flip the routes to the pfSense firewalls for traffic to be routed over the VPN.

    The VPNs are kept alive at all times through keep-alive. I have verified that they do stay up.

    The Cisco side of the setup works well.

    My problem is that all established TCP sessions drop when the route flips from the MPLS to the VPN. It appears that pfSense does a TCP state inspection of the packet and drops the packet because it did not see the session establish through it. I have verified this through different packet captures.

    Turning off scrubbing and packet filtering has no effect.

    This is through IPSec VPN. I have not tried OpenVPN.

    Ideas?

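One defender-side way to let pf accept TCP sessions that began over MPLS and moved mid-stream onto the tunnel, as an added pf.conf example that is not from the thread and not pfSense's generated ruleset; the interface and network names are assumptions, and the same options are exposed in pfSense's rule editor under Advanced Options ("TCP Flags: Any flags", "State type: Sloppy").

```pf
# Added example, not from the thread. Names below are placeholders.
# Stock pf.conf syntax (FreeBSD/OpenBSD pf).
vpn_if = "enc0"                  # assumed: IPsec traffic surfaces on enc0
local_net = "10.1.0.0/16"        # constructed sample networks
remote_nets = "{ 10.2.0.0/16, 10.3.0.0/16 }"

# Default behaviour, the one that drops the sessions described above:
# "flags S/SA" only creates state from a SYN, and strict state tracking
# validates TCP sequence numbers against the window, so packets from a
# session that was established over MPLS never match a state here.
# pass in on $vpn_if proto tcp from $remote_nets to $local_net \
#     flags S/SA keep state

# Relaxed rules for the backup path only: any TCP packet may create state
# ("flags any") and sequence/window checks are skipped ("sloppy"), so a
# connection that fails over mid-stream keeps flowing.
pass in quick on $vpn_if proto tcp from $remote_nets to $local_net \
    flags any keep state (sloppy)
pass out quick on $vpn_if proto tcp from $local_net to $remote_nets \
    flags any keep state (sloppy)
```

Sloppy state gives up the TCP sequence validation that strict state provides, so scope it to the tunnel interface and the mesh networks rather than applying it globally; `pfctl -nf /etc/pf.conf` checks the syntax before loading.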
      ssheikh
      last edited by Aug 1, 2010, 1:00 AM

      Gave up on trying to do this. Instead created tunnel interfaces on the Ciscos and am letting MPLS fail over to GRE tunnels. Working surprisingly well. Doing port forwarding for GRE for the IP of the router. Wanted to keep all the router IPs behind the firewall.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.