How to handle IPsec with Dual WAN?



  • I have 2 WAN connections: DSL and Cable.  I have an IPsec VPN set up on the DSL WAN (primary WAN interface) for 10.0.0.0/16.

    I can't figure out how to route all traffic to 10.0.0.0/16 from my LAN 192.168.100.0/24 over the VPN.  I tried adding a LAN firewall rule forcing all traffic for the 10-net to my WAN IP gateway, but this doesn't work.

    If I try to ping a host on the remote network, my state table shows it going out my internet interface:

    
    icmp  	192.168.100.11:18245 -> <DSL public IP>:23317 -> 10.0.0.1  	0:0
    


  • You have to use the gateway "default" instead of the interface IP of your WAN. In your case you route the traffic directly to the upstream gateway, so IPsec doesn't even see it and the traffic doesn't get encapsulated.

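    What the two rule variants look like in the pf ruleset pfSense generates (an added illustration, not from the original post; the interface names em1/em0 and the upstream gateway 203.0.113.1 are assumed placeholders):

    ```pf
    # LAN rule with the WAN gateway selected: pfSense emits route-to, which hands
    # the packet straight to the upstream gateway, so the IPsec SPD is never consulted
    # and traffic to 10.0.0.0/16 leaves unencrypted on the DSL interface.
    pass in quick on em1 route-to ( em0 203.0.113.1 ) inet from 192.168.100.0/24 to any keep state

    # Fix: a rule ABOVE the policy-routing rule for the tunnel destination with
    # gateway "default" (no route-to). The packet follows the normal routing table,
    # matches the IPsec security policy for 10.0.0.0/16 and gets encapsulated.
    pass in quick on em1 inet from 192.168.100.0/24 to 10.0.0.0/16 keep state

    # Remaining LAN traffic can still be policy-routed out the DSL WAN afterwards.
    pass in quick on em1 route-to ( em0 203.0.113.1 ) inet from 192.168.100.0/24 to any keep state
    ```

    Rule order matters because of `quick`: the no-gateway rule for the remote subnet must sit above any rule that sets a gateway.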


  • Thanks, that makes sense.  I'm still unable to ping the remote network.

    Should I be able to ping the remote network from the pfSense shell?  I'm not clear on how routing is handled from the local pfSense box.

    One interesting thing, if I try a traceroute to the remote network from my LAN, I get this:

    
    traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 40 byte packets
     1  pfsense (192.168.100.1)  1.975 ms  1.560 ms  1.506 ms
     2  pfsense (192.168.100.1)  104.110 ms  107.204 ms  106.243 ms
     3  * * *
    

    I think this means it's reaching the other side of the tunnel at least.



  • You need to use the LAN IP as the source if you try to ping through the tunnel from the pfSense itself. Try from a client behind the pfSense, or use the LAN IP as the source. In the web GUI, for example, use interface LAN at Diagnostics > Ping. Another option is to add a static route to the remote subnet via the LAN IP of the local pfSense as gateway.

