Netgate Discussion Forum

    IPSec: UDP and ESP packages leaving different interfaces

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
5 Posts, 2 Posters, 1.7k Views
ggzengel:

      2.0-RC3 (i386) built on Thu Jul 14 01:23:35 EDT 2011

      First: I know about local services and static routes

      WAN1: IP 111.111.111.111 (interface used for ipsec)
      WAN2: IP 222.222.222.222 (default gateway)

While the static routes (see my other topic) are not applied, I have seen this:

      • udp:500 packets with src ip 111.111.111.111 leaving WAN1

      • esp packets with src ip 111.111.111.111 leaving WAN2

      My questions:

• Why do the packets leave interface WAN2 and not WAN1, if they have IP 111.111.111.111?

• Why do the packets leave interface WAN2, if they have the wrong IP 111.111.111.111?

• What is the difference in the routing of ESP and UDP that makes them go different ways?

      One more question:
"Disable reply-to on WAN rules" is deactivated. Why couldn't I ping the other WAN interfaces, if they are not the default gateway?

eri--:

Can you be clearer than just giving ropes of information?
Please describe your setup and what the issue is that you have.

The same is valid for the routes post.

ggzengel:

          OK. I will be more lyrical.

I have an NSA with 6 LAN ports.
em4 is LAN with a static IP.
em5 is WAN1 with a static IP. The gateway is configured and set on the WAN1 Interface tab as gateway.
em0 is WAN2 with an IP from DHCP.
WAN3 is pppoe0 on interface em1.
em2 and em3 are not used.

          Gateway on interface WAN2 (em0) is set as default gateway.
          No other routing rule exists.

          I have configured an ipsec peer for interface WAN1 (without routing rule).

Now I see that the UDP:500 packets leave on interface WAN1 and the ESP packets leave on WAN2 (with the src IP of WAN1).

1. Why do I configure an interface (WAN1) on the IPsec connection, if the traffic leaves another interface (WAN2)?
2. Why does a packet leave an interface (WAN2) with a spoofed src IP of WAN1?
3. Why don't the packets leave interface WAN1 if they have the src IP of interface WAN1?

eri--:
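The symptom described in the post above (IKE on UDP/500 leaving one WAN, ESP to the same peer leaving another WAN while still carrying the first WAN's source address) is easy to confirm from a capture before touching routing, and is also worth watching for on any multi-WAN firewall because an upstream with source-address filtering will silently drop the mismatched ESP. The following script is an added example and not code from the thread or from pfSense: it takes a constructed capture in a simplified "iface IP src > dst: info" record format (real tcpdump output differs in layout, so the regex is an assumption to adapt), the interface-to-address mapping from the thread (em5/WAN1 = 111.111.111.111, em0/WAN2 = 222.222.222.222), and a constructed peer address 203.0.113.10. It reports packets whose source address does not belong to their egress interface and peers whose IKE and ESP traffic take different interfaces.

```python
"""Egress-consistency check for IPsec traffic on a multi-WAN host.

Added example (not from the thread or pfSense). Interface names and
addresses follow the thread; peer address, capture format and capture
lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Interface -> address as described in the thread (constructed mapping).
IFACE_ADDRS = {
    "em5": "111.111.111.111",  # WAN1, the interface selected for IPsec
    "em0": "222.222.222.222",  # WAN2, the default gateway
}

# Constructed capture, one record per line:
# "<iface> IP <src>[.<sport>] > <dst>[.<dport>]: <info>"
SAMPLE_CAPTURE = """\
em5 IP 111.111.111.111.500 > 203.0.113.10.500: isakmp: phase 1 I ident
em5 IP 111.111.111.111.500 > 203.0.113.10.500: isakmp: phase 2/others I oakley-quick
em0 IP 111.111.111.111 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x1)
em0 IP 111.111.111.111 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x2)
em0 IP 222.222.222.222.53211 > 198.51.100.7.443: Flags [S]
"""

# Assumed record layout; adapt to the real capture tool's output.
LINE_RE = re.compile(
    r"^(?P<iface>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)


def parse_capture(text):
    """Parse capture records into dicts; tag each as ike, esp or other."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a packet record
        rec = m.groupdict()
        if rec["info"].startswith("ESP("):
            rec["kind"] = "esp"
        elif rec["sport"] in ("500", "4500"):  # IKE / NAT-T ports
            rec["kind"] = "ike"
        else:
            rec["kind"] = "other"
        packets.append(rec)
    return packets


def find_source_mismatches(packets, iface_addrs=IFACE_ADDRS):
    """Packets that left an interface with a source IP that is not its own."""
    findings = []
    for p in packets:
        expected = iface_addrs.get(p["iface"])
        if expected is not None and p["src"] != expected:
            findings.append((p["iface"], p["src"], p["dst"], p["kind"]))
    return findings


def find_split_ipsec_paths(packets):
    """Peers whose IKE and ESP traffic leave through different interfaces."""
    by_peer = defaultdict(lambda: defaultdict(set))
    for p in packets:
        if p["kind"] in ("ike", "esp"):
            by_peer[p["dst"]][p["kind"]].add(p["iface"])
    split = {}
    for peer, kinds in by_peer.items():
        if kinds["ike"] and kinds["esp"] and kinds["ike"] != kinds["esp"]:
            split[peer] = {"ike": sorted(kinds["ike"]),
                           "esp": sorted(kinds["esp"])}
    return split


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for iface, src, dst, kind in find_source_mismatches(pkts):
        print(f"source mismatch: {kind} {src} -> {dst} left via {iface}")
    for peer, paths in find_split_ipsec_paths(pkts).items():
        print(f"split path to {peer}: IKE via {paths['ike']}, ESP via {paths['esp']}")
```

Run on the constructed sample, both checks fire: the two ESP packets are flagged as leaving em0 with em5's address, and the peer shows IKE via em5 but ESP via em0, which is exactly the asymmetry the poster describes. On a real box the mapping would come from the interface configuration and the records from a capture on all WAN interfaces; a clean result from both functions is the condition to expect once routing for the peer is pinned to the IPsec interface.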

Do you have any package installed?
How have you configured load balancing?

ggzengel:

In this scenario I have not gotten as far as configuring load balancing or anything else.
I have only outgoing NAT (from private to all IPs) for the three WANs.

Does load balancing change something for IPsec, if pfSense is the source of the packets?
