IPSec: UDP and ESP packages leaving different interfaces



  • 2.0-RC3 (i386) built on Thu Jul 14 01:23:35 EDT 2011

    First: I know about local services and static routes

    WAN1: IP 111.111.111.111 (interface used for ipsec)
    WAN2: IP 222.222.222.222 (default gateway)

    While the static routes (see my other topic) are not applied, I have seen this:

    • udp:500 packets with src ip 111.111.111.111 leaving WAN1

    • esp packets with src ip 111.111.111.111 leaving WAN2

    My questions:

    • Why do packets leave interface WAN2 and not WAN1, if they have IP 111.111.111.111?

    • Why do packets leave interface WAN2, if they have the wrong IP 111.111.111.111?

    • What is the difference in the routing of ESP and UDP that makes them go different ways?

    One more question:
    "Disable reply-to on WAN rules" is deactivated. Why can't I ping the other WAN interfaces if they are not the default gateway?



  • Can you be clearer than just giving ropes of information?
    Please describe your setup and what issue you have.

    The same applies to the routes post.



  • OK. I will be more lyrical.

    I have an NSA with 6 LAN ports.
    em4 is LAN with a static IP.
    em5 is WAN1 with a static IP. The gateway is configured and set as gateway on the WAN1 Interface tab.
    em0 is WAN2 with IP from DHCP.
    WAN3 is pppoe0 at interface em1.
    em2 and em3 are not used.

    Gateway on interface WAN2 (em0) is set as default gateway.
    No other routing rule exists.

    I have configured an IPsec peer for interface WAN1 (without a routing rule).

    Now I see that UDP:500 packets leave on interface WAN1 and the ESP packets leave on WAN2 (with the src IP of WAN1).

    1. Why do I configure an interface (WAN1) on the IPsec connection, if the traffic leaves another interface (WAN2)?
    2. Why does a packet leave an interface (WAN2) with a spoofed src IP of WAN1?
    3. Why don't the packets leave interface WAN1 if they have a src IP of interface WAN1?
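
    An added illustration of the behaviour described in this post; it is example code written for this page, not pfSense's routing code or anything the poster ran. It models a routing table that is consulted by destination only, the way a plain FIB lookup works: a locally generated ESP packet carrying WAN1's source address still matches the default route and goes out WAN2, because the source address is never consulted. The `policy` branch shows what a source-aware rule (pf's `route-to` is the usual mechanism on pfSense) would change for a given protocol. The subnet masks, the peer address 203.0.113.5 and the rule shape are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed routing table modelling the poster's layout (assumed /24 masks):
#   WAN1 = em5, 111.111.111.111 (interface chosen for IPsec)
#   WAN2 = em0, 222.222.222.222 (holds the default gateway)
ROUTES = [
    ("111.111.111.0/24", "em5"),  # connected network on WAN1
    ("222.222.222.0/24", "em0"),  # connected network on WAN2
    ("0.0.0.0/0", "em0"),         # default route via WAN2
]

# Hypothetical source-aware rule, analogous to a pf route-to rule: IKE from
# WAN1's address is forced out em5. Nothing comparable exists for ESP here.
IKE_POLICY = [
    {"src": "111.111.111.111", "proto": "udp/500", "iface": "em5"},
]


def fib_lookup(dst, routes=ROUTES):
    """Plain longest-prefix match. Only the destination is consulted;
    the packet's source address plays no part in the decision."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return None if best is None else best[1]


def egress(src, dst, proto, policy=(), routes=ROUTES):
    """Pick the outgoing interface for a locally generated packet.
    Policy rules match on source and protocol and win over the FIB;
    with no matching rule the destination-only lookup decides."""
    for rule in policy:
        if rule["src"] == src and rule["proto"] == proto:
            return rule["iface"]
    return fib_lookup(dst, routes)


if __name__ == "__main__":
    peer = "203.0.113.5"  # constructed IPsec peer address
    src = "111.111.111.111"
    # Without any source-aware rule both IKE and ESP follow the default route.
    print("IKE  no policy :", egress(src, peer, "udp/500"))        # em0
    print("ESP  no policy :", egress(src, peer, "esp"))            # em0
    # With a rule for IKE only, IKE is steered out em5 while ESP still
    # leaves em0 carrying WAN1's source address.
    print("IKE  with rule :", egress(src, peer, "udp/500", IKE_POLICY))  # em5
    print("ESP  with rule :", egress(src, peer, "esp", IKE_POLICY))      # em0
```

To check the real box rather than the model, run `tcpdump -ni em0 'esp or udp port 500'` and `tcpdump -ni em5 'esp or udp port 500'` side by side while the tunnel negotiates; whichever interface shows the ESP packets is the one the kernel's lookup chose, and `netstat -rn` shows the routes that lookup had to work with.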



  • Do you have any packages installed?
    How have you configured load balancing?



  • In this scenario I haven't gotten as far as configuring load balancing or anything else.
    I have only outbound NAT (from private to all IPs) for the three WANs.

    Does load balancing change anything for IPsec, if the pfSense is the source of the packets?

