"Routing" over IPSec tunnel - pfSense <-> Astaro

I've got a pretty simple setup that I'm trying to get working. I'm at a remote office, and the home office has an Astaro (Linux) security appliance, over which I have complete control. I created an IPSec tunnel to the Astaro from pfSense, and it came up on the first try. I was elated. But then I realized that DNS queries to the local domain (i.e. Active Directory) weren't resolving over the tunnel. (I've set up a DNS forwarder on the pfSense box for the local domain to a DNS server at the home office.)

So after some poking around, I've found that my entire subnet routes perfectly to the home office and back, except for traffic originating at the firewall. From there, I can't reach anything at all at the home office. I've set up rules in both directions allowing all traffic, and from the home office I can ping anything in my subnet, including the pfSense box. I finally stumbled on this article:

http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

It explains perfectly why my firewall can't resolve DNS, because the DNS query is originating at the firewall. So I added the default route suggested in the article, and lo and behold, my firewall can now ping into the home network. DNS now resolves correctly.

Here's the problem: my Windows clients still work fine, but I have some Apple iOS devices, and they cannot reach into the home network at all. They get a "Network unreachable" message back from the firewall, and when I do a trace from the iOS devices, they hit the firewall, then get stuck in a routing loop as the packets just get continually routed back to the firewall and never traverse the IPSec tunnel. When I take the route out, again, my Windows clients can ping over the tunnel, as can my iOS devices, but the firewall itself can't.

I'm at a loss. Any ideas?
