Netgate Discussion Forum

    Another IPsec Routing Question - SOLVED

    • L
      LinuxTracker
      last edited by

      Never Mind

      I was pushing out a group policy that was telling the Remote users to use the Wrong Proxy Server.
      It made web traffic traverse the VPN instead of exit the local gateway.

      Of course I couldn't remember that until I posted.

      Writing new GPs now and that should solve it.

      Thanks for looking.

      2nd Update: A Microsoft FYI - What I finally did.

      I have one Domain Controller for two locations.  The correct proxy server needed to be assigned, depending on the location the user logged in.
      I'm already pushing WPAD via DHCP and DNS but my experience is that WPAD can miss some computers.

      I added group policies that use Item Level Targeting (Server 2k8) based on the IP address the user logs in from.
      MS doesn't have a Proxy option w/ ILT so I created registry entries instead.

      I'm including mine because GP reg entries can be a pain to find.

      Hive HKEY_CURRENT_USER
      Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
      Value name ProxyEnable
      Value type REG_DWORD
      Value data 0x1 (1)

      Hive HKEY_CURRENT_USER
      Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
      Value name ProxyOverride
      Value type REG_SZ
      Value data 192.168.1.25;192.168.1.50;<local>

      Hive HKEY_CURRENT_USER
      Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
      Value name ProxyServer
      Value type REG_SZ
      Value data 192.168.1.1:3128
      

      Last word - really:
      An important lesson for WPAD is Patience.

      I set everything up yesterday and my test machines would pull the GP and WPAD info but wouldn't assign a proxy - even after rebooting.
      And today they are.

      For whatever reason I often have to leave WPAD in place for a day or so before it fully takes effect.
      No amount of reboots, clearing DNS caches, deleting leases in DHCP server, etc will hurry it along when it's stubborn.

      Thanks Bye

      Original Post begins here

      I think I have a routing issue with my IPsec VPN. Web Traffic is traversing the VPN that should exit the local gateway.

      The VPN is set up between two pfSense boxes.
      Location Names are Main and Remote (R has 5 PCs).

      What I want for both:
      Domain/LAN traffic to traverse the VPN   (is working great now - both ways)
      All other traffic to exit their local gateways   (problem at Remote)

      Problem:
      70% of HTTP/HTTPS traffic - originating from Remote - traverses the VPN and out the Main gateway.
      (I guess my setup has confused pfSense @Remote; but I can't see where.)

      There's no pattern.  
      All 5 Remote PCs send some HTTP/HTTPS through the local gateway while sending other HTTP/HTTPS through the VPN.
      Traffic to any particular destination could be routed through the local gateway - but then routed through the VPN a moment later.

      Specs:
      Both run 2.0.1-RELEASE (i386)

      Main is on FiOS w/ a 192.168.1.0/24 local subnet
      Remote is on cable w/ a 192.168.4.0/24 local subnet
      Local Gateways are 192.168.x.1 for both.

      (Both Local Gateways are on same pfSense box as the IPsec endpoints)

      Remote Routing Table

      IPsec rules

      1. Block TCP/UDP ports 67/68 (both ways)
      2. Allow All (both ways)

      Phase 2 @Main:
      Mode = Tunnel
      Local Network = Lan Subnet
      Remote Network = 192.168.4.0/24

      Phase 2 @Remote:
      Mode = Tunnel
      Local Network = Lan Subnet
      Remote Network = 192.168.1.0/24

      A Win2k8 domain controller is at Main and it's the DC for both locations (@ 192.168.1.6).
      DNS for PCs at Main and Remote is the DC (192.168.1.6).

      Main DHCP is DC.
      Remote DHCP is pfSense

      What I can't figure out:
      How to properly write a routing entry(s) to control traffic.

      Can someone point me in the right direction?

      Thank you.

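An added example (not code from the thread) that models the fix the post describes: pick the per-site proxy the way the Item Level Targeting rule does (by the subnet the client logs in from), apply the WinINET ProxyOverride bypass semantics from the posted registry value, and flag the failure mode of the original post, a client handed the other site's proxy so its web traffic crosses the IPsec tunnel. The Remote proxy address is a placeholder; the post only gives Main's (192.168.1.1:3128).

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed site table based on the thread: Main is 192.168.1.0/24 with the
# proxy at 192.168.1.1:3128 (from the post). The Remote proxy is a placeholder,
# the post does not say what Remote's proxy is.
SITES = {
    "Main":   {"subnet": ipaddress.ip_network("192.168.1.0/24"), "proxy": "192.168.1.1:3128"},
    "Remote": {"subnet": ipaddress.ip_network("192.168.4.0/24"), "proxy": "192.168.4.1:3128"},
}
# ProxyOverride value from the post: bypass the two intranet hosts and any
# dotless ("local") hostname.
PROXY_OVERRIDE = "192.168.1.25;192.168.1.50;<local>"

def site_for(ip_str):
    """Item Level Targeting equivalent: the site whose subnet contains the address."""
    ip = ipaddress.ip_address(ip_str)
    for name, site in SITES.items():
        if ip in site["subnet"]:
            return name
    return None

def proxy_settings(client_ip):
    """Registry values the GP preference should write for a logon from client_ip."""
    name = site_for(client_ip)
    if name is None:  # unknown subnet: leave the proxy disabled rather than guess
        return {"ProxyEnable": 0, "ProxyServer": "", "ProxyOverride": ""}
    return {"ProxyEnable": 1, "ProxyServer": SITES[name]["proxy"],
            "ProxyOverride": PROXY_OVERRIDE}

def is_bypassed(host, override=PROXY_OVERRIDE):
    """WinINET ProxyOverride semantics: ';'-separated patterns with '*' wildcards,
    plus '<local>' meaning any hostname that contains no dot."""
    host = host.lower()
    for entry in (e.strip().lower() for e in override.split(";")):
        if not entry:
            continue
        if entry == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, entry):
            return True
    return False

def hairpins_over_vpn(client_ip, proxy_server):
    """True when the proxy a client was given sits at the other site, so its web
    traffic would traverse the IPsec tunnel instead of leaving the local gateway."""
    proxy_ip = proxy_server.rsplit(":", 1)[0]
    return site_for(client_ip) != site_for(proxy_ip)
```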
      • D
        dhatz
        last edited by

        What I can't figure out:
        How to properly write a routing entry(s) to control traffic.

        Can someone point me in the right direction?

        On FreeBSD IPsec traffic doesn't use the system routing table.

        • L
          LinuxTracker
          last edited by

          @dhatz:

          What I can't figure out:
          How to properly write a routing entry(s) to control traffic.

          Can someone point me in the right direction?

          On FreeBSD IPsec traffic doesn't use the system routing table.

          I didn't know that. Thank you for cluing me in.

          What's the preferred method for directing traffic?

          • D
            dhatz
            last edited by

            Depends on one's needs and what the capabilities of the routers at each end are …

            One popular option is GRE over IPsec e.g.
            http://www.packtpub.com/article/network-configuration-tunneling-with-free-bsd

            PS: I'm not sure it's needed to go that route, if you have a relatively "simple" VPN topology.

            • L
              LinuxTracker
              last edited by

              @dhatz:

              I'm not sure it's needed to go that route, if you have a relatively "simple" VPN topology.

              In my case my wonky proxy settings were misdirecting traffic.  Otherwise my IPsec tunnels just work (though individual computers sometimes need new static routes).

              I like the info in your link. 
              The GRE network would give me Tunnel IPs that I could use for a static route gateway.  OpenVPN gives me that too but not IPsec tunnels.

              Appreciated.
