Another IPsec Routing Question - SOLVED



  • Never Mind

    I was pushing out a group policy that was telling the Remote users to use the Wrong Proxy Server.
    It made web traffic traverse the VPN instead of exit the local gateway.

    Of course I couldn't remember that until I posted.

    Writing new GPs now and that should solve it.

    Thanks for looking.

    2nd Update: A Microsoft FYI - What I finally did.

    I have one Domain Controller for two locations.  The correct proxy server needed to be assigned, depending on the location the user logged in.
    I'm already pushing WPAD via DHCP and DNS but my experience is that WPAD can miss some computers.

    I added group policies that use Item Level Targeting (Server 2k8) based on the IP address the user logs in from.
    MS doesn't have a Proxy option w/ ILT so I created registry entries instead.

    I'm including mine because GP reg entries can be a pain to find

    Hive HKEY_CURRENT_USER
    Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Value name ProxyEnable
    Value type REG_DWORD
    Value data 0x1 (1)

    Hive HKEY_CURRENT_USER
    Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Value name ProxyOverride
    Value type REG_SZ
    Value data 192.168.1.25;192.168.1.50;<local>

    Hive HKEY_CURRENT_USER
    Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Value name ProxyServer
    Value type REG_SZ
    Value data 192.168.1.1:3128
    

    Last word - really:
    An important lesson for WPAD is Patience.

    I set everything up yesterday and my test machines would pull the GP and WPAD info but wouldn't assign a proxy - even after rebooting.
    And today they are.

    For whatever reason I often have to leave WPAD in place for a day or so before it fully takes effect.
    No amount of reboots, clearing DNS caches, deleting leases in DHCP server, etc will hurry it along when it's stubborn.

    Thanks Bye

    Original Post begins here

    I think I have a routing issue with my IPsec VPN. Web Traffic is traversing the VPN that should exit the local gateway.

    The VPN is set up between two pfSense boxes.
    Location Names are Main and Remote (R has 5 PCs).

    What I want for both:
    Domain/LAN traffic to traverse the VPN   (is working great now - both ways)
    All other traffic to exit their local gateways   (problem at Remote)

    Problem:
    70% of HTTP/HTTPS traffic - originating from Remote - traverses the VPN and out the Main gateway.
    (I guess my setup has confused pfSense @Remote; but I can't see where.)

    There's no pattern.  
    All 5 Remote PCs send some HTTP/HTTPS through the local gateway while sending other HTTP/HTTPS through the VPN.
    Traffic to any particular destination could be routed through the local gateway - but then routed through the VPN a moment later.

    Specs:
    Both run 2.0.1-RELEASE (i386)

    Main is on FiOS w/ a 192.168**.1**.0/24 local subnet
    Remote is on cable w/ a 192.168**.4**.0/24 local subnet
    Local Gateways are 192.168.x.1 for both.

    (Both Local Gateways are on same pfSense box as the IPsec endpoints)

    Remote Routing Table

    IPsec rules

    1. Block TCP/UDP ports 67/68 (both ways)
    2. Allow All (both ways)

    Phase 2 @Main:
    Mode = Tunnel
    Local Network = Lan Subnet
    Remote Network = 192.168.4.0/24

    Phase 2 @Remote:
    Mode = Tunnel
    Local Network = Lan Subnet
    Remote Network = 192.168.1.0/24

    A Win2k8 domain controller is at Main and it's the DC for both locations (@ 192.168.1.6).
    DNS for PCs at Main and Remote is the DC (192.168.1.6).

    Main DHCP is DC.
    Remote DHCP is pfSense

    What I can't figure out:
    How to properly write a routing entry(s) to control traffic.

    Can someone point me in the right direction?

    Thank you.
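    A script that makes the same per-site decision as the poster's Item Level Targeting and then checks that the HKCU proxy values match the subnet the client is on, as an added example that is not the poster's GPO or any pfSense/Microsoft code. The Remote proxy address 192.168.4.1:3128 and the function names are assumptions (only 192.168.1.1:3128 appears in the post); it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: apply the post's HKCU proxy values
# for whichever site subnet the machine is on, then verify them.
$Sites = @{
    '192.168.1.0/24' = '192.168.1.1:3128'   # Main, from the post
    '192.168.4.0/24' = '192.168.4.1:3128'   # Remote, ASSUMED placeholder
}
$Bypass = '192.168.1.25;192.168.1.50;<local>'   # ProxyOverride from the post
$Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function ConvertTo-UInt32([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                    # network to host byte order
    [BitConverter]::ToUInt32($b, 0)
}

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Get-ExpectedProxy {
    # Same decision the post's Item Level Targeting makes: match the client's IPv4 address to a site.
    $ips = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
    foreach ($ip in $ips) {
        foreach ($cidr in $Sites.Keys) {
            if (Test-InSubnet $ip $cidr) { return $Sites[$cidr] }
        }
    }
    return $null
}

function Set-SiteProxy {
    $proxy = Get-ExpectedProxy
    if (-not $proxy) { throw 'No site subnet matched; leaving proxy settings untouched.' }
    New-ItemProperty -Path $Key -Name ProxyEnable   -PropertyType DWord  -Value 1       -Force | Out-Null
    New-ItemProperty -Path $Key -Name ProxyServer   -PropertyType String -Value $proxy  -Force | Out-Null
    New-ItemProperty -Path $Key -Name ProxyOverride -PropertyType String -Value $Bypass -Force | Out-Null
}

function Test-SiteProxy {
    # $false is the post's failure mode: a proxy from the other site pulls web traffic through the tunnel.
    $cur = Get-ItemProperty -Path $Key
    $expected = Get-ExpectedProxy
    $ok = ($cur.ProxyEnable -eq 1) -and ($cur.ProxyServer -eq $expected)
    if (-not $ok) { Write-Warning "ProxyServer is '$($cur.ProxyServer)', expected '$expected' for this subnet" }
    return $ok
}
```

    Run Set-SiteProxy once in the user's context, then Test-SiteProxy on a client at each site; a $false from Remote means its browsers would still send web traffic through the tunnel to the Main proxy.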



  • What I can't figure out:
    How to properly write a routing entry(s) to control traffic.

    Can someone point me in the right direction?

    On FreeBSD IPsec traffic doesn't use the system routing table.



  • @dhatz:

    What I can't figure out:
    How to properly write a routing entry(s) to control traffic.

    Can someone point me in the right direction?

    On FreeBSD IPsec traffic doesn't use the system routing table.

    I didn't know that. Thank you for cluing me in.

    What's the preferred method for directing traffic?



  • Depends on one's needs and what the capabilities of the routers at each end are …

    One popular option is GRE over IPsec e.g.
    http://www.packtpub.com/article/network-configuration-tunneling-with-free-bsd

    PS: I'm not sure it's needed to go that route, if you have a relatively "simple" VPN topology.



  • @dhatz:

    I'm not sure it's needed to go that route, if you have a relatively "simple" VPN topology.

    In my case my wonky proxy settings were misdirecting traffic.  Otherwise my IPsec tunnels just work (though individual computers sometimes need new static routes).

    I like the info in your link. 
    The GRE network would give me Tunnel IPs that I could use for a static route gateway.  OpenVPN gives me that too but not IPsec tunnels.

    Appreciated.

