Firewall rule with gateway - policy based routing



  • I have four interfaces: WAN, LAN, MPLS and backup.

    The MPLS interface and the backup are in a gateway group.

    I successfully route traffic from LAN over the gateway group to the destination.

    Now I want to route a network behind an IPsec tunnel over the gateway group.

    I make a rule on the IPsec interface without effect; all traffic is routed to the WAN.

    I captured the traffic!

    How can I route traffic from IPsec tunnels over the gateway group?

    regards
    Alexander



  • You can't.
    IPsec is handled differently, before the routing table/specific gateways are processed.
    If you want to be able to route over a VPN, use OpenVPN.



  • Why don't you fix the problem in pfSense?
    Other devices like a Cisco router can route over IPsec;
    not really, but the routing table will be used.

    That means you route the traffic based on the routing table and only the encryption is applied by the IPsec policy.
    That's the main reason why IPsec is used: to define encryption policies for traffic between two hosts or networks.



  • I think the problem lies in the OS beneath pfSense and is not a pfSense limitation itself.
    If I'm correct, IPsec is in the kernel of BSD and OpenVPN is add-on software, which can be handled differently.


  • Rebel Alliance Developer Netgate

    Correct, IPsec will grab all traffic matching its SPD entries (Phase 2), so doing policy routing involving IPsec is not possible.

    It works fine with OpenVPN, though.

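To make the order of operations in the answer above concrete, here is an added example (not pfSense or FreeBSD code, and not posted by anyone in this thread). It parses a constructed sample of `setkey -DP` output, the kernel's Security Policy Database dump that lists the Phase 2 selectors, and then models the forwarding decision in the order the developer describes: the SPD is consulted first, and only a packet that matches no `ipsec` policy ever reaches the firewall rule's gateway-group (policy-routing) decision. The addresses are documentation ranges, the gateway group name `MPLS_BACKUP_GROUP` is hypothetical, and the model deliberately ignores pf state tracking and `reply-to`.

```python
"""Model of why a pfSense firewall rule with a gateway cannot steer IPsec traffic.

Added example, not pfSense/FreeBSD code. Parses `setkey -DP` output (the
kernel SPD) and applies the lookup order from the thread: SPD first, then
policy routing. Sample data below is constructed; the gateway group name
is hypothetical.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Union

# Constructed `setkey -DP` dump for one Phase 2 entry (10.0.1.0/24 <-> 192.168.2.0/24).
# Real output has the same shape: a selector header line, then tab-indented detail lines.
SAMPLE_SPD = """\
10.0.1.0/24[any] 192.168.2.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/unique:1
\tspid=1 seq=1 pid=4242
\trefcnt=1
192.168.2.0/24[any] 10.0.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-203.0.113.1/unique:2
\tspid=2 seq=0 pid=4242
\trefcnt=1
"""

GATEWAY_GROUP = "MPLS_BACKUP_GROUP"  # hypothetical pfSense gateway group name

# "<src>[<sport>] <dst>[<dport>] <proto>" header of each SPD entry
HEADER_RE = re.compile(r"^(\S+?)\[(\S+?)\]\s+(\S+?)\[(\S+?)\]\s+(\S+)$")

Net = Union[IPv4Network, IPv6Network]


@dataclass
class SpdEntry:
    src: Net
    dst: Net
    proto: str
    direction: str          # "in", "out" or "fwd"
    action: str             # "ipsec", "discard" or "none"
    tunnel: Optional[str]   # "<local>-<remote>" endpoints for tunnel-mode entries

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        return (self.direction == direction
                and ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst)


def parse_spd(text: str) -> List[SpdEntry]:
    """Turn a `setkey -DP` dump into SpdEntry records."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        src, _sport, dst, _dport, proto = m.groups()
        direction, action = lines[i + 1].split()[:2]
        tunnel, j = None, i + 2
        # Consume the remaining tab-indented detail lines of this entry.
        while j < len(lines) and lines[j].startswith("\t"):
            fields = lines[j].strip().split("/")
            if len(fields) >= 3 and fields[1] in ("tunnel", "transport"):
                tunnel = fields[2]
            j += 1
        entries.append(SpdEntry(ip_network(src), ip_network(dst), proto,
                                direction, action, tunnel))
        i = j
    return entries


def egress_decision(spd: List[SpdEntry], src_ip: str, dst_ip: str,
                    rule_gateway: str = GATEWAY_GROUP) -> str:
    """Forwarding decision for an outbound packet, in the kernel's order.

    1. SPD lookup: a matching 'out ipsec' entry hands the packet to IPsec,
       which encapsulates it towards the tunnel peer. The pf rule's gateway
       is never consulted, which is the behaviour described in the thread.
    2. Only packets with no IPsec policy reach the firewall rule's
       gateway / gateway group (policy routing).
    """
    for entry in spd:
        if entry.action == "ipsec" and entry.matches(src_ip, dst_ip, "out"):
            return f"ipsec:{entry.tunnel}"
    return f"pbr:{rule_gateway}"


def policy_routing_applies(spd: List[SpdEntry], src_ip: str, dst_ip: str) -> bool:
    """True when a rule with a gateway set would actually steer this flow."""
    return egress_decision(spd, src_ip, dst_ip).startswith("pbr:")


if __name__ == "__main__":
    spd = parse_spd(SAMPLE_SPD)
    for flow in (("10.0.1.5", "192.168.2.9"), ("10.0.1.5", "198.51.100.200")):
        print(flow, "->", egress_decision(spd, *flow))
```

Running it shows the two outcomes: a LAN host talking to the remote Phase 2 network is taken by the `out ipsec` entry and leaves through the tunnel endpoints regardless of any gateway set on the rule, while a flow to an address outside every SPD selector falls through to the gateway group. On a live box, `setkey -DP` (or Status > IPsec > SPD in the pfSense GUI) is the check to run before spending time on a policy-routing rule for IPsec traffic.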


  • @Terrabit_AH:

    Why don't you fix the problem in pfSense?
    Other devices like a Cisco router can route over IPsec;
    not really, but the routing table will be used.

    That means you route the traffic based on the routing table and only the encryption is applied by the IPsec policy.
    That's the main reason why IPsec is used: to define encryption policies for traffic between two hosts or networks.

    Not doable at the moment, due to how FreeBSD (the underlying OS pfSense is based on) handles IPsec traffic.

    Read http://forum.pfsense.org/index.php/topic,50589.0.html

