Netgate Discussion Forum
    Routing rules IPv4?

    Category: 2.1 Snapshot Feedback and Problems - RETIRED
    10 Posts, 4 Posters, 2.1k Views
    • ggzengel

      Normally routing decisions are made on the bit length of the network mask.
      But how does it work in combination with IPsec?

      I have 2 local networks (em1+em2), 172.16.1.0/24 and 192.168.1.0/24.
      I have an IPsec peer with 2 IPsec tunnels, from 172.16.1.0/24 to 192.168.0.0/16 and from 192.168.1.0/24 to 192.168.0.0/16.

      From 172.16.1.1 I can't reach 192.168.1.1. The packets go into the IPsec tunnel.
      192.168.1.1 is reachable from outside over IPsec.

      If I want to reach 192.168.1.1 it's not enough to disable the IPsec tunnel; I have to delete the tunnel.

      I have a 2nd peer with an IPsec tunnel from 172.16.1.0/24 to 192.168.10.0/24.
      If I ping 192.168.10.1 the packets go into the 192.168.0.0/16 tunnel.

      • jimp (Rebel Alliance Developer, Netgate)

        IPsec will grab whatever packets match the SPD (Phase 2) entries.

        There isn't a way in the GUI to set up any kind of bypass.

        If you don't want those to conflict, you'll need to narrow that subnet on the Phase 2 from /16 to something smaller.

        Deleting that /16 tunnel and adding it back at the bottom may allow the 192.168.10.x tunnel to work, but only by luck.

        It's best to keep all of the networks from overlapping at all.

        Also you can remove active SPD entries from Status > IPsec on the SPD tab. Sometimes when disabling a tunnel those are left in.


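To make jimp's point concrete, here is a small added simulator (not code from the thread or from pfSense) that applies the three Phase 2 selectors from the first post as an ordered SPD, first-match style, and beside it what a routed VPN with longest prefix match would pick for the same packets. The tunnel names are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: the three Phase 2 (SPD) entries as
# (local selector, remote selector, name), in the order they were configured.
SPD = [
    ("172.16.1.0/24", "192.168.0.0/16", "peer1-tunnel-A"),
    ("192.168.1.0/24", "192.168.0.0/16", "peer1-tunnel-B"),
    ("172.16.1.0/24", "192.168.10.0/24", "peer2-tunnel"),
]

def _matches(entry, src, dst):
    local, remote, _name = entry
    return src in ip_network(local) and dst in ip_network(remote)

def spd_first_match(src, dst, spd=SPD):
    """Flow-based IPsec (the FreeBSD SPD): the first entry whose selectors contain
    the packet wins, however broad its prefix. Returns the tunnel name, or None
    when no entry matches and the packet is routed normally."""
    src, dst = ip_address(src), ip_address(dst)
    for entry in spd:
        if _matches(entry, src, dst):
            return entry[2]
    return None

def longest_prefix_match(src, dst, spd=SPD):
    """What a routed (interface-based) VPN would do with the same prefixes: the
    entry with the most specific remote prefix wins, regardless of order."""
    src, dst = ip_address(src), ip_address(dst)
    candidates = [e for e in spd if _matches(e, src, dst)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: ip_network(e[1]).prefixlen)[2]

def captured_local_flows(local_nets, spd=SPD):
    """(src_net, dst_net, tunnel) for every pair of local networks whose traffic an
    SPD entry grabs instead of letting the firewall route it between interfaces.
    The first host of each network stands in for a representative packet."""
    captured = []
    for a in local_nets:
        for b in local_nets:
            if a == b:
                continue
            src, dst = str(ip_network(a)[1]), str(ip_network(b)[1])
            tunnel = spd_first_match(src, dst, spd)
            if tunnel is not None:
                captured.append((a, b, tunnel))
    return captured
```

Reordering the SPD so the /24 entry comes first makes the 192.168.10.x case work, which is exactly the "only by luck" outcome: it depends on entry order, not on prefix length.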
        • ggzengel

          That means I have 16 times more routing rules for replacing 10.0.0.0/8 if I have 10.0.1.0/24 as the local network?
          10.128.0.0/9
          10.64.0.0/10
          10.32.0.0/11
          10.16.0.0/12
          10.8.0.0/13
          10.4.0.0/14
          10.2.0.0/15
          10.1.0.0/16
          10.0.128.0/17
          10.0.64.0/18
          10.0.32.0/19
          10.0.16.0/20
          10.0.8.0/21
          10.0.4.0/22
          10.0.2.0/23
          10.0.0.0/24

          I have a lot of these constructs at my customers.
          With bintec routers I did not have such problems, because they use virtual interfaces on IPsec and use the global routing table.

          How complicated will the hub router be if you have 20 branch offices? What do you do if you add one more branch office?

          Is it possible to implement longest prefix match?

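The 16-entry list above is the supernet split around the local subnet: at each level keep the half that does not contain 10.0.1.0/24 and split the other half again. The added function below (not from the thread or from pfSense) generates that list for any supernet/excluded pair and checks whether an address would still be grabbed by one of the resulting Phase 2 entries.

```python
from ipaddress import ip_address, ip_network

def exclude_subnet(supernet, excluded):
    """Smallest set of prefixes covering `supernet` minus `excluded`.
    Each iteration halves the current prefix, emits the half that does not
    contain `excluded`, and descends into the half that does, so the result has
    (excluded.prefixlen - supernet.prefixlen) entries, in the order of the post."""
    supernet, excluded = ip_network(supernet), ip_network(excluded)
    if not excluded.subnet_of(supernet):
        raise ValueError(f"{excluded} is not inside {supernet}")
    result = []
    current = supernet
    while current != excluded:
        low, high = current.subnets(prefixlen_diff=1)
        if excluded.subnet_of(low):
            result.append(high)
            current = low
        else:
            result.append(low)
            current = high
    return result

def as_strings(prefixes):
    return [str(p) for p in prefixes]

def is_covered(prefixes, addr):
    """True if `addr` falls inside any prefix, i.e. a Phase 2 entry built from
    this list would still grab traffic to it."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)

def matches_stdlib(supernet, excluded):
    """Cross-check against ipaddress.address_exclude, which computes the same set."""
    ours = sorted(exclude_subnet(supernet, excluded))
    ref = sorted(ip_network(supernet).address_exclude(ip_network(excluded)))
    return ours == ref
```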
          • cmb

            @ggzengel:

            That means I have 16 times more routing rules for replacing 10.0.0.0/8 if I have 10.0.1.0/24 as the local network?

            Not necessarily, but if that causes local traffic to match the SPD, yes. That's how IPsec on the vast majority of commercial firewalls functions too. There are no other options in the underlying software at this time.

            • ggzengel

              That means OpenVPN is the better solution, because it uses the global routing table and longest prefix match.

              • cmb

                Yep, OpenVPN is definitely a better solution in such cases. Or IPsec transport mode + GRE or gif.

                • dhatz

                  @ggzengel:

                  I have a lot of these constructs at my customers.
                  With bintec routers I did not have such problems, because they use virtual interfaces on IPsec and use the global routing table.

                  FreeBSD doesn't support interface-based IPsec as some router vendors (e.g. Cisco, Juniper) do, only flow-based. And Linux only added this feature a few months ago.

                  Edit: Check this post http://forum.pfsense.org/index.php?topic=50589.0

                  • ggzengel

                    @dhatz:

                    FreeBSD doesn't support interface-based IPsec as some router vendors (e.g. Cisco, Juniper) do, only flow-based. And Linux only added this feature a few months ago.

                    Are there some other solutions?

                    1. SAs sorted by prefix length before making a routing decision, so I can have a tunnel to 10.0.0.0/8 and to 10.0.1.0/24.
                    2. A table with subnets which won't go to IPsec.

                    • dhatz

                      @ggzengel:

                      @dhatz:

                      FreeBSD doesn't support interface-based IPsec as some router vendors (e.g. Cisco, Juniper) do, only flow-based. And Linux only added this feature a few months ago.

                      Are there some other solutions?

                      As cmb noted above, you can use "IPsec transport mode + GRE or gif"

                      Do you have a hub-and-spoke topology?

                      • ggzengel

                        We have a very difficult topology.

                        We have 3 routers in different places, each of which has a VPN to our customers.

                        Our customers have more or less branch offices, home offices, external service partners and local partner networks.
                        Not every router knows the whole topology, and it will route unknown subnets in the direction of the hub router.
                        It's like routing in a tree. If we have to optimize it, we will make short paths.

                        In this situation there should be something like a big transfer network, and every router should use OSPF.
                        If a road warrior is added he will get an IP from this transfer network and get all routing information automatically.
                        At least this must be possible with multi-WAN at different bandwidths, QoS, load balancing and fallback.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.