Routing rules IPv4?



  • Normally routing decisions are made on the bit length of the network mask.
    But how does it work in combination with IPsec?

    I have 2 local networks (em1+em2): 172.16.1.0/24 and 192.168.1.0/24.
    I have an IPsec peer with 2 IPsec tunnels, from 172.16.1.0/24 to 192.168.0.0/16 and from 192.168.1.0/24 to 192.168.0.0/16.

    From 172.16.1.1 I can't reach 192.168.1.1. The packets go to the IPsec tunnel.
    192.168.1.1 is reachable from outside over IPsec.

    If I want to reach 192.168.1.1 it's not enough to disable the IPsec tunnel, I have to delete the tunnel.

    I have a 2nd peer with an IPsec tunnel from 172.16.1.0/24 to 192.168.10.0/24.
    If I ping 192.168.10.1 the packets go to the 192.168.0.0/16 tunnel.


  • Rebel Alliance Developer Netgate

    IPsec will grab whatever packets match the SPD (Phase 2) entries.

    There isn't a way in the GUI to set up any kind of bypass.

    If you don't want those to conflict, you'll need to narrow that subnet on the Phase 2 from /16 to something smaller.

    Deleting that /16 tunnel and adding it back at the bottom may allow the 192.168.10.x tunnel to work, but only by luck.

    It's best to keep all of the networks from overlapping at all.

    Also you can remove active SPD entries from Status > IPsec on the SPD tab. Sometimes when disabling a tunnel those are left in.



  • That means I have 16 times more routing rules for replacing 10.0.0.0/8 if I have 10.0.1.0/24 as local network?
    10.128.0.0/9
    10.64.0.0/10
    10.32.0.0/11
    10.16.0.0/12
    10.8.0.0/13
    10.4.0.0/14
    10.2.0.0/15
    10.1.0.0/16
    10.0.128.0/17
    10.0.64.0/18
    10.0.32.0/19
    10.0.16.0/20
    10.0.8.0/21
    10.0.4.0/22
    10.0.2.0/23
    10.0.0.0/24

    I have a lot of these constructs at my customers.
    With bintec routers I had no such problems because they use virtual interfaces for IPsec and use the global routing table.

    How complicated will the hub router be if you have 20 branch offices? What do you want to do if you add one more branch office?

    Is it possible to implement longest prefix match?
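    The two lookup behaviours this thread contrasts (first-match SPD selectors versus a routing table's longest prefix match), together with the /8 carve-out listed above, as an added Python example that is not from the thread or from pfSense; the tunnel and interface names are assumptions, and the "sorted by prefix length" variant models the idea raised later in the thread:

```python
import ipaddress

# Constructed from the networks in this thread; tunnel/interface names are assumptions.
SPD = [                                    # Phase 2 entries in installed order
    ("172.16.1.0/24", "192.168.0.0/16", "peer1-/16"),
    ("192.168.1.0/24", "192.168.0.0/16", "peer1-/16"),
    ("172.16.1.0/24", "192.168.10.0/24", "peer2-/24"),
]
ROUTES = [                                 # what a global routing table would hold
    ("172.16.1.0/24", "em1"), ("192.168.1.0/24", "em2"),
    ("192.168.0.0/16", "peer1-/16"), ("192.168.10.0/24", "peer2-/24"),
]

def spd_lookup(src, dst, spd=SPD, longest_first=False):
    """Policy-based IPsec: the first SPD entry whose selectors match wins,
    however specific the later entries are.  longest_first=True models
    'SAs sorted by prefix length before the decision' instead."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    entries = [(ipaddress.ip_network(a), ipaddress.ip_network(b), t) for a, b, t in spd]
    if longest_first:                      # stable sort: most specific destination first
        entries.sort(key=lambda e: e[1].prefixlen, reverse=True)
    for src_net, dst_net, tunnel in entries:
        if s in src_net and d in dst_net:
            return tunnel
    return None                            # no policy matched: packet is routed normally

def lpm_lookup(dst, routes=ROUTES):
    """Routing-table behaviour: the most specific matching prefix wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, nexthop in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nexthop)
    return best[1] if best else None

def carve_out(big, hole):
    """Prefixes covering `big` minus `hole`: the list of Phase 2 entries a
    policy-based setup needs instead of one /8 that would swallow the LAN."""
    big, hole = ipaddress.ip_network(big), ipaddress.ip_network(hole)
    return [str(n) for n in big.address_exclude(hole)]

if __name__ == "__main__":
    print("SPD  172.16.1.1 -> 192.168.1.1 :", spd_lookup("172.16.1.1", "192.168.1.1"))
    print("LPM             -> 192.168.1.1 :", lpm_lookup("192.168.1.1"))
    print("SPD  172.16.1.1 -> 192.168.10.1:", spd_lookup("172.16.1.1", "192.168.10.1"))
    print("SPD sorted      -> 192.168.10.1:", spd_lookup("172.16.1.1", "192.168.10.1", True))
    print("10.0.0.0/8 minus 10.0.1.0/24:", carve_out("10.0.0.0/8", "10.0.1.0/24"))
```

    With the first-match SPD, traffic from 172.16.1.1 to the local 192.168.1.1 and to 192.168.10.1 both land in the /16 tunnel, while the routing table sends them to em2 and the /24 tunnel respectively.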



  • @ggzengel:

    That means I have 16 times more routing rules for replacing 10.0.0.0/8 if I have 10.0.1.0/24 as local network?

    Not necessarily, but if that causes local traffic to match the SPD, yes. That's how IPsec on the vast majority of commercial firewalls functions too. There are no other options in the underlying software at this time.



  • That means OpenVPN is the better solution because it uses the global routing table and longest prefix match.



  • Yep, OpenVPN is definitely a better solution in such cases. Or IPsec transport mode + GRE or gif.



  • @ggzengel:

    I have a lot of these constructs at my customers.
    With bintec routers I had no such problems because they use virtual interfaces for IPsec and use the global routing table.

    FreeBSD doesn't support interface-based IPsec as some router vendors (e.g. Cisco, Juniper) do, only flow-based. And Linux only added this feature a few months ago.

    Edit: Check this post http://forum.pfsense.org/index.php?topic=50589.0



  • @dhatz:

    FreeBSD doesn't support interface-based IPsec as some router vendors (e.g. Cisco, Juniper) do, only flow-based. And Linux only added this feature a few months ago.

    Are there some other solutions?

    1. SAs sorted by prefix length before making a routing decision. So I can have a tunnel to 10.0.0.0/8 and 10.0.1.0/24.
    2. A table with subnets which won't go to IPSec.



  • @ggzengel:

    @dhatz:

    FreeBSD doesn't support interface-based IPsec as some router vendors (e.g. Cisco, Juniper) do, only flow-based. And Linux only added this feature a few months ago.

    Are there some other solutions?

    As cmb noted above, you can use "IPsec transport mode + GRE or gif"

    Do you have a hub-and-spoke topology?



  • We have a very difficult topology.

    We have 3 routers in different places where each has a VPN to our customers.

    Our customers have more or less branch offices, home offices, external service partners and local partner networks.
    Not every router knows the whole topology and will route unknown subnets in direction of the hub router.
    It's like routing in a tree. If we have to optimize it we will make short paths.

    In this situation there should be something like a big transfer network and every router should use OSPF.
    If a roadwarrior is added he will get an IP from this transfer network and get all routing information automatically.
    At least this must be possible with multi-WAN at different bandwidths, QoS, load balancing and fallback.

