Only route certain dst IP address via IPSec



  • Hi There,

    Using 2.0.3 running in vmware and IPSec to a Fortigate unit in our Data Center. We used to have a local Fortigate unit here, but it was getting old and not holding up to the traffic demands.

    My question is: On the old fortigate we used to have the IPsec VPN, then route traffic only certain dst IP address via the VPN. For example: VPN is from our office lan (192.168.1.0) to our DC lan (203.xxx.xxx.x), only traffic to 203.xxx.xxx.10 would be routed via the VPN, all the rest would be via standard WAN link. We did this by adding static routes in the local Fortigate to the IPs we wanted via the VPN.

    Is this possible in pfSense?

    ![Screen Shot 2013-08-02 at 12.15.31 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-02 at 12.15.31 PM.png)
    ![Screen Shot 2013-08-02 at 12.15.35 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-02 at 12.15.35 PM.png)



  • Hi there, no ideas here?  ;)



  • Is it possible?  Of course it is.  Once the tunnel is established, you can route whatever traffic you want over it.



  • @marvosa:

    Is it possible?  Of course it is.  Once the tunnel is established, you can route whatever traffic you want over it.

    Thanks for the reply, but it does not really answer my question. At the moment the whole dst range is routed over the VPN (by default?); what I need to do is to route only specific dst IPs (out of the range) over the VPN. I cannot see a way to do this in pfSense (unless I'm missing something?)



  • greminn,
    You'll have to forgive me, but I beg to differ.  The only question asked from your original post was:

    Is this possible in pfSense?

    Which I did answer :)

    So, for the 2nd question… how do you do it?  Unfortunately, I do not have specifics... maybe the devs or hero members can chime in... but it may involve assigning the tunnel to an interface, giving it a gateway, and configuring host/network routes from there.



  • @marvosa:

    greminn,
    You'll have to forgive me, but I beg to differ.  The only question asked from your original post was:

    Is this possible in pfSense?

    Which I did answer :)

    I admit defeat on this!  ;D

    @marvosa:

    So, for the 2nd question… how do you do it?  Unfortunately, I do not have specifics... maybe the devs or hero members can chime in... but it may involve assigning the tunnel to an interface, giving it a gateway, and configuring host/network routes from there.

    Thanks for this, can any one else confirm an approach here?


  • Well, if you want to route only certain IPs through IPsec, then don't set Phase 2 to the whole subnet, but set up multiple Phase 2 entries for the single IPs you want routed through IPsec.



  • @doktornotor:

    Well, if you want to route only certain IPs through IPsec, then don't set Phase 2 to the whole subnet, but set up multiple Phase 2 entries for the single IPs you want routed through IPsec.

    OK thanks for this! I see.. I gave this a go, but had issues - do I need to change anything at the Fortigate end? Is side one the local end or the remote end?

    Aug 8 08:32:41  racoon: [New Media DC VPN]: [103.2.xxx.xxx] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    Full log…

    http://pastebin.com/D2ziMtXE


  • @greminn:

    OK thanks for this! I see.. I gave this a go, but had issues - do I need to change anything at the Fortigate end? Is side one the local end or the remote end?

    Changes are required to be done on both ends of the tunnel, of course.



  • @doktornotor:

    @greminn:

    OK thanks for this! I see.. I gave this a go, but had issues - do I need to change anything at the Fortigate end? Is side one the local end or the remote end?

    Changes are required to be done on both ends of the tunnel, of course.

    OK so I changed both ends' Phase 2s to only have a single IP address in the remote range… when trying to bring up the VPN I get these errors in the logs:

    Aug 8 08:48:36 racoon: [New Media DC VPN]: INFO: IPsec-SA established: ESP 203.167.xxx.x[500]->103.2.xxx.xxx[500] spi=3405420369(0xcafa9751)
    Aug 8 08:48:36 racoon: [New Media DC VPN]: INFO: IPsec-SA established: ESP 203.167.xxx.x[500]->103.2.xxx.xxx[500] spi=50113689(0x2fcac99)
    Aug 8 08:48:36 racoon: [New Media DC VPN]: INFO: initiate new phase 2 negotiation: 203.167.xxx.x[500]<=>103.2.xxx.xxx[500]
    Aug 8 08:48:24 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:48:24 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:48:24 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:48:18 racoon: ERROR: failed to get sainfo.
    Aug 8 08:48:16 racoon: ERROR: failed to get sainfo.
    Aug 8 08:48:12 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:57 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:35 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:13 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:06 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:58 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:54 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:50 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:50 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:50 racoon: ERROR: no iph2 found: ESP 103.2.xxx.xxx[500]->203.167.xxx.x[500] spi=225044466(0xd69e7f2)
    Aug 8 08:46:50 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:28 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:28 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 182.236.xxx.xx/32[0] proto=any dir=out
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 182.236.127.0/24[0] proto=any dir=out
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 182.236.xxx.xx/32[0] 192.168.1.0/24[0] proto=any dir=in
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 182.236.xxx.x/24[0] 192.168.1.0/24[0] proto=any dir=in
    Aug 8 08:46:28 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:27 racoon: ERROR: no iph2 found: ESP 103.2.xxx.xxx[500]->203.167.xxx.x[500] spi=139426204(0x84f799c)
    Aug 8 08:46:27 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:24 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3405420368.
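The two things the log above points at are a Phase 2 selector that is not mirrored on the far end ("failed to get sainfo" / "failed to pre-process ph2 packet [Check Phase 2 settings, networks]") and overlapping selectors left behind when a /32 entry is added next to the old /24 ("such policy already exists"). The following is an added example, not code from the thread or from pfSense, that checks a pair of Phase 2 tables for exactly those two problems; the addresses are constructed documentation ranges, not the poster's.

```python
import ipaddress
from typing import List, Tuple

# A Phase 2 entry as (local selector, remote selector), both in CIDR notation.
Phase2 = Tuple[str, str]

# Constructed sample tables modelled on the thread: the pfSense side still carries the
# old whole-subnet entry beside the new single-host entry; the Fortigate side has
# only the single-host entry (seen from its own point of view, so local/remote swap).
PFSENSE_P2: List[Phase2] = [
    ("192.168.1.0/24", "203.0.113.10/32"),  # intended: only this DC host via the tunnel
    ("192.168.1.0/24", "203.0.113.0/24"),   # leftover whole-subnet entry
]
FORTIGATE_P2: List[Phase2] = [
    ("203.0.113.10/32", "192.168.1.0/24"),
]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def unmirrored(side_a: List[Phase2], side_b: List[Phase2]) -> List[Phase2]:
    """Entries on side_a with no exact mirror (remote, local) on side_b.

    A selector pair that the peer does not know is the usual reason racoon logs
    'failed to get sainfo': Phase 2 only completes when both ends propose the
    same local/remote networks, just swapped."""
    mirrored = {(_net(remote), _net(local)) for local, remote in side_b}
    return [(l, r) for l, r in side_a if (_net(l), _net(r)) not in mirrored]


def overlapping(entries: List[Phase2]) -> List[Tuple[Phase2, Phase2]]:
    """Pairs of entries on one side whose local AND remote selectors overlap.

    Overlaps (a /32 inside a /24, as in the 'such policy already exists' lines)
    leave it ambiguous which SA a packet should use; remove the broader entry
    if only the specific hosts are meant to cross the tunnel."""
    found = []
    for i, (l1, r1) in enumerate(entries):
        for l2, r2 in entries[i + 1:]:
            if _net(l1).overlaps(_net(l2)) and _net(r1).overlaps(_net(r2)):
                found.append(((l1, r1), (l2, r2)))
    return found


def tunnelled(entries: List[Phase2], src: str, dst: str) -> bool:
    """True if a packet src->dst matches some Phase 2 entry, i.e. it would be
    sent through the tunnel rather than the default WAN route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _net(l) and d in _net(r) for l, r in entries)
```

Running `unmirrored(PFSENSE_P2, FORTIGATE_P2)` flags the stale /24 entry and `overlapping(PFSENSE_P2)` flags the /32-inside-/24 pair; once the /24 is removed on both ends, only traffic to 203.0.113.10 matches a selector and everything else follows the WAN default route.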

