PF 2.0.3 routing over IPSEC tunnel

  • Hey guys… I have a successfully established tunnel from a PFsense VM to a remote service that has several live/routable IP addresses for their service.

    At my end I have a server behind the pfsense vm that uses pfsense as a gateway in your everyday traditional firewall/nat situation. There is one other tunnel to another site with a sonicwall, natting as well, which works properly.

    My pfsense Phase1 goes to remote routable IP (fake of course), and PH2 shows:
    Mode Tunnel, local subnet again, but WAN IP of MY pfsense), Remote subnet

    When I try to tracert from a windows box the route goes to the pfsense, then out to my external WAN gateway then out over the internet as if it were going to anywhere else.

    I used the command:
    tcpdump -i em0 -n esp
    to sniff esp packets on my pfsense, and I only see traffic going back and forth from the site to site vpn, nothing going out over the 'service' tunnel.

    This really seems like a routing issue and strangely enough it apparently worked previous to this although I didn't witness it. (this is a new implementation at this location). As I understand it, the pfsense is supposed to have 'hidden' routes for its IPsec tunnels' remote networks, which is the case for the site to site, but not for the 'service'.

    PS, the sonicwall tunnel for this service that DOES work uses the same config; local network is X1 IP aka WAN External IP. The only other 'funny' option is 'Apply Nat Policies' is enabled and 'translated local network' is set to X1, Translated Remote network is set to Original. (see doc:

    Any ideas?

  • here's my tunnel

  • Alright, it appears as if this option is available on the ph2 in 2.1 so I'm updating to rc1 and testing it…

  • Whoooooo

    worked. OK so for posterity's (and Google's) sake, the solution was evident in PFsense 2.1 (RC0+), in the PH2 properties of the IPsec tunnel under local network you can provide the LAN subnet, and the 'nat/binat' address being the external WAN IP.

    My only conclusion is that since the ipsec routes are kernel routes they don't get applied with outbound nat rules (which is what I was trying).
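
A simplified model of the behaviour the last post concludes, added here as an illustration; it is not pfSense code or anything posted in the thread. It assumes IPsec policy matching sees the packet's pre-NAT source address, and all addresses and names (`Phase2`, `route_packet`, the subnets) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (documentation / private ranges).
LAN = "192.168.10.0/24"
WAN_IP = "203.0.113.10"
REMOTE = "198.51.100.0/28"


@dataclass
class Phase2:
    local: str                   # Phase 2 "local network" selector
    remote: str                  # Phase 2 "remote network" selector
    binat: Optional[str] = None  # 2.1 "NAT/BINAT" address (single address here)


def route_packet(src: str, dst: str, p2: Phase2, wan_ip: str = WAN_IP):
    """Return (path, source address seen on the wire) for one outbound packet."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    # Assumption: the policy lookup runs on the original LAN source,
    # before any outbound NAT rule on WAN has rewritten it.
    selected = (d in ipaddress.ip_network(p2.remote)
                and s in ipaddress.ip_network(p2.local))
    if selected:
        # With NAT/BINAT set, the source is translated before encapsulation,
        # so the far end sees the address its own selector expects.
        return ("esp", p2.binat if p2.binat else src)
    # No policy matched: default route, outbound NAT, leaves unencrypted.
    return ("cleartext", wan_ip)


def compare(host: str = "192.168.10.50", service: str = "198.51.100.5"):
    """Run the 2.0.3 attempt and the 2.1 fix for the same LAN host."""
    attempt = Phase2(local=f"{WAN_IP}/32", remote=REMOTE)   # local = WAN IP
    fixed = Phase2(local=LAN, remote=REMOTE, binat=WAN_IP)  # LAN + NAT/BINAT
    return {"2.0.3 attempt": route_packet(host, service, attempt),
            "2.1 NAT/BINAT": route_packet(host, service, fixed)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

In the first case the packet matches no policy and goes out the WAN in the clear, which is what the tracert and the empty ESP capture showed; in the second it is selected by the LAN subnet and arrives at the service sourced from the WAN IP.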
