Policy-based routing of network traffic coming in via IPsec

  • Hi All,

    I am experiencing some issues with my IPsec VPN and policy based routing. Maybe you can help me?

    I am running a road warrior IPsec VPN configuration on pfSense to protect my smartphone traffic when I am connected to a public hotspot. Any traffic coming in from the smartphone should be routed to a second VPN Gateway hosted on my LAN.

    My goal is to route all traffic from the VPN to my second VPN Gateway. Therefore, I have created a Gateway (System > Routing > Gateways) and added a firewall rule for the IPsec interface (Firewall > Rules > IPsec) which specifies my second VPN router as Gateway.

    These are the details:

    Gateway definition:
    Interface: LAN
    Address Family: IPv4
    Name: Second VPN Gateway
    Gateway: <ip address of second vpn gateway>
    Default GW: false
    Disable GW monitoring: true

    Rule definition:
    Action: pass
    Disabled: false
    Interface: IPsec
    TCP/IP Version: IPv4
    Protocol: any
    Source: any
    Destination: not LAN subnet
    Log: true
    Gateway: Second VPN Gateway

    However, when I want to access a system which is not on my LAN the packet is routed via the default gateway and not the gateway specified in the rule (verified using tcpdump on pfsense and my second VPN gateway). This is however contrary to the log event created by pfsense which indicates that the packet was sent to the second VPN Gateway.

    @70 pass in log quick on enc0 route-to (vr0 <ip address of second vpn gateway>) inet from any to ! 192.168.x.0/24 flags S/SA keep state label "USER_RULE: IPv4"

    My pfSense firewall is connected to the internet (vr2) and LAN (vr0).

    Thank you for your help.

    BTW: I am running 2.1-RELEASE (i386) built on Wed Sep 11 18:16:44 EDT 2013
    FreeBSD host.localdomain 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386 on an ALIX board.
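
An added example to go with the post above (not code from the thread, pfSense or pf): a small evaluator that walks a ruleset in the style of the logged rule and applies pf's matching order, so you can see which rule, and which route-to gateway, a given packet is bound to before comparing that with tcpdump. All addresses are constructed stand-ins: 192.168.1.0/24 plays the role of 192.168.x.0/24, 192.168.1.2 on vr0 is the second VPN gateway, 10.0.8.1 is the phone's IPsec virtual address and vr2 is WAN.

```python
"""Walk a pf ruleset the way pf does and report which rule, and which
route-to gateway, a packet would get.

Added illustration for the thread above; it is not pfSense or pf code.
The rule text mirrors the 'pfctl -sr' style of the logged rule in the post,
with constructed addresses: LAN 192.168.1.0/24 stands in for 192.168.x.0/24,
192.168.1.2 on vr0 is the second VPN gateway, 10.0.8.1 is the phone's IPsec
virtual address and vr2 is WAN.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ruleset, in the order pf evaluates it.
RULES_TEXT = """\
@60 pass in quick on enc0 inet from any to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: IPsec to LAN"
@70 pass in log quick on enc0 route-to (vr0 192.168.1.2) inet from any to ! 192.168.1.0/24 flags S/SA keep state label "USER_RULE: IPv4"
@80 pass in quick on vr0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
"""

# Only the fields that decide matching and policy routing are parsed;
# flags, state options and the label are ignored.
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>pass|block)(?: (?P<dir>in|out))?"
    r"(?P<log> log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: route-to \((?P<rt_if>\S+) (?P<rt_gw>\S+)\))?"
    r"(?: inet6?)? from (?P<src_neg>! )?(?P<src>\S+) to (?P<dst_neg>! )?(?P<dst>\S+)"
)


@dataclass
class Rule:
    num: int
    action: str
    direction: Optional[str]
    quick: bool
    log: bool
    iface: str
    route_to: Optional[Tuple[str, str]]  # (egress interface, next hop)
    src: str
    src_neg: bool
    dst: str
    dst_neg: bool


def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rt = (m["rt_if"], m["rt_gw"]) if m["rt_if"] else None
        rules.append(Rule(int(m["num"]), m["action"], m["dir"],
                          bool(m["quick"]), bool(m["log"]), m["iface"], rt,
                          m["src"], bool(m["src_neg"]),
                          m["dst"], bool(m["dst_neg"])))
    return rules


def _addr_matches(spec: str, negated: bool, addr: str) -> bool:
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negated  # '! 192.168.1.0/24' inverts the test


def evaluate(rules, iface: str, direction: str, src: str, dst: str):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation at that rule. Returns the rule or None."""
    winner = None
    for r in rules:
        if r.iface != iface or (r.direction and r.direction != direction):
            continue
        if not (_addr_matches(r.src, r.src_neg, src)
                and _addr_matches(r.dst, r.dst_neg, dst)):
            continue
        winner = r
        if r.quick:
            break
    return winner


def expected_egress(rules, iface, direction, src, dst) -> Optional[str]:
    """Interface the ruleset says a new state's packets should leave on:
    the route-to interface if the winning rule has one, otherwise
    'routing-table' (normal forwarding; in the post that is the default
    route on vr2). None means the packet is not passed."""
    r = evaluate(rules, iface, direction, src, dst)
    if r is None or r.action != "pass":
        return None
    return r.route_to[0] if r.route_to else "routing-table"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for dst in ("93.184.216.34", "192.168.1.5"):
        r = evaluate(rules, "enc0", "in", "10.0.8.1", dst)
        print(f"phone -> {dst}: rule @{r.num}, log={r.log}, route-to={r.route_to}, "
              f"egress={expected_egress(rules, 'enc0', 'in', '10.0.8.1', dst)}")
```

Fed the real `pfctl -sr` output (only pass/block lines in this shape parse; pfSense's anchor, nat and scrub lines would need to be skipped), this gives the answer the ruleset predicts. For the logged packet in the post that answer is rule @70 with egress vr0 towards the second gateway, which is exactly what the log line says; the tcpdump on vr2 shows the kernel doing something else, so the useful comparison is the @70 packet counter in `pfctl -vvsr` against what `tcpdump -ni vr0 host <gateway>` actually sees.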



  • Sorry for pushing :p