Ipsec and gateways
-
I'm setting up ipsec on one of your firewalls. I have ipsec running fine with stable results on other firewalls.
What is special with this setup is that I have 2 gateways on the WAN interface. This is actually only to access the test environment, when in production I will only have 1 gateway.
The problem arises that every time some ipsec configuration is done or ipsec is restarted, pfsense adds a static host route to the default gw for the connection.
I however don't want to use the default gw but the other gateway as stated in my routing table.
Deleting the auto-added static route to the default gateway and replacing it with a host route works sometimes and sometimes not! I.e.:

Normal routing table before ipsec is started (IPs are changed):

default 100.101.102.217 UGS 0 120402057621 ix3
200.201.202.176/29 100.101.102.220 UGS 0 165912 ix3
200.201.202.178/32 100.101.102.220 UGS 0 1773 ix3

After starting ipsec, a host route is added automatically to the default gw:

default 100.101.102.217 UGS 0 120402057621 ix3
200.201.202.176/29 100.101.102.220 UGS 0 165912 ix3
200.201.202.178 100.101.102.217 UGHS 0 11 ix3 =>
200.201.202.178/32 100.101.102.220 UGS 0 1773 ix3

After deleting the auto-added route, the tunnel sometimes works and sometimes does not:

default 100.101.102.217 UGS 0 120402057621 ix3
200.201.202.176/29 100.101.102.220 UGS 0 165912 ix3
200.201.202.178/32 100.101.102.220 UGS 0 1773 ix3

cheers / Thor
-
Right so I figured out why it was sometimes working and sometimes not.
When I do configuration changes to ipsec, pfsense removes my static host route and replaces it with its own.
I.e. after I do configuration changes to ipsec I have to:
make a new static route
delete the static route pfsense automatically added.

In case of just restarting ipsec, pfsense does not delete my static route,
i.e. after restarting racoon I just need to purge the route pfsense added during the racoon restart.

OK workaround for my test setup, but it would be preferable if possible to define a gateway e.g. in the phase1 configuration.
Cheers / Thor
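
Added example, not part of the original posts: a small sh check for the situation described above, where a host route (H flag) to the tunnel peer points at a different gateway than the static /32 route for the same address. The function names and the embedded sample table (constructed from the routing table in the first post) are assumptions; on the firewall the input would come from `netstat -rn`.

```shell
#!/bin/sh
# Added example: report host routes that shadow a static /32 route
# by pointing at a different gateway. Function names are hypothetical.

find_conflicting_host_routes() {
    # stdin:  routing table lines "Destination Gateway Flags ..."
    # stdout: "<destination> <host-route gateway> <static /32 gateway>"
    awk '
        NF >= 3 && $1 ~ /\/32$/ {            # static /32 route: the wanted gateway
            d = $1; sub(/\/32$/, "", d); want[d] = $2; next
        }
        NF >= 3 && $1 !~ /\// && $3 ~ /H/ {  # host route, e.g. the auto-added one
            host[$1] = $2
        }
        END {
            for (d in host)
                if (d in want && host[d] != want[d])
                    print d, host[d], want[d]
        }
    ' | sort
}

sample_table() {
    # Constructed sample: the table shown in the post after ipsec is started.
    cat <<'EOF'
default 100.101.102.217 UGS 0 120402057621 ix3
200.201.202.176/29 100.101.102.220 UGS 0 165912 ix3
200.201.202.178 100.101.102.217 UGHS 0 11 ix3 =>
200.201.202.178/32 100.101.102.220 UGS 0 1773 ix3
EOF
}

check_routes() {
    # Returns 1 and prints one line per conflict, 0 when the table is clean.
    conflicts=$(find_conflicting_host_routes)
    if [ -n "$conflicts" ]; then
        echo "$conflicts" | while read -r dest bad good; do
            echo "host route to $dest uses $bad, static route says $good"
        done
        return 1
    fi
    return 0
}

# Run against the constructed sample; on a live system pipe in `netstat -rn`.
sample_table | check_routes || true
```

Running the check after every ipsec configuration change or racoon restart shows whether the peer's traffic has been moved back to the default gateway.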