    2.2.1 and Supernetting, or alternatively All Traffic Through IPSEC Tunnel woes

    IPsec · 3 Posts 2 Posters 1.2k Views
    neik

      I have a main office and several remote offices. A subset is below:

      Main 172.21.0.0/18
      R1    172.21.71.0/24
      R2    172.21.72.0/24

      I would like to have a single IPSEC tunnel between the main office and each remote office, using a “supernet” IP address, like this:

      Main 172.21.0.0/12 --- 172.21.71.0/24 R1

      Main 172.21.0.0/12 --- 172.21.72.0/24 R2

      This would enable communication between all sites without needing lots of P2 entries.

      When I did this in the past I thought that I saw SPD entries to deal with LAN traffic. What I mean by this is that extra SPD entries are created to ensure that traffic from the firewall for machines on the LAN is sent out of the LAN interface rather than being sent down the tunnel.

      With 2.2.1 I find that this setup no longer works. When I enable IPSEC on one of the remote firewalls I immediately lose contact with it. If I ping the firewall whilst I am running tcpdump on the console I can see that the ping requests are coming in on the LAN interface, but the replies are being sent down the enc0 tunnel.

      Running setkey -DP shows only two entries each with an “ipsec” policy, reflecting the tunnel setup. I would hope to see a couple of extra entries with “none” policies to deal with local traffic.

      Finally, I previously had another system where I sent all traffic from a remote office down the IPSEC tunnel by using a remote network of 0.0.0.0/0.

      I can no longer get this to work either. I have the same problem of local traffic getting eaten by the tunnel.

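Added example (not from the posts above, and not pfSense code): a small Python model of the kernel security policy database that setkey -DP prints, used to show why the firewall's own replies end up on enc0 when the phase 2 remote network overlaps the local LAN, and why the "none" (bypass) entries neik expected fix it. It also covers the 0.0.0.0/0 all-traffic case from the same post. The SPD structure, the most-specific-first ordering and the host addresses are constructed assumptions for illustration.

```python
import ipaddress

# Toy model of the kernel security policy database (SPD) that setkey -DP
# prints. Entries are (direction, src_net, dst_net, policy), searched in
# order with the most specific entry first. Policy "ipsec" sends the packet
# into the tunnel (enc0); "none" lets it bypass IPsec and use normal routing.
# Constructed example; it is not pfSense code and simplifies the real SPD.

def net(cidr):
    # strict=False so a supernet written as 172.21.0.0/12 is accepted
    return ipaddress.ip_network(cidr, strict=False)

def spd_lookup(spd, direction, src, dst):
    """Return the policy applied to a packet src -> dst in the given direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry_dir, src_net, dst_net, policy in spd:
        if entry_dir == direction and s in net(src_net) and d in net(dst_net):
            return policy
    return "none"  # no policy matched: plain routing, never the tunnel

def needs_bypass(local_lan, remote_net):
    """True when the phase 2 remote network overlaps the local LAN, so the
    firewall's own replies to LAN hosts would match the tunnel policy."""
    return net(local_lan).overlaps(net(remote_net))

def build_spd(local_lan, remote_net, bypass_local):
    """SPD for one phase 2 entry local_lan <-> remote_net.
    bypass_local=False reproduces the two-entry SPD described in the thread;
    bypass_local=True adds the 'none' entries for local traffic ahead of them."""
    spd = []
    if bypass_local:
        spd.append(("out", local_lan, local_lan, "none"))
        spd.append(("in", local_lan, local_lan, "none"))
    spd.append(("out", local_lan, remote_net, "ipsec"))
    spd.append(("in", remote_net, local_lan, "ipsec"))
    return spd

def reply_policy(local_lan, remote_net, bypass_local, fw_ip, lan_host):
    """Policy hit by the firewall's ping reply fw_ip -> lan_host."""
    spd = build_spd(local_lan, remote_net, bypass_local)
    return spd_lookup(spd, "out", fw_ip, lan_host)

if __name__ == "__main__":
    cases = [
        # (label, local LAN, phase 2 remote network, firewall IP, LAN host)
        ("R1 supernet", "172.21.71.0/24", "172.21.0.0/12", "172.21.71.1", "172.21.71.50"),
        ("R1 all-traffic", "172.21.71.0/24", "0.0.0.0/0", "172.21.71.1", "172.21.71.50"),
        ("Main office", "172.21.0.0/18", "172.21.71.0/24", "172.21.0.1", "172.21.0.50"),
    ]
    for label, lan, remote, fw, host in cases:
        print(f"{label:15} overlap={needs_bypass(lan, remote)!s:5} "
              f"reply without bypass={reply_policy(lan, remote, False, fw, host):5} "
              f"with bypass={reply_policy(lan, remote, True, fw, host)}")
```

The useful check is needs_bypass: whenever the remote network of a phase 2 entry contains the local LAN (a supernet or 0.0.0.0/0), the firewall's own LAN traffic matches the tunnel policy unless more specific bypass entries are present, which is exactly what the missing "none" policies in the setkey -DP output above indicate. The main office in the example is unaffected because 172.21.71.0/24 does not overlap 172.21.0.0/18.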
      neik

        This is a bug:

        https://redmine.pfsense.org/issues/4504

        I did look for such a bug, but could not find it.

        IPSEC seems pretty messed up in 2.2. Any idea when 2.2.2 will arrive?

        cmb

          That's been brought back for 2.2.2. Snapshots are available @ https://snapshots.pfsense.org. That'll be released soon, but is fine to try now if you need this right away.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.