2.2.1 and Supernetting, or alternatively All Traffic Through IPSEC Tunnel woes



  • I have a main office and several remote offices. A subset is below:

    Main 172.21.0.0/18
    R1    172.21.71.0/24
    R2    172.21.72.0/24

    I would like to have a single IPSEC tunnel between the main office and each remote office, using a “supernet” IP address, like this:

    Main 172.21.0.0/12 –- 172.21.71.0/24 R1

    Main 172.21.0.0/12 --- 172.21.72.0/24 R2

    This would enable communication between all sites without needing lots of P2 entries.

    When I did this in the past I thought that I saw SPD entries to deal with LAN traffic. What I mean by this is that extra SPD entries are created to ensure that traffic from the firewall for machines on the LAN is sent out of the LAN interface rather than being sent down the tunnel.

    With 2.2.1 I find that this setup no longer works. When I enable IPSEC on one of the remote firewalls I immediately lose contact with it. If I ping the firewall whilst I am running tcpdump on the console I can see that the ping requests are coming in on the LAN interface, but the replies are being sent down the enc0 tunnel.

    Running setkey -DP shows only two entries each with an “ipsec” policy, reflecting the tunnel setup. I would hope to see a couple of extra entries with “none” policies to deal with local traffic.

    Finally I previously had another system where I send all traffic from a remote office down the IPSEC tunnel by using a remote network of 0.0.0.0/0

    I can no longer get this to work either. I have the same problem of local traffic getting eaten by the tunnel.



  • This is a bug:

    https://redmine.pfsense.org/issues/4504

    I did look for such a bug, but could not find it.

    IPSEC seems pretty messed up in 2.2. Any idea when 2.2.2 will arrive?



  • That's been brought back for 2.2.2. Snapshots are available @ https://snapshots.pfsense.org. That'll be release soon, but is fine to try now if you need this right away.


Log in to reply