• Hello all,

    I'm struggling to get IPSEC to work over OPT1/WAN2.  I've got all of my subnets configured to use the default GW (*) from the LAN Net and this works when the tunnel interface is set to WAN, but if I change the interface in the IPSEC policy, it won't work.  I get the SPD but no SAD associations.

    My WAN interfaces are both set to static as I have small routers sitting in front of them. (Handling the PPPoE on WAN and DHCP on OPT1/WAN2 then providing static networks behind and connecting via DMZ to the pfSense 1.2Release)

    Assuming my firewall rules are good ( *  LAN net  *  204.xxx.xxx.xxx/24  *  * … etc) should I have to do anything beyond toggle IPSEC off then change the IPSEC associated interface? (under the IPSEC edit tunnel screen)

    Mesa confused!

    -- Phob

  • Hello,

    I actually did search before asking the question - I didn't really follow the solution as according to my IPSEC log the connection (tunnel) isn't coming up.  I didn't really think it was a routing issue for my outbound packets.

    Maybe I misunderstood?  If so, could you clarify?


    -- Phob

  • Ahh - I think I found what you were trying to lead me to, though it might have been quicker to just tell me that I need to have a static route to the remote IPSEC gateway using WAN2's gateway…

    Anyway, thanks for the carrot - I was only searching within the IPSEC forum, and not the whole site so I missed the post in the other forum with this info.

    Again (in case somebody else searches for this (in this forum)) - in order to get IPSEC to work over OPT1 / WAN2 you need to create a new static route to the remote site's gateway address (the remote IPSEC tunnel end-point) using the gateway for your local OPT1 / WAN2.

    -- Phob

  • Do you apply the static route to your WAN interface or WAN2 interface?

    So it would be like this

    Interface   Network                      Gateway
    WAN2        Remote End IPSEC WAN IP/32   WAN2 Gateway IP


    Interface   Network                      Gateway
    WAN         Remote End IPSEC WAN IP/32   WAN2 Gateway IP

  • This was completely wrong… (deleted)

  • Actually, my IpSec tunnels on WAN2 are working with a route like this:

    Interface   Network                      Gateway
    WAN2        Remote End IPSEC WAN IP/32   WAN2 Gateway IP

    The LAN one doesn't make sense to me, as the problem is the box trying to establish the tunnel from the WAN, not OPT1/WAN2. The remote LAN should not be a factor until after the tunnel is established.

  • Yeah - but that doesn't help you to route packets over your IPSEC tunnel via the WAN2 interface from LAN.  That is what this static route is for.

    -- Phob

  • Don't use gateways for IPSEC-Traffic. This will redirect the traffic directly to the upstream gateway and won't send it into the tunnel. Use gateway default for these rules.

  • This was the only way I could get anything to work over my IPSEC tunnel on WAN2 - is there another way?

  • … or is the route needed for WAN2 and not LAN?  I'm not at the location with this setup right now - I will be later tonight and I'll take a look.

    -- Phob

  • Sorry, but that doesn't make any sense. That definitely won't work this way. It's simply wrong.

    You need the static route at the WAN2 interface for the remote endpoint/32 through the WAN2 gateway. Besides that, all firewall rules have to use the default gateway so traffic can make it into the tunnel.

  • @hoba: Something that always confused me a bit about the static routes:

    Is the "Interface" (first thingy in the static route)
    the interface on which traffic goes out,
    or the interface to which the route applies on incoming traffic?

  • It's the interface that the gateway for the remote subnet is located behind.

  • Right - OK.  So the static route is :

    WAN2  (Remote IPSEC Gateway/Public IP)  WAN2 GW


    I was just confused as I'm working in a different location without this setup right now and I got turned around in my brain. :)

    -- Phob

  • Correct, besides that it is: WAN2, <remote IPSEC endpoint IP>/32, <WAN2 gateway IP>

  • LOL - OK, total brainfart as that is how it is set up at my other location.  Oops … like I said at the beginning, mesa confused! :)

    Thanks as usual guys.

    -- Phob
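A small model of what the thread settles on, added here as an example (it is not from the thread and not pfSense code): a /32 host route to the remote IPsec endpoint via the WAN2 gateway wins longest-prefix match over the default route, so IKE/ESP to the peer leaves on WAN2 while everything else still uses WAN; and, per hoba's point, a LAN firewall rule with an explicit gateway policy-routes the packet before the IPsec SPD is consulted, so it never enters the tunnel. All addresses are constructed (RFC 5737 documentation ranges) and the ordering of policy routing before the SPD lookup is modelled as the thread describes it, not taken from pfSense source.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation ranges), not from the thread.
WAN_GW = "192.0.2.1"              # gateway of the primary WAN
WAN2_GW = "198.51.100.1"          # gateway of OPT1/WAN2
REMOTE_ENDPOINT = "203.0.113.10"  # remote IPsec peer (tunnel endpoint)
LOCAL_LAN = "192.168.1.0/24"
REMOTE_LAN = "10.20.0.0/16"

# Phase-2 security policy: local LAN <-> remote LAN is protected by the tunnel.
SPD = [(LOCAL_LAN, REMOTE_LAN)]


def make_routes(with_static_route):
    """Routing table as (network, gateway, interface). The default route points
    at WAN; the optional /32 host route is the one the thread converges on:
    WAN2, <remote IPsec endpoint>/32, <WAN2 gateway>."""
    routes = [("0.0.0.0/0", WAN_GW, "WAN")]
    if with_static_route:
        routes.append((REMOTE_ENDPOINT + "/32", WAN2_GW, "WAN2"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching network wins, which is
    why a /32 host route overrides the default route for exactly one address."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1], best[2]


def tunnel_egress(routes):
    """Gateway and interface that IKE/ESP to the remote peer leaves on."""
    return lookup(routes, REMOTE_ENDPOINT)


def lan_packet_path(routes, src, dst, rule_gateway=None):
    """Model (as described in the thread) of how a LAN-originated packet is
    handled: a firewall rule with an explicit gateway policy-routes it before
    the IPsec SPD is consulted, so it bypasses the tunnel; with the default
    gateway an SPD match applies and the resulting ESP is routed to the peer."""
    if rule_gateway is not None:
        return ("policy-routed", rule_gateway)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in SPD:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            _, iface = tunnel_egress(routes)
            return ("ipsec", iface)
    _, iface = lookup(routes, dst)
    return ("plain", iface)


if __name__ == "__main__":
    for static in (False, True):
        routes = make_routes(static)
        print(f"static /32 route present: {static}")
        print("  IKE/ESP to peer leaves via", tunnel_egress(routes))
        print("  LAN -> remote LAN, default gateway rule:",
              lan_packet_path(routes, "192.168.1.5", "10.20.3.4"))
        print("  LAN -> remote LAN, rule gateway WAN2:",
              lan_packet_path(routes, "192.168.1.5", "10.20.3.4", rule_gateway=WAN2_GW))
```

Without the host route, the peer is reached through the default route on WAN, which matches the original symptom (an SPD entry but no SA, because negotiation never went out the interface the tunnel was bound to); with it, only the one peer address moves to WAN2.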
