Strange routing issue with ipsec tunnels



  • I apologize in advance for the long post and if the post is under the incorrect topic.

    I am having a routing issue where I can ping any host on the other side of an IPSEC tunnel from the Pfsense 2.2.2 box only if I choose the source address as the connection that uses the IPSEC connection, but not if I leave the source address as default. I have a complex setup with rules not allowing other interfaces access, to prevent cross talk between the subnets on the local box.
    I decided to try creating a loopback gateway so I could add a static route to access the remote network by using the interface that uses the IPSEC tunnel. This allows the default connection to access the remote network, but it causes the Linux machines, which were working before the static route was added, to no longer be able to access the remote network. The Windows machines can still access the remote network.

    Is there a better way to get a pfsense box to talk to a remote network for bandwidth tracking through itself?

    192.168.1.0/24 (Pfsense Network 1) --- internet
    10.10.10.1/21 (Pfsense Network 2) --- internet
    172.16.20.1/24 (Pfsense Network 3) --- internet
    192.168.170.1/24 (Pfsense Network 4) - (IPSEC Tunnel) --- internet --- (IPSEC Tunnel) - 192.168.176.1/21 (remote Network)

    Thanks in advance and any advice is much appreciated.



  • I have figured out a workaround for my issue.
    It would appear that this is a common issue with Pfsense, and if you follow the steps laid out here you will have half the solution.
    https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    The second part of the solution is that you have to set up a virtual IP address that corresponds to your network connection with a separate IP address, and then assign that IP address to your NIX machines.
    So 192.168.1.1 would have a virtual IP address of 192.168.1.2, or whatever IP address you choose to use, assigned as the default gateway. The Windows machines do not have this issue and can continue to use the internal IP address.

