Netgate Discussion Forum

    Route a WAN IP over the tunnel

    IPsec
    5 Posts 2 Posters 1.2k Views
      mphilippi

      Hi guys!

      Is there a way to route a specific IP over the tunnel, so that the other end can access this IP via the WAN connection of the local box?
      E.g. connecting to 8.8.8.8 via the IP of the remote tunnel WAN.

      I tried to add another phase 2 but this does not seem to work.

      Do you have an idea?

        jimp (Rebel Alliance Developer, Netgate)

        It should be fairly simple, much like you said: adding a Phase 2 to both sides should be the heavy-lifting part. Beyond that, you need firewall rules on the IPsec interface, and depending on the outbound NAT settings on the firewall where the traffic will exit, it may need some adjustment to its rules.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          mphilippi

          Hi jimp!

          The IPsec firewall tab is set to allow everything through the tunnel (a rule with a lot of wildcards).
          The outbound NAT is set to automatic, IPsec included.

          Still, it does not work.

          On the overview page, it shows a red arrow pointing downwards where the second tunnel is. It looks like the tunnel is not up, but when looking at the logs, I don't see anything related to the second tunnel.

            jimp (Rebel Alliance Developer, Netgate)

            If the Phase 2 is down that means that either it can't negotiate (mismatch settings, perhaps) which would show in the IPsec log, or that no traffic attempted to use the tunnel for that.

            On the side where the traffic originates, make sure the traffic isn't hitting a firewall rule on the LAN or other internal interface which has a gateway set.

              mphilippi

              After disabling and enabling the phase 2 on one end, the tunnel came up.
              It was not possible to ping through the tunnel but it looks like the routing works.

              I then checked the IPsec firewall rules but they were OK (IPv4 * * * * * * none). I also added such rules on the LAN interface on both ends.
              Still, the IP is not pingable.

              EDIT:
              After adding an outbound NAT rule and switching to hybrid mode, I can finally reach through the tunnel.
              Adding a third phase 2 shows the red arrow again on this phase 2. Re-enabling it does not help, even after a few times.
              The IPsec log shows the phase 2 as if it were connected:

              charon: 10[CFG] received stroke: add connection 'con1002'
              Jul 7 22:29:48 	charon: 10[CFG] added child to existing configuration 'con1000'
              Jul 7 22:29:48 	charon: 07[CFG] received stroke: route 'con1002'
              Jul 7 22:29:48 	ipsec_starter[35735]: 'con1002' routed
              

              But the red arrow on the status page stays and the tunnel is not connected in fact.
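              The setup the thread converges on, written out as an added example (not from the forum posts and not pfSense's own generated files): a mirrored /32 Phase 2 on both ends, a pass rule on the IPsec interface, and the outbound NAT on the egress WAN that the last post found necessary. The addresses 198.51.100.20 and 203.0.113.10, the subnets 192.168.1.0/24 and 192.168.2.0/24, and the interface name em0 are assumptions; only 8.8.8.8 and the connection names con1000/con1002 come from the thread.

```conf
# ---- Site B (where the traffic originates), ipsec.conf, stroke-style ----
conn con1000
    keyexchange=ikev2
    authby=secret
    left=198.51.100.20            # Site B WAN (assumed, TEST-NET-2)
    right=203.0.113.10            # Site A WAN (assumed, TEST-NET-3)
    leftsubnet=192.168.1.0/24     # Site B LAN (assumed)
    rightsubnet=192.168.2.0/24    # Site A LAN (assumed)
    auto=route                    # trap policy: the SA comes up on the first matching packet

# Extra Phase 2: traffic from Site B's LAN to the single host goes into the tunnel.
# The LAN rule that lets this traffic out must NOT have a gateway set, or
# policy routing sends it to the WAN before the trap policy ever sees it.
conn con1002
    also=con1000
    leftsubnet=192.168.1.0/24
    rightsubnet=8.8.8.8/32        # a /32 selector, not the remote LAN

# ---- Site A (whose WAN should be the egress), ipsec.conf ----
conn con1002
    also=con1000                  # Site A's own con1000 has left/right swapped
    leftsubnet=8.8.8.8/32         # must mirror Site B's selectors exactly,
    rightsubnet=192.168.1.0/24    # otherwise this child SA never negotiates

# ---- Site A pf rules (the pf equivalent of the GUI rules) ----
# IPsec tab rule: let the decapsulated traffic in on the IPsec interface
pass in quick on enc0 inet from 192.168.1.0/24 to 8.8.8.8 keep state
# Hybrid outbound NAT: rewrite the RFC1918 source to Site A's WAN address.
# Without this, 8.8.8.8 sees a 192.168.1.x source and its replies never come
# back through Site A, which is why the ping failed before the NAT rule was added.
nat on em0 inet from 192.168.1.0/24 to 8.8.8.8 -> (em0)   # em0 = Site A WAN (assumed)
```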

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.