Mobile VPN does not add udp/esp rules if using IP Alias as responder

ltctech

If you configure a different responder IP address for Mobile VPN (IKEv2), pfSense is not able to add the necessary rules into the firewall to enable udp/esp to enter.

The following comment appears next to the VPN rules in rule.debug:

Could not locate interface for IPsec: Mobile VPN

I have to add them in manually and it works fine, but it's somewhat annoying. Is this a known issue?

cmb

That an IP alias on localhost? In that circumstance, it can't determine the source of the traffic, so omits the rules.

ltctech

Not sure what you mean by IP alias of localhost. It's a Virtual IP Address/IP Alias configured on the WAN interface. It is then chosen in the interface entry of Phase 1, instead of the WAN interface.

The reason I do this is to avoid exposing the Mobile VPN on the router's primary IP address.