Add pfsense ipsec route gateway



  • Hi guys,

    I have created IPsec tunnel to AWS VPC which connects successfully.

    Now I'm trying to add a static route to 10.100.1.0/24 private VPC subnet.

    When I do this with the LAN interface's IP address of my local router as a gateway (10.13.37.1) I can connect to a VPC host from the router itself but not from another host on the network.

    Wondering how I can propagate this route to other hosts on the network or if I mixed up my networks.



  • Routes don't determine whether or not traffic traverses IPsec. They will influence source IP selection for traffic initiated from the firewall itself, which is what happened for the described circumstance. For other hosts, nothing to do with propagating routes, traffic just has to match the local and remote in a P2. Though that's assuming those LAN hosts are pointing to the box with the IPsec as their default gateway. Not enough there to offer any suggestions on the cause, just not routing related in that way it doesn't appear (unless the hosts really do need a route to get the traffic to the right box, in which case you need to configure their routing tables accordingly).
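An added illustration of the point above, not code from the thread or from pfSense: a small Python model of how a policy-based IPsec box decides whether a packet enters the tunnel. A LAN host's packet already carries the host's own source address, so only the Phase 2 selector matters; for traffic the firewall originates, the route lookup picks the egress interface and therefore the source address, which then either matches the P2 local subnet or not. Addresses reuse the thread's subnets; the WAN address, host addresses and routing tables are constructed for the example.

```python
import ipaddress

# Constructed values mirroring the thread (not from any real configuration).
LAN_IF_IP = "10.13.37.1"
WAN_IF_IP = "203.0.113.10"          # assumed WAN address, documentation range

# Phase 2 entries as (local subnet, remote subnet) pairs.
PHASE2_SELECTORS = [
    (ipaddress.ip_network("10.13.37.0/24"), ipaddress.ip_network("10.100.1.0/24")),
]

# Routing tables: list of (prefix, IP of the egress interface).
DEFAULT_ONLY = [("0.0.0.0/0", WAN_IF_IP)]
WITH_STATIC_ROUTE = DEFAULT_ONLY + [("10.100.1.0/24", LAN_IF_IP)]


def lookup_route(routes, dst):
    """Longest-prefix match; returns the egress interface IP or None."""
    dst_ip = ipaddress.ip_address(dst)
    best_prefix, best_if = None, None
    for prefix, if_ip in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_prefix is None or net.prefixlen > best_prefix.prefixlen):
            best_prefix, best_if = net, if_ip
    return best_if


def matches_phase2(src, dst, selectors=PHASE2_SELECTORS):
    """True when the (src, dst) pair falls inside some P2 local/remote pair."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in local and dst_ip in remote for local, remote in selectors)


def firewall_originated_enters_tunnel(routes, dst):
    """Traffic initiated on the firewall itself: the route decides the source
    address (the egress interface's IP), and that source must match a P2."""
    src = lookup_route(routes, dst)
    return src is not None and matches_phase2(src, dst)


def lan_host_enters_tunnel(host_ip, dst):
    """Traffic from a LAN host that uses the firewall as default gateway: the
    packet keeps the host's source address, so only the selector check applies."""
    return matches_phase2(host_ip, dst)


if __name__ == "__main__":
    dst = "10.100.1.10"
    print("LAN host 10.13.37.50 ->", dst, lan_host_enters_tunnel("10.13.37.50", dst))
    print("firewall, default route only ->", dst,
          firewall_originated_enters_tunnel(DEFAULT_ONLY, dst))
    print("firewall, static route via LAN IP ->", dst,
          firewall_originated_enters_tunnel(WITH_STATIC_ROUTE, dst))
```

With only the default route the firewall sources its own packets from the WAN address, which is outside the P2 local subnet, so nothing enters the tunnel; adding the 10.100.1.0/24 route via the LAN interface makes it source from 10.13.37.1 and the selector matches. A LAN host sourced from 10.13.37.0/24 matches regardless of any static route on the firewall, which is why the model says nothing about the LAN-host failure in the thread: that has to be diagnosed with the traceroute and byte-counter checks rather than with routes.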



  • The LAN hosts do have the router as their default gateway. And I have one P2 configured with the remote network's subnet 10.100.1.0/24. Do I need to add a second P2?



  • What's the local subnet on the P2? Match your LAN subnet? In that case, the traffic sourced from the LAN subnet destined to the remote 10.100.1.0/24 will traverse the tunnel.

    Does traceroute show it going elsewhere, or does it just die after the first hop? If it dies after the first hop, does the out byte counter increment under Status > IPsec?



  • The local subnet does match the LAN subnet and is 10.13.37.0/24. Remote subnet is 10.100.1.0/24. These seem to be correct.

    The Bytes-Out counter does increment when testing ssh from the router itself. However, I get no reply and no bytes out from other hosts on the network.

    I did try adding a static route to 10.100.1.0/24 with gateway being IP address of the router. Again, this gives connectivity from the router itself but not from other hosts. Without this static route there is no connectivity from the router also.

    Could it be something to do with NAT?

    Thanks for your help.



  • I have just added the IP range of my local network to the VPN Connections > Static Routes tab in the AWS VPC console and am now able to access AWS private subnet hosts from local hosts, but not from the router itself.

