Netgate Discussion Forum

    Add pfsense ipsec route gateway

    6 Posts 2 Posters 5.4k Views
eskp:

      Hi guys,

I have created an IPsec tunnel to an AWS VPC, which connects successfully.

      Now I'm trying to add a static route to 10.100.1.0/24 private VPC subnet.

      When I do this with the LAN interface's IP address of my local router as a gateway (10.13.37.1) I can connect to a VPC host from the router itself but not from another host on the network.

      Wondering how I can propagate this route to other hosts on the network or if I mixed up my networks.

cmb:

Routes don't determine whether or not traffic traverses IPsec. They will influence source IP selection for traffic initiated from the firewall itself, which is what happened in the described circumstance. For other hosts, it has nothing to do with propagating routes; traffic just has to match the local and remote in a P2. Though that's assuming those LAN hosts are pointing to the box with the IPsec as their default gateway. Not enough there to offer any suggestions on the cause; it just doesn't appear to be routing related in that way (unless the hosts really do need a route to get the traffic to the right box, in which case you need to configure their routing tables accordingly).

eskp:
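The distinction in the reply above, as an added example that is not from the thread or from pfSense itself: a policy-based IPsec tunnel matches a packet against the Phase 2 local/remote selectors, while the routing table only decides which source address the firewall uses for traffic it originates. The networks are the ones from the thread; the WAN address 203.0.113.10 and the route table are constructed assumptions.

```python
# Added example (not from the thread): models why a LAN host's traffic enters
# the tunnel on selector match alone, while firewall-originated traffic needs a
# source address that falls inside the P2 local selector.
import ipaddress as ip

# Phase 2 entries as (local network, remote network), taken from the thread.
P2 = [(ip.ip_network("10.13.37.0/24"), ip.ip_network("10.100.1.0/24"))]

# Assumed firewall routing table: destination -> interface address that becomes
# the source of firewall-originated traffic. 203.0.113.10 is a constructed WAN IP.
ROUTES = {
    ip.ip_network("0.0.0.0/0"): ip.ip_address("203.0.113.10"),   # default via WAN
    ip.ip_network("10.13.37.0/24"): ip.ip_address("10.13.37.1"),  # LAN, connected
}

def add_route(routes, dst_net, src_addr):
    """Return a copy of the routing table with one extra static route."""
    return {**routes, ip.ip_network(dst_net): ip.ip_address(src_addr)}

def source_for(dst, routes=ROUTES):
    """Longest-prefix match; the winning route's interface address is the source."""
    dst = ip.ip_address(dst)
    best = max((n for n in routes if dst in n), key=lambda n: n.prefixlen)
    return routes[best]

def matches_p2(src, dst, p2=P2):
    """True if (src, dst) falls inside some P2 local/remote selector pair."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(src in loc and dst in rem for loc, rem in p2)

def lan_host_tunneled(src, dst):
    """LAN host using the firewall as default gateway: only the selectors matter."""
    return matches_p2(src, dst)

def firewall_tunneled(dst, routes=ROUTES):
    """Firewall-originated traffic: the route picks the source, then selectors apply."""
    return matches_p2(source_for(dst, routes), dst)

if __name__ == "__main__":
    # LAN host -> VPC host matches the P2 with no static route at all.
    print(lan_host_tunneled("10.13.37.50", "10.100.1.20"))   # True
    # Firewall itself with only the default route: WAN source, no P2 match.
    print(firewall_tunneled("10.100.1.20"))                    # False
    # With the thread's static route (10.100.1.0/24 via the LAN address),
    # the source becomes 10.13.37.1 and the P2 local selector now matches.
    with_route = add_route(ROUTES, "10.100.1.0/24", "10.13.37.1")
    print(firewall_tunneled("10.100.1.20", with_route))        # True
```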

          The LAN hosts do have the router as their default gateway. And I have one P2 configured with the remote network's subnet 10.100.1.0/24. Do I need to add a second P2?

cmb:

What's the local subnet on the P2? Does it match your LAN subnet? In that case, the traffic sourced from the LAN subnet destined to the remote 10.100.1.0/24 will traverse the tunnel.

Does traceroute show it going elsewhere, or does it just die after the first hop? If it dies after the first hop, does the out byte counter increment under Status>IPsec?

eskp:

              The local subnet does match the LAN subnet and is 10.13.37.0/24. Remote subnet is 10.100.1.0/24. These seem to be correct.

The Bytes-Out counter does increment when testing ssh from the router itself. However, I get no reply and no bytes out from other hosts on the network.

I did try adding a static route to 10.100.1.0/24 with the gateway being the IP address of the router. Again, this gives connectivity from the router itself but not from other hosts. Without this static route there is no connectivity from the router either.

              Could it be something to do with NAT?

              Thanks for your help.

eskp:

I have just added the IP range of my local network to the VPN Connections > Static Routes tab in the AWS VPC console and am now able to access AWS private subnet hosts from local hosts, but not from the router itself.
