IPSec and NAT
-
I understand that IPSec (unfortunately) snatches packets the moment they enter the system (thus making policy-based routing involving IPSec virtually impossible), what I don’t get is why that still happens when the particular IPSec tunnel is down.
It seems I cannot use Outbound NAT as a failover when the IPSec connection doesn’t go up, unless I actually disable the tunnel entirely; it not being up isn’t sufficient for traffic to go out the NAT route instead. I guess this prevents traffic going out unencrypted unintentionally, but it prevents a fail-over in my use scenario.
What I have is a LAN where each device has a public IP. That IP range is routed (for lack of ISP cooperation) via IPSec to a colo where I have a second pfSense box, to which that address range is routed.
For regular web browsing, etc. and when the IPSec link is down for whatever reason, it would be useful if locally initiated outgoing traffic could simply use NAT and the local ISP’s DHCP assigned address to provide basic fast access for information that’s just consumed.
On the other hand, for remote initiated access (e.g. VNC, ssh to my systems), and for services (DNS, SMTP, HTTP) on the public IPs, traffic should go in and out of the IPSec tunnel without NAT. Is there a way to achieve that sort of policy routing given the odd routing restrictions I have (public IP traffic needing to pass through some sort of pfSense supported tunnel)?
-
That's the nature of how it works. Traffic matching the SPD is intercepted and sent across the IPsec if there is a matching SA. If the IPsec can't come up, it gets dropped.
IPsec transport mode with a gif or GRE tunnel and a dynamic routing protocol is how failover is accomplished. Or policy routing, though that's usually more complicated since you have to make sure routing on both ends is updated appropriately.
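To make the difference between the two designs in the reply concrete, here is an added toy model (not part of the thread, and not pfSense code). It contrasts a policy-based IPsec phase 2, where the SPD selector grabs matching packets before the routing table is consulted and drops them when no SA exists, with a route-based gif/GRE-over-IPsec-transport design, where a routing daemon installs the tunnel route only while the peer is reachable and the ISP default route plus outbound NAT take over otherwise. All addresses (the 203.0.113.0/24 public LAN, the ISP address 198.51.100.7, the LAN host) are constructed documentation-range values, and the route metrics and daemon behaviour are assumptions for the illustration.

```python
"""Toy model of two designs for the situation in the thread:

  * policy-based IPsec: the SPD intercepts matching packets before routing,
    so with no SA the packet is dropped rather than falling back to NAT;
  * route-based tunnel: a gif/GRE interface carried over IPsec transport mode,
    with the route via the tunnel installed/withdrawn by a dynamic routing
    daemon, so when the tunnel is down the ISP default route and NAT apply.

Constructed example, not pfSense code; addresses are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field

PUBLIC_LAN = ipaddress.ip_network("203.0.113.0/24")  # constructed: the routed public range
ISP_ADDR = "198.51.100.7"                            # constructed: ISP DHCP address used for NAT
LAN_HOST = "203.0.113.10"                            # constructed: a host on the LAN


def policy_based_egress(src: str, sa_up: bool) -> tuple[str, str]:
    """Policy-based IPsec: the SPD selector match decides before routing runs.

    Returns (egress, source address seen on the wire)."""
    if ipaddress.ip_address(src) in PUBLIC_LAN:  # packet matches the phase-2 selector
        # Either encrypt into the SA or drop; it never falls through to NAT.
        return ("ipsec", src) if sa_up else ("drop", src)
    return ("isp", ISP_ADDR)  # only non-matching traffic ever reaches outbound NAT


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int


@dataclass
class RouteBasedTunnel:
    """gif/GRE over IPsec transport mode; the tunnel route comes from a routing daemon."""
    tunnel_up: bool = False
    # Static default route via the ISP interface; outbound NAT applies there.
    routes: list = field(default_factory=lambda: [
        Route(ipaddress.ip_network("0.0.0.0/0"), "isp", 10)
    ])

    def routing_daemon_tick(self) -> None:
        """Install the tunnel default route while the neighbour is up, withdraw it otherwise."""
        self.routes = [r for r in self.routes if r.iface != "gif0"]
        if self.tunnel_up:
            # Assumed metric 5: preferred over the static ISP route while present.
            self.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "gif0", 5))

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, ties broken by the lower metric."""
        d = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if d in r.prefix]
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def egress(self, src: str, dst: str) -> tuple[str, str]:
        """Returns (egress interface, source address seen on the wire)."""
        self.routing_daemon_tick()
        route = self.lookup(dst)
        if route.iface == "isp" and ipaddress.ip_address(src) in PUBLIC_LAN:
            # Outbound NAT on the ISP interface rewrites the public source address.
            return ("isp", ISP_ADDR)
        return (route.iface, src)


if __name__ == "__main__":
    print("policy-based, SA down:", policy_based_egress(LAN_HOST, sa_up=False))
    tunnel = RouteBasedTunnel(tunnel_up=False)
    print("route-based, tunnel down:", tunnel.egress(LAN_HOST, "192.0.2.80"))
    tunnel.tunnel_up = True
    print("route-based, tunnel up:", tunnel.egress(LAN_HOST, "192.0.2.80"))
```

The model only covers the outbound failover half of the question; the asker's second requirement (inbound connections to the public IPs always answered back through the tunnel) is the part the reply flags as needing policy routing kept consistent on both ends, since the colo side must also stop forwarding the public range into a tunnel that is down.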