On 8/18/2011 11:24 AM, Fabien Bagard wrote:
> On 08/18/2011 04:33 PM, Jim Pingle wrote:
>> On 8/18/2011 10:29 AM, Fabien Bagard wrote:
>> [...]
>>>  From the network beyond the PFSense, I can't ping machines beyond the
>>> IPCop.
>> [...]
>>> What gives me trouble is:
>>>    * IPCop side, I have an ipsec interface, with an IP address and a route
>>> to the other side of the IPsec tunnel
>>>    * PFSense side, I have an enc0 interface, without an IP address and no
>>> trace of a route in the routing tables to the IPCop side:
>> There is no route for IPsec on FreeBSD. That's just how IPsec works.
>>
>> If traffic matches the phase 2 for the tunnel, it goes on the tunnel.
>>
>> Your problem may be elsewhere (firewall rules, etc) - some packet
>> captures should show you how the traffic is (or isn't) flowing.
>>
>> Jim
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
>> For additional commands, e-mail: support-h...@pfsense.com
>>
>> Commercial support available - https://portal.pfsense.org
> Thanks a lot for your fast reply Jim,
> 
> I'll have a look at my FW conf soon.
> 
> BTW, how can I set up a default gateway to tell all my traffic from the
> PFsense LAN (subsidiary) to go through the IPsec tunnel (main office)?
> Setting up the PFsense's default gateway is impossible because it has no
> IP address on the main office LAN: it has a WAN interface (192.168.2.1)
> and a LAN interface (192.168.3.1), whereas my main office LAN is
> 192.168.1.X

You can't easily do that with IPsec on pfSense in tunnel mode that way.
You could try making the far end of the tunnel's p2 0.0.0.0/0 but that
may cause you some issues.

> I also noted: if from the PF box I ping a computer in my main office
> LAN, traceroute shows me that packets are going through my ISP box, even
> if the destination address matches the phase 2 entry.

Then it must not have matched the p2, or it hit a rule that forced it
directly out a gateway. Though I thought we had policy route negation
rules that prevented that, it's worth checking.

It sounds like what you want would be better accomplished with OpenVPN,
since it can route like you expect, and you can get a gateway to use
with policy routing (or even failover) to control how the traffic flows.

Alternately, IPsec in transport mode with a gif/gre tunnel on top would
give you routing flexibility in a similar way, but I'm not sure if IPCop
would support that.

Jim
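The order of operations Jim describes (an IPsec phase 2 is a traffic selector in the SPD, not a route; a packet that matches it is encapsulated, anything else goes to the routing table) is easy to get wrong when testing from the firewall itself, because the source address of a locally generated packet is chosen by a route lookup before the SPD is consulted. The simulation below is an added example written for this thread, not pfSense or FreeBSD code; it models that ordering with the addresses the thread gives (pfSense LAN 192.168.3.1, WAN 192.168.2.1, main office 192.168.1.0/24) plus one assumed address for the ISP box, and also shows what a 0.0.0.0/0 remote selector pulls into the tunnel:

```python
"""Simulated IPsec policy (SPD) lookup versus routing on a FreeBSD-style host.

Added illustration for the pfSense/IPCop thread; it is not the kernel's code.
Addresses come from the thread, except ISP_BOX, which is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    """One phase 2 / SPD entry: a traffic selector, not a route."""
    local_net: str
    remote_net: str


# Constructed topology (values stated in the thread, except ISP_BOX).
LAN_ADDR = "192.168.3.1"
WAN_ADDR = "192.168.2.1"
ISP_BOX = "192.168.2.254"      # assumed: the ISP box acting as default gateway
MAIN_OFFICE = "192.168.1.0/24"  # LAN behind the IPCop

# (prefix, interface address used as source, next hop or None if connected)
ROUTES = [
    ("192.168.3.0/24", LAN_ADDR, None),   # directly connected LAN
    ("192.168.2.0/24", WAN_ADDR, None),   # directly connected WAN
    ("0.0.0.0/0", WAN_ADDR, ISP_BOX),     # default route via the ISP box
]

# The phase 2 as described: subsidiary LAN <-> main office LAN.
POLICIES = [Phase2("192.168.3.0/24", MAIN_OFFICE)]


def spd_lookup(src: str, dst: str, policies) -> Optional[Phase2]:
    """First policy whose local/remote selectors cover src/dst, else None."""
    for pol in policies:
        if (ip_address(src) in ip_network(pol.local_net)
                and ip_address(dst) in ip_network(pol.remote_net)):
            return pol
    return None


def route_lookup(dst: str, routes=ROUTES):
    """Longest-prefix match over the routing table."""
    best = None
    for prefix, ifaddr, gw in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (
                best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, ifaddr, gw)
    return best


def pick_source(dst: str, routes=ROUTES) -> str:
    """Source address a locally generated packet gets: the egress interface's
    address for the route that matches dst (no IPsec involvement yet)."""
    return route_lookup(dst, routes)[1]


def egress(src: str, dst: str, policies=POLICIES, routes=ROUTES) -> str:
    """Where a forwarded or locally generated packet ends up: the SPD is
    consulted first; only non-matching traffic is routed normally."""
    pol = spd_lookup(src, dst, policies)
    if pol is not None:
        return f"ipsec {pol.local_net}->{pol.remote_net}"
    _, _, gw = route_lookup(dst, routes)
    return f"gateway {gw}" if gw else "direct"


def main() -> None:
    host, office_pc = "192.168.3.10", "192.168.1.20"
    # LAN host behind pfSense: matches the p2, no route needed.
    print("LAN host -> office:", egress(host, office_pc))
    # Ping from the pfSense box itself: source chosen by routing = WAN address,
    # which is outside the local selector, so the packet leaves via the ISP box.
    src = pick_source(office_pc)
    print(f"firewall (src {src}) -> office:", egress(src, office_pc))
    # Same ping with the LAN address forced as source does match the p2.
    print(f"firewall (src {LAN_ADDR}) -> office:", egress(LAN_ADDR, office_pc))
    # Remote selector 0.0.0.0/0: every LAN-sourced packet, including ones for
    # the local WAN subnet, is now carried over the tunnel.
    wide = [Phase2("192.168.3.0/24", "0.0.0.0/0")]
    print("wide p2, LAN host -> ISP box:", egress(host, ISP_BOX, wide))


if __name__ == "__main__":
    main()
```

The practical check this models is the one Jim suggests: capture on the WAN and on enc0. A ping from the firewall that shows up on WAN with the WAN address as source never matched the phase 2, so the fix is to source it from the LAN address (pfSense's ping diagnostic lets you pick the source interface), not to look for a route that IPsec in tunnel mode never installs.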
