Ok, I'll try again with real (fake) addresses to make it better understood.

WAN gateway:  (primary firewall interface), next hop


Interface: Virtual IP


Local address: address
Local NAT translation: address

Remote address:   (A public ip)

When phase1 and 2 are up and connected, I see no route for
in the routing table.

Doing a traceroute from, I get traffic leaving the network
via, not via  This could be because is just a virtual address though, or what?  It may not be
meaningful after all.

In the firewall log I see:
Feb 8 18:07:40 ► IPsec
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&proto=tcp&src=> TCP:S
So traffic is being allowed via IPsec from to,
but I'm not getting any response from the remote.

Is this wrong?  If so, what is right?  I cannot expose the LAN ip address
to the tunnel (, I need to use the public IP...

thanks again

In my experience, one does not see routes in the routing table for IPSEC based 

IPSEC tunneling, I believe, happens before any NATting might. This might be why 
you're seeing your traffic exit the default gateway since it still possesses 
its original ip addresses. I'm not sure what you are trying to achieve is 
possible on the same device, unless you do some kind of NAT on the incoming 
interface if that's possible.

Seeing actual configuration files might be helpful. So would the results of 
packet capture on both IPSEC interfaces.
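As an added illustration that is not part of the thread, the model below shows why a policy-based IPsec tunnel leaves no entry in the routing table yet still captures traffic: the decision is made by the phase 2 selectors (local, NAT/BINAT translation, remote), not by a route. All addresses are constructed documentation ranges, since the original post's addresses were stripped, and the "translate, then match selectors" order is a simplified model of pfSense phase 2 NAT/BINAT, not its code.

```python
import ipaddress

# Constructed sample data (documentation ranges only, not from the thread).
ROUTES = [                               # (destination, next hop)
    ("0.0.0.0/0", "198.51.100.1"),       # default route via the WAN gateway
    ("192.168.10.0/24", "direct"),       # LAN, directly connected
]                                        # note: no route for the remote network
# Phase 2 in the pfSense style: local net, NAT/BINAT translation, remote net.
PHASE2 = {"local": "192.168.10.0/24",
          "nat": "203.0.113.0/24",       # public range presented to the peer
          "remote": "10.50.0.0/16"}

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the next hop or None."""
    best = None
    for net, hop in ROUTES:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None

def binat(src, p2):
    """1:1 network translation: keep the host bits, swap the network bits."""
    local, nat = ipaddress.ip_network(p2["local"]), ipaddress.ip_network(p2["nat"])
    s = ipaddress.ip_address(src)
    if s not in local:
        return src                       # not covered by the translation
    offset = int(s) - int(local.network_address)
    return str(ipaddress.ip_address(int(nat.network_address) + offset))

def spd_match(src, dst, p2):
    """Model: translate first, then test the phase 2 selectors (translated src, remote dst)."""
    tsrc = binat(src, p2)
    ok = (ipaddress.ip_address(tsrc) in ipaddress.ip_network(p2["nat"])
          and ipaddress.ip_address(dst) in ipaddress.ip_network(p2["remote"]))
    return ok, tsrc

def classify(src, dst):
    """Explain where a LAN packet goes: into the tunnel by policy, or plain routing."""
    matched, tsrc = spd_match(src, dst, PHASE2)
    if matched:
        return f"IPsec: {src} -> {tsrc} (BINAT), selector {PHASE2['nat']} <-> {PHASE2['remote']}"
    return f"routed via {route_lookup(dst)} as {src} (no policy match, no specific route)"

if __name__ == "__main__":
    print(classify("192.168.10.7", "10.50.1.1"))   # tunnel, even though route_lookup says default gw
    print(classify("192.168.10.7", "8.8.8.8"))     # ordinary routing
```

The practical check for the thread is the second half of the model: the peer must have the translated (public) network, not the LAN range, as its remote selector, or it will silently drop or misroute the replies.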

