> On Feb 9, 2018, at 5:25 AM, Mark Wiater <mark.wia...@greybeam.com> wrote:
>
> On 2/9/2018 6:42 AM, Roland Giesler wrote:
>> Ok, I'll try again with real (fake) addresses to make it better understood.
>>
>> WAN gateway: 197.212.127.194 (primary firewall interface), next hop
>> gateway 197.212.127.193
>>
>> Phase1:
>>
>> Interface: Virtual IP 41.22.123.70
>>
>> Phase2:
>>
>> Local address: address 192.168.110.130
>> Local NAT translation: address 41.22.123.70
>>
>> Remote address: 196.210.117.67 (A public IP)
>>
>> When phase1 and 2 are up and connected, I see no route for 196.210.117.67
>> in the routing table.
>>
>> Doing a traceroute from 192.168.110.130, I get traffic leaving the network
>> via 197.212.127.193, not via 41.22.123.70. This could be because
>> 41.22.123.70 is just a virtual address though, or what? It may not be
>> meaningful after all.
>>
>> In the firewall log I see:
>> Feb 8 18:07:40 ► IPsec
>> <https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&src=41.75.111.178&ipproto=inet>
>> 41.22.123.70:57914
>> <https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&proto=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet>
>> 196.210.117.67:12345 TCP:S
>> So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
>> but I'm not getting any response from the remote.
>>
>> Is this wrong? If so, what is right? I cannot expose the LAN IP address
>> to the tunnel (192.168.110.130), I need to use the public IP...
>>
>> thanks again
>>
>
> In my experience, one does not see routes in the routing table for IPSEC
> based routes.
>
> IPSEC tunneling, I believe, happens before any NATting might. This might be
> why you're seeing your traffic exit the default gateway since it still
> possesses its original IP addresses. I'm not sure what you are trying to
> achieve is possible on the same device, unless you do some kind of NAT on the
> incoming interface if that's possible.
>
> Seeing actual configuration files might be helpful. So would the results of
> packet capture on both IPSEC interfaces.
>
IPsec “routes” do not appear in the routing table. They are installed in the
kernel as traffic selectors. Status > IPsec, SPDs.

If you are policy routing on the 192.168.110.130 interface you will need to
bypass that with a pass rule to the other side (the Remote Network in the
Phase 2) with no gateway set.
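The reply above makes two points that are easy to check with a small model: the tunnel is selected by an SPD traffic selector lookup in the kernel output path, not by a routing-table entry, and a pf rule that carries a gateway (policy routing) hands the packet to that gateway before the SPD is ever consulted. The following Python script is an added illustration written for this thread, not code from the thread or from pfSense. It uses the poster's "real (fake)" addresses and makes two simplifying assumptions that are labelled in the comments: pf rules are matched first-match top-down, and the Phase 2 "Local NAT translation" rewrites the local address before the selector comparison. The rule sets `POLICY_ONLY` and `WITH_BYPASS`, and the helpers `forward`, `spd_lookup` and `first_match`, are names chosen here for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Dict

# Addresses from the thread (the poster's "real (fake)" values).
LAN_HOST = "192.168.110.130"     # Phase 2 local address
NAT_ADDR = "41.22.123.70"        # Phase 2 "Local NAT translation"
REMOTE_HOST = "196.210.117.67"   # Phase 2 remote address
NEXT_HOP = "197.212.127.193"     # WAN next-hop gateway


@dataclass
class Selector:
    """One SPD entry: a local/remote traffic selector pair (what Status > IPsec, SPDs lists)."""
    local: str
    remote: str


@dataclass
class PfRule:
    """Simplified pass rule on the LAN interface. gateway=None means 'no gateway set'."""
    src: str
    dst: str
    gateway: Optional[str] = None


def _in(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def first_match(rules: List[PfRule], src: str, dst: str) -> Optional[PfRule]:
    """Assumption: rules are evaluated top-down and the first match wins."""
    for r in rules:
        if _in(r.src, src) and _in(r.dst, dst):
            return r
    return None


def spd_lookup(spd: List[Selector], src: str, dst: str) -> Optional[Selector]:
    """Kernel SPD lookup: does any selector cover this src/dst pair?"""
    for sel in spd:
        if _in(sel.local, src) and _in(sel.remote, dst):
            return sel
    return None


def forward(src: str, dst: str, rules: List[PfRule],
            spd: List[Selector], binat: Dict[str, str]) -> str:
    """Decide where an outbound LAN packet goes under this model."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    if rule.gateway is not None:
        # Policy routing: pf sends the packet straight to that gateway,
        # so the SPD is never consulted and the tunnel is never used.
        return f"policy-routed to {rule.gateway}"
    # Normal kernel output path. Assumption (modelled here, not taken from
    # pfSense internals): the Phase 2 NAT translates the local address
    # before the selector comparison, as "Local NAT translation" implies.
    tunnel_src = binat.get(src, src)
    sel = spd_lookup(spd, tunnel_src, dst)
    if sel is not None:
        return f"ipsec {tunnel_src} -> {dst} (selector {sel.local} <-> {sel.remote})"
    return f"routed via {NEXT_HOP}"


# The single Phase 2 from the thread, as the kernel would hold it after NAT.
SPD = [Selector(f"{NAT_ADDR}/32", f"{REMOTE_HOST}/32")]
BINAT = {LAN_HOST: NAT_ADDR}

# LAN rule set that policy-routes everything to the WAN gateway.
POLICY_ONLY = [PfRule("192.168.110.0/24", "0.0.0.0/0", gateway=NEXT_HOP)]

# Same rule set with the bypass the reply recommends placed above it:
# pass to the Phase 2 Remote Network with no gateway set.
WITH_BYPASS = [PfRule("192.168.110.0/24", f"{REMOTE_HOST}/32")] + POLICY_ONLY

# LAN rule set with no policy routing at all.
NO_POLICY = [PfRule("192.168.110.0/24", "0.0.0.0/0")]


def demo() -> Dict[str, str]:
    return {
        "policy_only": forward(LAN_HOST, REMOTE_HOST, POLICY_ONLY, SPD, BINAT),
        "with_bypass": forward(LAN_HOST, REMOTE_HOST, WITH_BYPASS, SPD, BINAT),
        "bypass_other_dst": forward(LAN_HOST, "198.51.100.10", WITH_BYPASS, SPD, BINAT),
        "no_policy_other_dst": forward(LAN_HOST, "198.51.100.10", NO_POLICY, SPD, BINAT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

With `POLICY_ONLY` the packet from 192.168.110.130 to 196.210.117.67 leaves via 197.212.127.193, which is the traceroute behaviour the poster described; with the bypass rule in front it reaches the SPD, where only the translated source 41.22.123.70 matches the selector, which is why the Phase 2 has to carry the NAT address rather than the LAN address. The lookup with the untranslated LAN source finds no selector at all, and a destination outside the Phase 2 remote network falls through to normal routing in every rule set.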