Any ideas how I install an IPSec tunnel to a remote subnet that overlaps with a 
local subnet while not completely killing the local subnet?

This isn’t _quite_ as insane as it sounds at first glance:

The SPD (i.e. Phase 2) selectors on my side are from a single /32 IPv4 address 
on the LAN that needs to monitor half a dozen servers on three subnets in a 
foreign network.  And one of those subnets overlaps with a locally-connected 
subnet.

Despite the /32 selector, it appears that all traffic through pfSense destined 
for (in this case) 192.168.100.0/24 is getting routed down the tunnel instead 
of out the connected interface.

The kernel routing table still looks correct (i.e. 192.168.100.0/24 via link#2 
netif igb0) but packets from other subnets no longer arrive.

I vaguely recall that IPSec in FreeBSD 10 doesn’t actually happen at the kernel 
routing table level, it’s somehow bolted on to the if_input/if_output code path 
(or something kinda like that).

So what *appears* to have happened is that my IPSec tunnel from 
192.168.158.11/32 to 192.168.100.0/24 is diverting *all* traffic from 
192.168.158.0/24 to 192.168.100.24/0.  I guess I’m not terribly surprised, but 
I wasn’t expecting that to happen when I had set a very narrow selector for the 
local end.  (It’s perfectly OK if 192.168.158.11 can’t talk to the *local* 
192.168.100.0 subnet.)

Is this a bug in FreeBSD’s IPSec implementation, or is this expected behaviour?

Is there a way to accomplish what I want?  (That being that I have an IPSec 
tunnel to a remote subnet that overlaps a local subnet, with both being 
reachable and reachability being controlled by policy somehow.)

I know on certain other firewalls where IPSec tunnels appear as virtual 
interfaces, I can use policy routing to accomplish my goal, but I don’t know of 
any way to do that with pfSense.

Thanks,

-Adam

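The mismatch Adam describes (a /32 source selector that nonetheless diverts a whole /24) can be checked against a model of how an SPD lookup and a route lookup are supposed to interact. The Python below is an added example, not code from the post or from pfSense/FreeBSD; the interface names and the "wide" policy are constructed for illustration, and the SPD-before-routing ordering mirrors the behaviour the post describes.

```python
from ipaddress import ip_address, ip_network

# Constructed kernel routing table: prefix -> interface (names are assumed).
LOCAL_ROUTES = {
    ip_network("192.168.158.0/24"): "igb1",
    ip_network("192.168.100.0/24"): "igb0",   # the locally connected overlap
}

def spd_matches(policy, src, dst):
    """True if an SPD entry's (src_sel, dst_sel) pair covers the packet."""
    src_sel, dst_sel = policy
    return ip_address(src) in src_sel and ip_address(dst) in dst_sel

def egress(policies, src, dst):
    """Decide how a packet leaves the box.

    The SPD is consulted before the route lookup, so a matching policy wins
    over a more specific connected route; only non-matching packets fall
    through to longest-prefix routing.
    """
    if any(spd_matches(p, src, dst) for p in policies):
        return "ipsec"
    dst_ip = ip_address(dst)
    candidates = [n for n in LOCAL_ROUTES if dst_ip in n]
    if not candidates:
        return "default"
    return LOCAL_ROUTES[max(candidates, key=lambda n: n.prefixlen)]

def overlaps(policies):
    """List SPD destination selectors that overlap a locally connected prefix;
    any hit means the tunnel will shadow that subnet for matching sources."""
    return [(dst_sel, net) for _, dst_sel in policies
            for net in LOCAL_ROUTES if dst_sel.overlaps(net)]

# The policy as intended in the post: one monitoring host to the remote /24.
NARROW = [(ip_network("192.168.158.11/32"), ip_network("192.168.100.0/24"))]
# A constructed wider policy that would explain the observed behaviour.
WIDE = [(ip_network("192.168.158.0/24"), ip_network("192.168.100.0/24"))]
```

If the installed SPD really is the narrow one, only 192.168.158.11 should be diverted and every other LAN host should still reach the local 192.168.100.0/24 via igb0; comparing the model against what the box actually installed is the first diagnostic step.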
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
