This problem is caused because IPsec tunnel mode creates 'implicit' tunnels. These are not visible to the rest of the IP layer, because the decision to tunnel the traffic is made after the packet has been forwarded.
One easy solution is to create an 'explicit' tunnel, using something like GRE, and then secure this using IPsec transport mode. I did have this working fine on a hacked version of m0n0wall a year or so ago, and I daresay that it could be implemented on pfsense. To be honest, I thought it was (using gif tunnels) as I am sure it appeared in an earlier release.

From a usage viewpoint you would just see a new optional interface that you could route stuff to (also apply firewall and traffic shaper rules). The basic characteristics are the same (GRE has higher overheads, so the MTU would be reduced a little. IP-in-IP using GIF is the same overhead as IPsec tunnel mode).

/Peter

On Thursday 30 March 2006 00:40, Jeff Quinonez wrote:
> I had to do the exact same thing. I have a pfsense box at home and a test
> pfsense box at work. (great work btw folks, love pfsense) I have 6
> different subnets and had to build a tunnel for each one. I wish there was
> a way to build one tunnel and then just add static routes to the various
> subnets. (i don't have static ip's at home so every once in a while i need
> to change the ip on the tunnels)
>
> I worked with Checkpoint FW-1 a few years ago (on Solaris) and had to add
> the routes to various subnets at the Solaris command line and then add the
> routes via the gui. Actually had a script that would add the routes in the
> event of a reboot of the firewall. I wonder if pfsense could work this way?
>
> On 3/28/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
> > I'm not sure if pfSense can route over IPSEC (haven't tested that) but in
> > case it can't do that here is another way that will work (I have m0n0s
> > running with that kind of setup):
> >
> > You have to create 2 parallel tunnels.
> >
> > The problem is that both tunnels are terminated between the same public
> > IPs. To get the traffic of both tunnels separated you must use a
> > different identifier for each tunnel. Create preshared keys at both ends
> > for both tunnels and use the unique identifiers for both tunnels.
> > Otherwise the traffic will get mixed up.
> >
> > Tunnel definitions:
> > local subnet 192.168.1.x <-> remote subnet 192.168.19.x, identifier "to.lan.local" secret "secret1"
> > local subnet 192.168.1.x <-> remote subnet 10.0.0.x, identifier "to.dmz.local" secret "secret2"
> >
> > I even use this kind of setup to route from location1 to location3 via
> > location2 with no direct link between location1 and location3. You can
> > combine this with static routes at the pfSense where the traffic leaves
> > the tunnel if needed btw to reach subnets via another gateway.
> >
> > Holger
> >
> > > -----Original Message-----
> > > From: Jason J Ellingson [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, March 29, 2006 12:09 AM
> > > To: [email protected]
> > > Subject: [pfSense Support] Static routes over IPSec
> > >
> > > I guess I'm encountering a mental block on how to do this... Can anyone
> > > help?
> > >
> > > I have two pfSense boxes in different locations (and obviously on the
> > > Internet).
> > >
> > > I have a LAN to LAN IPSec between them.
> > > 192.168.1.x <-> 192.168.19.x
> > >
> > > The far pfSense box also has a DMZ/OPT1 network:
> > > 10.0.0.x
> > >
> > > Is there a way to have traffic from my 192.168.1.x network go over the IPSec
> > > tunnel to talk to the 10.0.0.x network?
> > >
> > > Perhaps I need to look at establishing a second IPSec tunnel?
> > > 192.168.1.x <-> 10.0.0.x
> > >
> > > I have tried setting up a static route on the local box (192.168.1.x) that
> > > points 10.0.0.x traffic to gateway of 192.168.1.1 (remote LAN gateway), but
> > > that didn't seem to work.
> > >
> > > Thanks all!
> > >
> > > - Jason
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
>
> --
> "got root?"
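As an added illustration (not code from any of the posters), the following Python model of the outbound path, route lookup first and then SPD lookup on the packet that actually leaves the box, shows why Jason's static route to 10.0.0.x falls outside the only existing tunnel-mode selector, why Holger's second parallel tunnel catches it, and why Peter's explicit GRE interface protected by a transport-mode policy catches it too. The function names, the route table layout and the documentation-range public addresses are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One SPD entry: selector (src, dst) -> SA; mode is "tunnel" or "transport",
# peer is the public address of the remote gateway.
Policy = namedtuple("Policy", "src dst mode peer")

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next hop or interface name) pairs."""
    d = ip_address(dst)
    hits = [r for r in routes if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def spd_lookup(spd, src, dst):
    """First policy whose selectors cover the packet's src and dst."""
    s, d = ip_address(src), ip_address(dst)
    return next((p for p in spd if s in p.src and d in p.dst), None)

def forward(routes, spd, tunnel_ifaces, src, dst):
    """Outbound path: routing decision first, SPD match on the packet that leaves."""
    hop = route_lookup(routes, dst)
    if hop is None:
        return "no route"
    if hop in tunnel_ifaces:                       # explicit gif/gre interface
        outer_src, outer_dst = tunnel_ifaces[hop]  # encapsulate; SPD sees outer header
        pol = spd_lookup(spd, outer_src, outer_dst)
        return f"{hop} -> {outer_dst} ({pol.mode if pol else 'clear'})"
    pol = spd_lookup(spd, src, dst)                # implicit tunnel: SPD sees inner header
    return f"tunnel -> {pol.peer}" if pol else f"clear via {hop}"

# Constructed addresses: documentation-range public IPs stand in for the two WANs.
LOCAL_PUB, REMOTE_PUB = "203.0.113.10", "198.51.100.20"
LAN_LAN = Policy(ip_network("192.168.1.0/24"), ip_network("192.168.19.0/24"), "tunnel", REMOTE_PUB)
BASE_ROUTES = [(ip_network("192.168.1.0/24"), "LAN"), (ip_network("0.0.0.0/0"), "wan-gateway")]

def jason_static_route():
    """Static route for 10.0.0.0/24 via 192.168.1.1: no selector covers 10.0.0.x."""
    routes = BASE_ROUTES + [(ip_network("10.0.0.0/24"), "192.168.1.1")]
    return forward(routes, [LAN_LAN], {}, "192.168.1.50", "10.0.0.5")

def holger_second_tunnel():
    """Second parallel tunnel-mode policy whose selector is LAN -> DMZ."""
    dmz = Policy(ip_network("192.168.1.0/24"), ip_network("10.0.0.0/24"), "tunnel", REMOTE_PUB)
    return forward(BASE_ROUTES, [LAN_LAN, dmz], {}, "192.168.1.50", "10.0.0.5")

def peter_explicit_tunnel():
    """Route the DMZ to gre0; a transport-mode policy protects the outer packet."""
    transport = Policy(ip_network(LOCAL_PUB + "/32"), ip_network(REMOTE_PUB + "/32"), "transport", REMOTE_PUB)
    routes = BASE_ROUTES + [(ip_network("10.0.0.0/24"), "gre0")]
    return forward(routes, [transport], {"gre0": (LOCAL_PUB, REMOTE_PUB)}, "192.168.1.50", "10.0.0.5")
```

A result of `clear via ...` is the failure mode to watch for: a packet that matches no policy leaves the box unprotected rather than being dropped, so a static route on its own never adds encryption.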
