20.1 Legacy Series / Port Forwarding through IPSEC Tunnel
« on: May 23, 2020, 10:51:24 pm »
Hello Team,
First of all, thanks for your great work.
Currently I'm running into an issue with Port Forwarding to a destination behind a VPN Tunnel.
We have a Firewall in our DataCenter Colocation which has an IPSec Tunnel with a VTI back to our Office Firewall.
Behind the Office Firewall is a Server which needs to be published to the Internet.
On the Office Firewall there is a Policy Based routing rule to forward all traffic from that Server via the Tunnel to the Datacenter.
If I'm opening a webpage or use speedtest.net I can see the correct public IP Address assigned from the NAT Pool on the Colocation Firewall.
Now if we open a port from the Colocation Firewall via Port Forward to the office Server, I can see the requests via Wireshark hitting the Colo Firewall, hitting the VPN Tunnel and the Office Firewall. So running a Packet Capture on the VTI Interface of the Office Firewall I can see the traffic hitting the Firewall with that tunnel, but the traffic never leaves the tunnel and reaches the server.
IPSEC Firewall rules on the VTI Interface:
IPSEC Firewall rules on the IPSec Interface:
If I replace the IPSec setup with an OpenVPN tunnel it works, but the performance is bad.
Colo Firewall:
pfSense 2.4.5
Office Firewall:
OPNsense 20.1.7
Thanks for reading and looking into it.
Best regards
Martin
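As an added example, not part of Martin's post or of OPNsense itself: the check Martin did by hand in Wireshark, written as a small Python script that correlates two `tcpdump -n` captures from the office firewall (one on the VTI interface, one on the LAN interface) and lists the flows towards the server that arrived over the tunnel but never showed up on the LAN side. The server address, the peer addresses and the capture lines below are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Matches the summary line format of "tcpdump -n" for TCP/UDP packets:
# "<timestamp> IP <src>.<sport> > <dst>.<dport>: ..."
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Extract one (src, sport, dst, dport) tuple per parsable capture line."""
    flows: List[Flow] = []
    for line in lines:
        m = PKT_RE.match(line.strip())
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def missing_on_egress(tunnel_lines, lan_lines, server_ip: str) -> List[Flow]:
    """Flows addressed to server_ip that were seen entering on the tunnel
    interface but never appeared on the LAN capture, i.e. the firewall in
    between dropped or misrouted them (a rule, NAT or route problem)."""
    tunnel = {f for f in parse_flows(tunnel_lines) if f[2] == server_ip}
    lan = {f for f in parse_flows(lan_lines) if f[2] == server_ip}
    return sorted(tunnel - lan)


# Constructed sample captures. Inbound port-forward SYN (retransmitted once)
# reaches the VTI but not the LAN; the server's own outbound flow and its
# reply traverse both interfaces normally.
VTI_CAPTURE = """\
10:51:24.100001 IP 203.0.113.10.51234 > 192.168.10.20.443: Flags [S], seq 1, win 64240, length 0
10:51:25.100002 IP 203.0.113.10.51234 > 192.168.10.20.443: Flags [S], seq 1, win 64240, length 0
10:51:25.200000 IP 192.168.10.20.40000 > 198.51.100.5.80: Flags [S], seq 2, win 64240, length 0
10:51:25.300000 IP 198.51.100.5.80 > 192.168.10.20.40000: Flags [S.], seq 9, ack 3, win 65535, length 0
""".splitlines()
LAN_CAPTURE = """\
10:51:25.199000 IP 192.168.10.20.40000 > 198.51.100.5.80: Flags [S], seq 2, win 64240, length 0
10:51:25.301000 IP 198.51.100.5.80 > 192.168.10.20.40000: Flags [S.], seq 9, ack 3, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for src, sport, dst, dport in missing_on_egress(VTI_CAPTURE, LAN_CAPTURE, "192.168.10.20"):
        print(f"seen on VTI, absent on LAN: {src}:{sport} -> {dst}:{dport}")
```

Flows this reports are the ones to look for in the firewall log and the NAT/route configuration between the VTI and the LAN interface.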