Local traffic routing to WAN gateway.

Started by rgradert, April 14, 2025, 09:02:40 PM

I have an IPSEC tunnel established. On the far side (Netgate appliance) I have traffic properly routing local net to remote net. On the near side, I cannot get a ping to the remote net.

My trace route shows the traffic hitting the firewall and hopping out to the ISP, as if the installed route isn't installed.

Does anyone know how I can test this further? First thing that comes to mind is to reboot the firewall but I cannot do that at this time.

If it's a policy-based IPSec check the SPDs.
If it's a VTI check the routing table.

If you have further troubles with this come back with more details.

It is VTI

V2 Key Exchange



Local Site Opnsense
LAN - 172.19.19.0/24

Phase 1
Mutual PSK
Local ID: WAN IP Address
Peer ID: WAN IP Address
Encryption: AES 256
Hash: SHA 256
DH: 14
Lifetime: 86400

Phase 2
Mode: VTI
Local Address
10.242.10.1
Remote Address
10.242.10.2

IPSEC Interface assigned and enabled.

Remote subnet 10.1.10.0/24 static routed to automatically generated 10.242.10.2 gateway.
10.1.10.0/24   REMOTE_VTI_TUNNEL - 10.242.10.2


Remote Site Netgate
LAN - 10.1.10.0/24

Phase 1
Mutual PSK
Local ID: WAN IP Address
Peer ID: WAN IP Address
Encryption: AES 256
Hash: SHA 256
DH: 14
Lifetime: 86400

Phase 2
Mode: VTI
Local Address
10.242.10.2
Remote Address
10.242.10.1

IPSEC Interface assigned and enabled.

Remote subnet 172.19.19.0/24 static routed to automatically generated 10.242.10.1 gateway.


I have Firewall > Rules > IPsec > Any/Any in place on both sides.

I can ping from the Firewall to the peer IP from both sides. And my IPSec is up.

On the near side, I trace route and get these results:
C:\Windows\System32>tracert 10.1.10.1

Tracing route to 10.1.10.1 over a maximum of 30 hops

  1     3 ms    <1 ms    <1 ms  172.19.19.1
  2    <1 ms    <1 ms    <1 ms  c-xx-xx-xx-xx.unallocated.comcastbusiness.net [xx.xx.xx.xx]
  3     *        *        *     Request timed out.
  4  xxxxxxxxxxxxx.xxxxxxx.il.chicago.comcast.net [xx.xx.xx.xx]  reports: Destination net unreachable.
  5     *        *        *     Request timed out.

On the remote side I at least get a timeout, indicating that I'm not pushing RFC 1918 out the WAN interface.
C:\Users\phoenix>tracert 172.19.19.1

Tracing route to 172.19.19.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.1.10.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *     ^C


On my remote firewall (Netgate) I am getting routes populated:
172.16.0.0/12   10.242.10.1   UGS   12   1400   ipsec2

But on my near firewall this is not the case; 10.1.10.0/24 is missing altogether.
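Added example, not code from the thread or from OPNsense/pfSense: two small POSIX shell checks for the two symptoms described in this post, namely a trace route whose second hop is the ISP rather than the tunnel, and a routing table on one side that lacks the static route to the remote subnet via the VTI gateway. Both functions read plain text in the formats FreeBSD `netstat -rn` and Windows `tracert` print. The routing tables and trace outputs embedded below are constructed samples modelled on the post (the far side has the route, the near side does not); the public addresses in them are documentation ranges, not real ISP hops, and the `ipsecN`/`vtnetN` interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Checks for two VTI-route symptoms:
#   1. route_check: is the remote prefix routed via the expected VTI gateway?
#   2. leak_check:  does the first hop after the firewall leave RFC 1918 space?
# All tables/traces below are constructed samples; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.

# route_check TABLE_TEXT DEST_PREFIX EXPECTED_GW
# Prints "ok", "missing" or "wrong-gw:<gateway>"; exit status 0 only for "ok".
route_check() {
    table=$1; dest=$2; want=$3
    # Destination is column 1, Gateway column 2; trailing columns vary by OS
    gw=$(printf '%s\n' "$table" | awk -v d="$dest" '$1 == d { print $2; exit }')
    if [ -z "$gw" ]; then
        echo "missing"; return 1
    elif [ "$gw" = "$want" ]; then
        echo "ok"; return 0
    else
        echo "wrong-gw:$gw"; return 1
    fi
}

# is_rfc1918 IPV4: exit 0 if the address is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
    case "$b" in ''|*[!0-9]*) return 1 ;; esac   # second octet must be numeric
    case "$a" in
        10)  return 0 ;;
        172) if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi ;;
        192) if [ "$b" = 168 ]; then return 0; fi ;;
    esac
    return 1
}

# trace_hop TRACE_TEXT N: address answering at hop N, "*" if it timed out,
# empty if that hop is absent. Handles "host [ip]" lines and bare addresses.
trace_hop() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n {
            if ($0 ~ /Request timed out/) { print "*"; exit }
            if (match($0, /\[[0-9.]+\]/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
            print $NF; exit
        }'
}

# leak_check TRACE_TEXT: classify hop 2, the first hop beyond the LAN gateway.
# "tunnel:<ip>" = private next hop, "no-reply" = timed out, "leak:<ip>" = public
leak_check() {
    hop=$(trace_hop "$1" 2)
    case "$hop" in
        '')  echo "no-hop";   return 1 ;;
        '*') echo "no-reply"; return 0 ;;
    esac
    if is_rfc1918 "$hop"; then
        echo "tunnel:$hop"; return 0
    fi
    echo "leak:$hop"; return 1
}

# Constructed sample: far side (Netgate) has the route to the near LAN via the VTI
FAR_TABLE='Destination        Gateway            Flags   Use   Mtu  Netif
default            203.0.113.1        UGS       0  1500  vtnet0
10.1.10.0/24       link#2             U         0  1500  vtnet1
10.242.10.1        link#5             UH        0  1400  ipsec2
172.16.0.0/12      10.242.10.1        UGS      12  1400  ipsec2'

# Constructed sample: near side (OPNsense) before the fix, remote subnet absent
NEAR_TABLE='Destination        Gateway            Flags   Use   Mtu  Netif
default            198.51.100.1       UGS       0  1500  vtnet0
10.242.10.2        link#5             UH        0  1400  ipsec1
172.19.19.0/24     link#2             U         0  1500  vtnet1'

# Constructed sample traces: near side leaks to the ISP, far side just times out
NEAR_TRACE='Tracing route to 10.1.10.1 over a maximum of 30 hops

  1     3 ms    <1 ms    <1 ms  172.19.19.1
  2    <1 ms    <1 ms    <1 ms  isp-edge.example.net [203.0.113.5]
  3     *        *        *     Request timed out.'

FAR_TRACE='Tracing route to 172.19.19.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.1.10.1
  2     *        *        *     Request timed out.'

printf 'far  route 172.16.0.0/12 via 10.242.10.1: %s\n' "$(route_check "$FAR_TABLE" 172.16.0.0/12 10.242.10.1)"
printf 'near route 10.1.10.0/24  via 10.242.10.2: %s\n' "$(route_check "$NEAR_TABLE" 10.1.10.0/24 10.242.10.2)"
printf 'near trace: %s\n' "$(leak_check "$NEAR_TRACE")"
printf 'far  trace: %s\n' "$(leak_check "$FAR_TRACE")"
```

On a live FreeBSD-based firewall the same function runs against the real table with `route_check "$(netstat -rn -f inet)" 10.1.10.0/24 10.242.10.2`; a "missing" result on one side while the peer shows "ok" is the asymmetry this post describes, and is a gateway/route configuration problem rather than an IPsec phase problem, since the tunnel itself was already passing pings between the VTI endpoints. For the trace check, paste the Windows `tracert` output into the variable; a "leak:" result means hop 2 is a public address, i.e. the LAN traffic is following the default route instead of the VTI.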



After digging around, I discovered that the gateway was set to far. I don't remember ticking that, but unticking it and saving resolved the issue. Once the gateway was present, the route was up and traffic flowing.

Congratulations! So you've solved the issue by yourself. :-)