Policy based routing for IPSEC (not tunnel)

Started by mahescho, January 30, 2020, 03:29:25 PM

January 30, 2020, 03:29:25 PM Last Edit: January 30, 2020, 03:43:10 PM by mahescho
Hi,

I have 3 uplinks, A, B and C. A is my default gateway. I use policy based routing to direct LAN (and VLAN) traffic to one of these uplinks. This works as expected.

I've configured my IPSEC VPN to use the interface of uplink C. Now I need the IPSEC VPN to use the gateway of uplink C. To get this I need policy based routing entries for firewall local traffic (ESP, ISAKMP, NAT-T). I can see auto generated rules on uplink C for the IPSEC traffic with the gateway of uplink C set as the gateway. But what I found is that they do not get used.

When I do "ipsec up con1" and look at my uplink A interface with tcpdump, I see the ESP traffic on A instead of C.

When I initiate IPSEC from the remote site I see the ESP packets arrive on C and the answers from OPNsense on A.

How do I get this working?

TIA
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
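The check the poster describes (watching each uplink with tcpdump to see where the locally generated IPsec packets actually leave) can be made repeatable with a small helper. The following is an added example, not code from the original post or from OPNsense: it wraps a tcpdump filter for the three traffic types named above (ISAKMP/IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50) and classifies tcpdump output lines so a capture from each uplink can be summarised and compared. The interface name in the usage comment and all sample lines are constructed, not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original post): triage helper for checking which
# uplink carries IPsec control-plane and data-plane packets.
# All sample lines and interface names below are constructed.

# Filter for IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50).
IPSEC_FILTER='udp port 500 or udp port 4500 or ip proto 50'

# Capture on one uplink with the filter above. Run one per uplink (A, B, C)
# and compare which interface shows the packets the firewall itself sends.
# Example (constructed interface name): capture_ipsec igb2
capture_ipsec() {
    tcpdump -n -i "$1" "$IPSEC_FILTER"
}

# Print the class of one tcpdump -n output line: natt, isakmp, esp or other.
# NAT-T is matched first because UDP-encapsulated ESP lines also contain "ESP(".
classify_ipsec_line() {
    case "$1" in
        *".4500 > "*".4500:"*) echo natt ;;
        *".500 > "*".500:"*)   echo isakmp ;;
        *"ESP(spi="*)          echo esp ;;
        *)                     echo other ;;
    esac
}

# Read tcpdump lines on stdin and print one summary line:
#   esp=N isakmp=N natt=N other=N
ipsec_summary() {
    esp=0; isakmp=0; natt=0; other=0
    while IFS= read -r line; do
        case "$(classify_ipsec_line "$line")" in
            esp)    esp=$((esp + 1)) ;;
            isakmp) isakmp=$((isakmp + 1)) ;;
            natt)   natt=$((natt + 1)) ;;
            *)      other=$((other + 1)) ;;
        esac
    done
    echo "esp=$esp isakmp=$isakmp natt=$natt other=$other"
}

# Constructed sample in tcpdump -n format (not a real capture): one IKE
# packet, one plain ESP packet, one NAT-T encapsulated ESP packet, one DNS query.
SAMPLE_A='12:00:00.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
12:00:00.000002 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0000001,seq=0x1), length 132
12:00:00.000003 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0xc0000002,seq=0x2), length 116
12:00:00.000004 IP 203.0.113.10.12345 > 198.51.100.20.53: 1234+ A? example.org. (29)'

# Usage: summarise a capture (here the constructed sample standing in for
# "tcpdump -n -i <uplink A> ..." output). A non-zero esp/isakmp/natt count on
# the wrong uplink is the symptom described in the post.
printf '%s\n' "$SAMPLE_A" | ipsec_summary
```

To compare uplinks on a live system, pipe `capture_ipsec <interface> | ipsec_summary` for each uplink in turn (stopping tcpdump with Ctrl-C after the test connection is brought up); the uplink whose counters increase while the VPN is started is the one the kernel is actually using for the firewall's own IPsec traffic.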