Topic: Services on the IPSEC gw address (Read 6077 times)
tkreagan (Newbie, Posts: 4, Karma: 0)
Services on the IPSEC gw address
on: September 12, 2016, 03:12:22 am
Hi - I was wondering if anyone knows if this bug:
https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
and the related changes of sending traffic to/from the gateway IP address apply to OPNsense? It is one of the most irritating things about pfSense, and hoping OPNsense can fix it.
Also, any good manuals on IPSEC tunneling for OPNsense - the docs on the site look a little light re: detailing the process, specifically if you need to set up routes and/or fw rules once the tunnel is built.
--tkr

tkreagan (Newbie, Posts: 4, Karma: 0)
Re: Services on the IPSEC gw address
Reply #1 on: September 24, 2016, 10:16:36 pm
Bump. Does anyone know about this issue and OPNsense?

tkreagan (Newbie, Posts: 4, Karma: 0)
Re: Services on the IPSEC gw address
Reply #2 on: January 02, 2017, 02:51:27 pm
Does anyone even read these boards?

franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Re: Services on the IPSEC gw address
Reply #3 on: January 02, 2017, 03:16:10 pm
Yes. This is a limitation in the way FreeBSD implements IPsec routing.
Cheers,
Franco

tkreagan (Newbie, Posts: 4, Karma: 0)
Re: Services on the IPSEC gw address
Reply #4 on: January 03, 2017, 10:35:00 pm
So is this something to bring upstream or

franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Re: Services on the IPSEC gw address
Reply #5 on: January 04, 2017, 08:08:16 am
It's something to "fix" in FreeBSD eventually. I don't think this classifies as a bug, judging by the longstanding nature of the problem. Only if the association is unambiguous, meaning the explicit IP the service is listening on is inside the IPsec-routed subnet, one can route over IPsec. This also affects gateway / policy routing through pf(4) because of the way IPsec is handled in the network stack.
I know that FreeBSD 11.0 doesn't change in this regard. There are major changes to IPsec coming to 12-CURRENT soon[1], but I haven't tested whether this is going to be helping this particular case.
I hope this helps.
Cheers,
Franco
[1] https://svnweb.freebsd.org/base?view=revision&revision=309115
Last Edit: January 04, 2017, 10:28:57 am by franco
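
The condition described in Reply #5, as an added example that is not part of the thread and not OPNsense or FreeBSD code: a small model that checks which firewall-originated services would match an IPsec policy and which would leave outside the tunnel. All addresses, the `POLICIES` and `SERVICES` tables, and the source-address rule in `source_for` are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One outbound IPsec policy (phase 2 traffic selector)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)


# Constructed sample values (private / documentation ranges), not from the thread.
WAN_ADDR = "203.0.113.10"   # firewall's outside address
LAN_ADDR = "10.1.0.1"       # firewall's address inside the IPsec-routed subnet
POLICIES = [Policy(ipaddress.ip_network("10.1.0.0/24"),
                   ipaddress.ip_network("10.2.0.0/24"))]

# (service, remote peer, explicit bind address or None) - constructed.
SERVICES = [
    ("syslog", "10.2.0.50", None),
    ("snmp", "10.2.0.60", LAN_ADDR),
    ("ntp", "10.2.0.70", WAN_ADDR),
]


def source_for(bind=None):
    """Assumed model: with no explicit bind address, a locally started
    connection gets the address of the interface the routing table selects.
    No route points at the remote subnet, so that is the WAN address."""
    return bind if bind else WAN_ADDR


def disposition(dst, bind=None):
    """Return (source address, outcome) for traffic the firewall originates."""
    src = source_for(bind)
    if any(p.matches(src, dst) for p in POLICIES):
        return src, "ipsec"
    return src, "outside tunnel"


def audit(services):
    """Names of services whose traffic would not match any IPsec policy."""
    return [n for n, dst, bind in services if disposition(dst, bind)[1] != "ipsec"]


if __name__ == "__main__":
    for name, dst, bind in SERVICES:
        print(name, *disposition(dst, bind))
    print("not protected by the tunnel:", audit(SERVICES))
```

Only the service bound to an address inside the policy's local subnet is matched; the others are the ones to review when logs or monitoring data are expected to travel encrypted.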