Services on the IPSEC gw address

[tkreagan]

Hi - I was wondering if anyone knows if this bug:

https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

and the related changes of sending traffic to/from the gateway IP address applies to OPNsense?  It is one of the most irritating things about pfSense, and hoping OPNsense can fix it.

Also, any good manuals on IPSEC tunneling for OPNSense - the docs on the site look a little light re: detailing the process, specifically if you need to set up routes and/or fw rules once the tunnel is built.

--tkr

[tkreagan]

Bump.  Does anyone know about this issue and OPNsense?

[tkreagan]

Does anyone even read these boards? 

[franco]

Yes. This is a limitation in the way FreeBSD implements IPsec routing.


Cheers,
Franco

[tkreagan]

So is this something to bring upstream or

[franco]

It's something to "fix" in FreeBSD eventually. I don't think this classifies as a bug, judging by the longstanding nature of the problem. Only if the association is unambiguous, meaning the explicit IP the service is listening on is inside the IPsec-routed subnet, one can route over IPsec. This also affects gateway / policy routing through pf(4) because of the way IPsec is handled in the network stack.

I know that FreeBSD 11.0 doesn't change in this regard. There are major changes to IPsec coming to 12-CURRENT soon[1], but I haven't tested whether this is going to be helping this particular case.

I hope this helps.


Cheers,
Franco

[1] https://svnweb.freebsd.org/base?view=revision&revision=309115