Chris Buechler wrote:
On Tue, Sep 22, 2009 at 6:36 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
Paul Mansfield wrote:
On 22/09/09 17:36, Scott Ullrich wrote:

That is normal.   Traffic on the firewall itself prefers the system
routing table.  Clients behind the firewall will prefer the IPSEC
tunnel.   Pretty sure that is documented somewhere on the doc site.


if you want connections initiated by the firewall to go over the IPSEC
tunnel you have to add a static route to the remote LAN via the local
LAN IP.

e.g. if remote network is 10.20.30/24 and lan is 10.10.10.1 the static
route looks like this...

INTERFACE       NETWORK         GATEWAY
LAN             10.20.30.0/24   10.10.10.1

Sorry, it does not make much sense to me. You can have this route but it
will never work.

Yes it does. It's in the FAQ.
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F


Probably my explanation is poor... I'll try again

10.29.1.34------------10.29.1.19/24 LAN pfSense1 WAN PPPoE x.x.x.106 --------Internet-------y.y.y.155 WAN pfSense2 LAN 10.29.11.1/24------------10.29.11.2
IPSec between 10.29.1.0/24 and 10.29.11.0/24.
I can ping 10.29.1.19 from 10.29.11.2.
I cannot ping 10.29.1.34 from 10.29.11.2.

I can ping 10.29.11.1 and 10.29.11.2 from pfSense1 itself by issuing the command ping -S 10.29.1.19 10.29.11.1. Traffic goes over the IPsec tunnel. I do not need any static routes for that.
On WAN (ng0):
20:20:41.404778 IP x.x.x.106 > y.y.y.155: ESP(spi=0x0cf5335a,seq=0x26), length 116
20:20:41.584349 IP y.y.y.155 > x.x.x.106: ESP(spi=0x063d52eb,seq=0x18), length 116

I cannot ping 10.29.11.1 or 10.29.11.2 from any host connected to the LAN of pfSense1. Traffic does not go over IPsec but is instead NATed and goes out to the Internet.
On WAN (ng0):
20:29:13.951253 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6706, length 40
20:29:19.451065 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6962, length 40
20:29:24.950912 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 7218, length 40

Can anybody explain this?
Thanks for your attention.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
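As an added example that is not part of the thread or of pfSense, the Python model below walks through the two lookups the replies above describe: the system routing table decides which interface and source address a firewall-originated packet gets, and the IPsec phase 2 selectors then decide whether that packet is encapsulated in ESP or leaves the WAN in the clear. The WAN address 203.0.113.106 stands in for x.x.x.106, and the routing table, the static-route toggle and the classification logic are assumptions built to illustrate the FAQ point, not pfSense code.

```python
import ipaddress

# Phase 2 selectors of the tunnel from the thread: local net <-> remote net.
PHASE2 = [(ipaddress.ip_network("10.29.1.0/24"),
           ipaddress.ip_network("10.29.11.0/24"))]

WAN_IP = "203.0.113.106"   # placeholder for x.x.x.106 in the thread
LAN_IP = "10.29.1.19"      # pfSense1 LAN address from the thread


def routing_table(with_static_route):
    """Constructed table for pfSense1: (destination, interface, source address used).
    The static route is the one the FAQ recommends: remote LAN via the local LAN IP."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "WAN", WAN_IP)]
    if with_static_route:
        table.append((ipaddress.ip_network("10.29.11.0/24"), "LAN", LAN_IP))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns (interface, source address the stack picks)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, src in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return best[1], best[2]


def matches_spd(src, dst):
    """True when (src, dst) falls inside a phase 2 selector pair, i.e. gets ESP."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in PHASE2)


def classify(src, dst):
    """How a packet with these addresses leaves the firewall: 'ipsec' or 'wan' (clear)."""
    return "ipsec" if matches_spd(src, dst) else "wan"


def firewall_originated(dst, with_static_route, explicit_src=None):
    """Packet sent by the firewall itself. Without -S the route's interface address
    becomes the source; with -S (ping -S 10.29.1.19 ...) the source is forced."""
    _iface, src = lookup(routing_table(with_static_route), dst)
    src = explicit_src or src
    return src, classify(src, dst)


if __name__ == "__main__":
    print(firewall_originated("10.29.11.1", with_static_route=False))  # WAN source, clear
    print(firewall_originated("10.29.11.1", with_static_route=True))   # LAN source, ESP
    print(classify(WAN_IP, "10.29.11.1"))   # the captured ICMP packet: not in any selector
```

The last call reproduces the second capture in the thread: a packet already carrying the WAN source address no longer matches the 10.29.1.0/24 selector, so it leaves ng0 as plain ICMP rather than ESP.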
