Correction #16340
Routed IPsec Tunnels (VTI) Don't Allow For ANY Policy Routing
Description
I wanted to suggest a change on the docs to make something a little more clear than it currently is.
On the page about VTI tunnel configuration: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html
There is a section about Policy Routes which states:
"To policy route traffic across a routed IPsec tunnel, use the assigned IPsec interface gateway in firewall rules as usual for policy routing."
There is then a disclaimer below this that says:
This may not work as expected without NAT and/or reply-to, which require special settings. See Routed IPsec Firewall Rules for details.
This should be adjusted to state that it will not work as expected. After extensive testing in my lab, I was never able to get a policy route to work via a gateway selection with the default IPsec filter mode. I had to change it to the assigned interfaces mode in order for my firewall rule w/ a gateway selection to function at all.
The states for the rule showed it was being hit as well, but traffic would not route over the tunnel.
It's important this is more clear, since you can't have this Filter Mode enabled if you also need regular IPsec tunnels to exist, and the documentation currently makes it sound like you can use both.
Updated by Ethan Word 11 months ago
Sorry, I meant to include one more note, if I am wrong about this and the word "may" is being used intentionally, I think the docs should be updated to explain that in more depth. After much research I was not able to find evidence of a policy based route working in tunnel mode on a VTI IPsec Phase 2.
Updated by Jim Pingle 11 months ago
- Status changed from New to Rejected
There are some other scenarios out there which can work but are rare enough to not be worth detailing, but we can't unilaterally say it won't work without the other filter mode set.
Updated by Ethan Word 11 months ago
Jim Pingle wrote in #note-2:
There are some other scenarios out there which can work but are rare enough to not be worth detailing, but we can't unilaterally say it won't work without the other filter mode set.
Gotcha, that makes sense.
So maybe it should be re-worded just to be a bit more clear? Like maybe "in most situations policy based routing will not work without changing the filter mode" or something like that.
It just felt overly ambiguous to me I guess.
Updated by Georgiy Tyutyunnik 1 day ago
- Status changed from Rejected to Confirmed
tested on
26.03.1-RELEASE (amd64)
built on Wed May 20 15:19:00 UTC 2026
FreeBSD 16.0-CURRENT
Currently there are no setups where PBR works with VTI tunnels with the Group Interface enc0 type of IPsec filtering.
this needs to be highlighted in the docs
Updated by Ethan Word 1 day ago
Georgiy Tyutyunnik wrote in #note-4:
tested on
26.03.1-RELEASE (amd64)
built on Wed May 20 15:19:00 UTC 2026
FreeBSD 16.0-CURRENT
Currently there are no setups where PBR works with VTI tunnels with the Group Interface enc0 type of IPsec filtering.
this needs to be highlighted in the docs
Thanks for validating this, I hadn't tested it recently. I concur (obviously, since I posted the original lol), docs should definitely be updated.
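A quick way to catch the combination this issue is about before it bites: scan a pfSense config.xml for enabled firewall rules that select a gateway sitting on a VTI-assigned interface while the IPsec filter mode is still the default enc0 group-interface mode. This is an added example, not code from the pfSense project or from anyone in this thread. It assumes a config.xml layout that this page does not confirm: the filter mode at `ipsec/filtermode` with values `enc` (default) and `if_ipsec`, VTI kernel interfaces named `ipsecNNNN` under `interfaces/<name>/if`, and `gateways/gateway_item` and `filter/rule` elements with the child names used below. The sample config is constructed, not a real export.

```python
"""Audit a pfSense config.xml for policy-routing rules that target a VTI
gateway while IPsec filtering is still in enc0 ("enc") mode.

Assumed layout (unverified against the pfSense source):
  /pfsense/ipsec/filtermode         "enc" (default when absent) or "if_ipsec"
  /pfsense/interfaces/<optN>/if     kernel name; VTI names start with "ipsec"
  /pfsense/gateways/gateway_item    <name>, <interface> (logical name, e.g. opt3)
  /pfsense/filter/rule              <interface>, <gateway>, <descr>, <disabled>
"""
import xml.etree.ElementTree as ET

VTI_PREFIX = "ipsec"  # assumption: VTI kernel interfaces are named ipsecNNNN

# Constructed sample config for the demo; not a real pfSense export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <ipsec><filtermode>enc</filtermode></ipsec>
  <interfaces>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt3><if>ipsec1000</if><descr>VTI_SITEB</descr></opt3>
  </interfaces>
  <gateways>
    <gateway_item><name>WAN_GW</name><interface>wan</interface></gateway_item>
    <gateway_item><name>VTI_SITEB_GW</name><interface>opt3</interface></gateway_item>
  </gateways>
  <filter>
    <rule><interface>lan</interface><gateway>VTI_SITEB_GW</gateway><descr>PBR to site B</descr></rule>
    <rule><interface>lan</interface><gateway>WAN_GW</gateway><descr>PBR out WAN</descr></rule>
    <rule><interface>lan</interface><descr>default allow</descr></rule>
    <rule><disabled></disabled><interface>lan</interface><gateway>VTI_SITEB_GW</gateway><descr>old rule</descr></rule>
  </filter>
</pfsense>
"""


def filter_mode(root):
    """IPsec filter mode; a missing element is treated as the default 'enc'."""
    return (root.findtext("ipsec/filtermode") or "enc").strip()


def vti_interfaces(root):
    """Map logical interface name (e.g. 'opt3') -> kernel VTI name (e.g. 'ipsec1000')."""
    ifaces = root.find("interfaces")
    if ifaces is None:
        return {}
    return {
        iface.tag: iface.findtext("if", default="")
        for iface in ifaces
        if iface.findtext("if", default="").startswith(VTI_PREFIX)
    }


def vti_gateway_names(root, vti_ifaces):
    """Names of gateway entries whose interface is a VTI-assigned interface."""
    names = set()
    for item in root.iterfind("gateways/gateway_item"):
        if item.findtext("interface", default="") in vti_ifaces:
            names.add(item.findtext("name", default=""))
    return names


def audit(config_xml):
    """Return (filtermode, findings).

    findings is a list of (rule descr, rule interface, gateway) for every
    enabled rule that selects a VTI gateway while filtermode is 'enc'; in
    'if_ipsec' mode nothing is flagged.
    """
    root = ET.fromstring(config_xml)
    mode = filter_mode(root)
    findings = []
    if mode != "enc":
        return mode, findings
    vti_gws = vti_gateway_names(root, vti_interfaces(root))
    for rule in root.iterfind("filter/rule"):
        if rule.find("disabled") is not None:  # disabled rules never load into pf
            continue
        gw = rule.findtext("gateway")
        if gw in vti_gws:
            findings.append((rule.findtext("descr", default=""),
                             rule.findtext("interface", default=""), gw))
    return mode, findings


if __name__ == "__main__":
    mode, found = audit(SAMPLE_CONFIG)
    print(f"ipsec filtermode: {mode}")
    for descr, iface, gw in found:
        print(f"  rule '{descr}' on {iface} selects VTI gateway {gw}: "
              "policy routing will not take effect in enc0 filter mode")
```

Run it against a saved config.xml by reading the file into `audit()`; any finding means either switch the IPsec filter mode to assigned interfaces or expect the rule to match (states get created) without traffic actually leaving via the tunnel, which is exactly the symptom described above.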