Correction #16340

Routed IPsec Tunnels (VTI) Don't Allow For ANY Policy Routing

Added by Ethan Word about 2 months ago. Updated about 1 month ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

I wanted to suggest a change on the docs to make something a little more clear than it currently is.

On the page about VTI tunnel configuration: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html

There is a section about Policy Routes which states:
"To policy route traffic across a routed IPsec tunnel, use the assigned IPsec interface gateway in firewall rules as usual for policy routing."

There is then a disclaimer below this that says:
"This may not work as expected without NAT and/or reply-to, which require special settings. See Routed IPsec Firewall Rules for details."

This should be adjusted to state that it will not work as expected. After extensive testing in my lab, I was never able to get a policy route to work via a gateway selection with the default IPsec filter mode. I had to change it to the assigned interfaces mode in order for my firewall rule with a gateway selection to function at all.

The states for the rule showed it was being hit as well, but traffic would not route over the tunnel.

It's important this is made clearer, since you can't have this Filter Mode enabled if you also need regular IPsec Tunnels to exist, and the documentation currently makes it sound like you can use both.

Actions #1

Updated by Ethan Word about 2 months ago

Sorry, I meant to include one more note: if I am wrong about this and the word "may" is being used intentionally, I think the docs should be updated to explain that in more depth. After much research I was not able to find evidence of a policy-based route working in tunnel mode on a VTI IPsec Phase 2.

Actions #2

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Rejected

There are some other scenarios out there which can work but are rare enough to not be worth detailing, but we can't unilaterally say it won't work without the other filter mode set.

Actions #3

Updated by Ethan Word about 1 month ago

Jim Pingle wrote in #note-2:

There are some other scenarios out there which can work but are rare enough to not be worth detailing, but we can't unilaterally say it won't work without the other filter mode set.

Gotcha, that makes sense.

So maybe it should be re-worded just to be a bit clearer? Like maybe "in most situations policy-based routing will not work without changing the filter mode" or something like that.

It just felt overly ambiguous to me I guess.
