We are integrating with a third party and they require the use of a L2L IPsec VPN for communication. I have successfully configured the IPsec VPN and the tunnel is up, but now I cannot seem to have traffic pass through it because the source IP address is not correct (I assume). I am a software guy not a network guy so
The third party has required us to use subnet 172.31.168.0/24 but this conflicts with our internal addressing (AWS VPC) of 10.0.11.0/24. I added a 1:1 NAT for
- source: Any
- dest: <external encryption domain>
- external : 172.31.168.0/24
but doing a traceroute from the pfSense machine to an IP in the encryption domain range sends the traffic out over the internet.
I have set up an app server's default route to be the pfSense box and I can see the app server connecting to external services in the firewall log, but no IPsec related stuff?
Is what I am trying to do even possible?
Using pfSense version 2.1.5-RELEASE (amd64)
Best Answer
This is a clear indication that you do not have your IPsec Phase 2 entries configured correctly. IPsec matches traffic purely on source/dest IP subnet, and if it's not sending your desired traffic down the tunnel, you have a P2 configuration problem.
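As an added illustration (not part of the original question or answer), the following Python models the selector matching the answer describes: an outbound packet is handed to IPsec only when its source falls in a Phase 2 local network and its destination in that entry's remote network; anything else follows the ordinary routing table, which is the "goes out over the internet" symptom. It also models pfSense's per-Phase-2 NAT/BINAT translation, where the real local subnet is the selector and the peer sees the translated network. The remote encryption domain 192.0.2.0/24, the app server 10.0.11.37 and the entry names are constructed placeholders, and the `Phase2`/`select_phase2` names are this example's own, not pfSense's.

```python
"""Toy model of IPsec Phase 2 (SPD) selection with NAT/BINAT on pfSense.

Constructed assumptions, not from the original post: the peer's encryption
domain is 192.0.2.0/24 (TEST-NET-1), the app server is 10.0.11.37, IPv4 only,
outbound direction only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Phase2:
    name: str
    local: IPv4Net                    # "Local Network" on the Phase 2 entry
    remote: IPv4Net                   # "Remote Network" (peer's encryption domain)
    binat: Optional[IPv4Net] = None   # "NAT/BINAT translation" network, if any

    def __post_init__(self) -> None:
        # A 1:1 mapping needs equally sized networks, otherwise host bits collide.
        if self.binat is not None and self.binat.prefixlen != self.local.prefixlen:
            raise ValueError(f"{self.name}: BINAT prefix length must equal local prefix length")


def binat_translate(addr: IPv4Addr, inside: IPv4Net, outside: IPv4Net) -> IPv4Addr:
    """1:1 translation: keep the host bits, swap the network bits."""
    host_bits = int(addr) - int(inside.network_address)
    return IPv4Addr(int(outside.network_address) + host_bits)


def select_phase2(entries: List[Phase2], src: IPv4Addr, dst: IPv4Addr
                  ) -> Optional[Tuple[str, IPv4Addr]]:
    """Return (entry name, source address the peer will see) for the first
    Phase 2 whose selectors cover this flow. None means no policy matched, so
    the packet is routed normally (here: out the default route, unencrypted)."""
    for p2 in entries:
        if dst not in p2.remote or src not in p2.local:
            continue
        seen_by_peer = src if p2.binat is None else binat_translate(src, p2.local, p2.binat)
        return p2.name, seen_by_peer
    return None


REMOTE = IPv4Net("192.0.2.0/24")        # constructed peer encryption domain
APP_SERVER = IPv4Addr("10.0.11.37")      # constructed host in the VPC subnet
PEER_HOST = IPv4Addr("192.0.2.10")       # constructed host inside the peer domain
INTERNET_HOST = IPv4Addr("203.0.113.5")  # constructed host outside the tunnel

# The peer insists on 172.31.168.0/24, so the Phase 2 local network is set to it,
# but the real hosts live in 10.0.11.0/24: their traffic never matches a selector.
WRONG = [Phase2("p2-peer", IPv4Net("172.31.168.0/24"), REMOTE)]

# Selectors cover the real subnet; BINAT presents 172.31.168.x to the peer.
RIGHT = [Phase2("p2-peer", IPv4Net("10.0.11.0/24"), REMOTE,
                binat=IPv4Net("172.31.168.0/24"))]


def demo() -> Tuple[Optional[Tuple[str, IPv4Addr]], Optional[Tuple[str, IPv4Addr]]]:
    return (select_phase2(WRONG, APP_SERVER, PEER_HOST),
            select_phase2(RIGHT, APP_SERVER, PEER_HOST))


if __name__ == "__main__":
    wrong, right = demo()
    print("local 172.31.168.0/24, no BINAT:", wrong or "no match -> default route")
    print("local 10.0.11.0/24 + BINAT 172.31.168.0/24:", right)
```

The point of the model is that an interface 1:1 NAT rule does not change which Phase 2 selector a packet is compared against; the translation has to be part of the Phase 2 entry itself so that the installed policy covers the real source subnet.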