• IPSEC IKEv2/Openvpn not working (no traffic)

    2
    0 Votes
    2 Posts
    343 Views

    I think I found the resolution to my problem using the post below.
    Set Local Network to 0.0.0.0/0 and all seems to be fine now.

    https://forum.netgate.com/topic/137737/mobile-client-ikev2-vpn-access-to-remote-network-ipsec/2

  • Routed IPSEC with multi-wan and HA

    1
    0 Votes
    1 Posts
    316 Views
    No one has replied
  • IPSEC between 3 sites with no direct tunnel from A to C

    3
    0 Votes
    3 Posts
    381 Views

    Also see this post, it is very similar to what you're trying to do and the OP lays out his solution nicely.
    https://forum.netgate.com/topic/143368/route-traffic-between-two-ipsec-tunnels/6

  • LAN to LAN via IPSEC, not all hosts are working?

    2
    0 Votes
    2 Posts
    328 Views

    Are the subnet masks configured correctly on the target PCs? I just ran into this after changing our entire network subnet - some of the devices I had not yet rebooted were still on the old subnet.

    D.

  • 0 Votes
    3 Posts
    392 Views

    Hi @jimp

    Here is the status page, while the dashboard widget shows nothing and 0.

    Thanks!

  • VTI MTU Not Persistent

    8
    0 Votes
    8 Posts
    2k Views
    jimp

    I closed that out since it's essentially a duplicate of #9111.

    You can apply the commit ID on that issue on 2.4.4-p3 to pick up the fix there.

  • NAT over routed VTI

    7
    0 Votes
    7 Posts
    2k Views

    @ngoehring123 said in NAT over routed VTI:

    @under_tow I reported this back in March. https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti

    Unfortunately no resolution that I'm aware of.

    Thanks. Similar issue here; GRE over IPsec could work, but that would mean too many changes in our application for now.

  • IPSec ike2 apple devices any question

    7
    0 Votes
    7 Posts
    1k Views

    @Konstanti thanks for the link, I must study it.

    I'm sad to see that the pfSense book isn't up to date; we cannot see 3DES in 2019,
    and the VPN setup is quite tricky.

  • IPsec with public IP for Remote Gateway and Remote Subnet (address)

    2
    0 Votes
    2 Posts
    664 Views

    I just ran into the same issue today for a similar configuration (routing traffic directed to a public address into an IPSec tunnel).
    It appeared that I had forgotten I had a firewall rule explicitly setting the gateway for traffic directed to public addresses (for multi-WAN management).
    Once I added an Accept firewall rule with higher precedence and no gateway setting, the traffic got "naturally" tunnelled.

  • Access printer from foreign network over IPSEC (multiple locations)

    36
    0 Votes
    36 Posts
    3k Views

    @conor said in Access printer from foreign network over IPSEC (multiple locations):

    can you send me the Routes for the pfsense01 please, Diagnostics > Routes

    I see I have made a mistake in the IPs of the customer router and LAN2 (switched, same LAN). This is correct:
    I also added the new P2.

    We could also have a look via TeamViewer/telephone if you like?

  • 0 Votes
    1 Posts
    131 Views
    No one has replied
  • IPsec failover - How to do?

    1
    0 Votes
    1 Posts
    176 Views
    No one has replied
  • pfsense through IPsec routing

    1
    0 Votes
    1 Posts
    315 Views
    No one has replied
  • Routed VTI carrying IPv6

    1
    1 Votes
    1 Posts
    379 Views
    No one has replied
  • PFSense to IPCOP IPSEC

    1
    0 Votes
    1 Posts
    288 Views
    No one has replied
  • Recommended configuration for IPSEC with HA

    2
    0 Votes
    2 Posts
    2k Views
    dotdash

    Yes, you can use a CARP address as the IPSec endpoint. There is an option to sync IPSec configuration in the XMLRPC Sync options on the HA Sync page.

  • IPSEC Site-To-Site

    2
    0 Votes
    2 Posts
    360 Views

    Hello,

    I reconfigured the VPN with different encrypt algorithm and hash and it worked. Topic can be closed.

  • Routing Site-to-Site IPSec VPN traffic out OpenVPN connection

    3
    0 Votes
    3 Posts
    320 Views

    Excellent, "Don't pull routes" is NOT checked, so I think we'll be good to go.

    Thank you!

  • Route traffic between two IPSec tunnels

    6
    0 Votes
    6 Posts
    2k Views

    I've finally done it.
    @Derelict Thank You! I've actually managed to find a few ways to make it work. Learned a lot in the process.

    Best solution I found was:

    1. Add a Phase 2 tunnel between site A and B like this: site A (10.11.40.0/24) <-> site B (10.200.200.0/24).
    2. Modify the Phase 2 tunnel between site B and C and use NAT on it: site B (10.11.0.0/16 -NAT-Address-> 10.100.100.1) <-> site C (10.200.200.0/24). No configuration change was required on site C, which wasn't an option anyway :-)
    3. Remove the Outbound NAT rule @ site B that hid traffic to site C under a single IP address (10.100.100.1). This rule is no longer required because source address translation is now handled by the Phase 2 tunnel configuration itself.
    4. Remove the 10.100.100.0/24 network from site B. I no longer need this network because Phase 2 B <-> C now matches my primary local subnets.

    Final config to summarize it for anyone with similar problem (access site C from site A via site B).

    LAN addresses are as follows:
    site A - 10.11.40.1/24
    site B - 10.11.20.1/24
    site C - 10.200.200.1/24
    site C will accept traffic only from address 10.100.100.1

    Phase 2 A <-> B
    Tunnel_1: 10.11.40.0/24 <-> 10.11.20.0/24
    Tunnel_2: 10.11.40.0/24 <-> 10.200.200.0/24

    Phase 2 B <-> C
    Tunnel_1: 10.11.0.0/16 -NAT-Address-> 10.100.100.1 <-> 10.200.200.0/24

    Correct me if I'm wrong, but my conclusion is that pfSense will not send traffic to an IPsec tunnel if this traffic does not originate from a network matching the configured Phase 2 networks, even if you configure Outbound NAT for a non-P2-matching subnet and translate it to match the configured P2. Maybe it is obvious to some people, but it wasn't for me. Before pfSense I used Vyatta/VyOS, and there P2 source network evaluation took place AFTER outbound NAT was performed.

    Other solutions I've tested that worked (sort of):

    To the original configuration, add a Phase 2 between site A (10.11.40.0/24 -NAT-Address-> 10.100.100.2) and site B (10.200.200.0/24). This way traffic coming from site A matched site B's local network used in the Phase 2 tunnel between B and C.

    Split site B's network in two as @Derelict suggested:
    a. Split site B's subnet (10.100.100.0/24) into two (10.100.100.0/25 and 10.100.100.128/25)
    b. Add a Virtual IP alias for LAN @ site A (10.100.100.129/25)
    c. Create a Phase 2 between site A (10.100.100.128/25) and site B (10.200.200.0/24)
    d. For the servers that are located @ site A and need to access site C, I assigned addresses from the 10.100.100.128/25 subnet and created a static route for subnet 10.200.200.0/24 with gw 10.100.100.129. This way servers from site A will "show up" at site B with addresses that match the 10.100.100.0/24 P2 between site B and C.

    Another variant of the 2nd solution is to use routed IPsec between A and B. I haven't actually tested routed IPsec with splitting the network, but I'm positive it would work. I tested routed IPsec without splitting the 10.100.100.0/24 subnet, but it didn't work.

    I also created an OpenVPN server (p2p) between A and B. It didn't work without splitting the 10.100.100.0/24 subnet either. However, it did work with splitting the network like in the previous solutions.

    Solution number 2 config for complete picture:

    LAN addresses are as follows:
    site A - 10.11.40.1/24, 10.100.100.129/25
    site B - 10.11.20.1/24, 10.100.100.1/25
    site C - 10.200.200.1/24

    Phase 2 A <-> B
    Tunnel_1: 10.11.40.0/24 <-> 10.11.20.0/24
    Tunnel_2: 10.100.100.128/25 <-> 10.200.200.0/24

    No NAT in these tunnels.
    Servers @ site A that need to access site C have addresses assigned from the 10.100.100.129/25 subnet and a static route to 10.200.200.0/24 using 10.100.100.129 as gateway.

    Phase 2 B <-> C
    Tunnel_1: 10.100.100.0/24 <-> 10.200.200.0/24

    NAT Outbound @ site B:
    Interface (IPsec), Source (10.100.100.0/24), Destination (10.200.200.0/24), NAT Address (10.100.100.1)
    Servers @ site B that need to access site C have addresses assigned from the 10.100.100.0/25 subnet and a static route to 10.200.200.0/24 using 10.100.100.1 as gateway.

    Note: This Outbound NAT @ site B is not required in order for this to work, but it's a requirement from our Customer who controls site C to "show up" at their end only as 10.100.100.1.

    Hope it will be useful to somebody :-)
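    As an added illustration of the conclusion in the post above (this is example code written for this page, not pfSense code and not the poster's configuration), the following Python model replays the three configurations with the post's own addresses. It assumes a simplified ordering: pfSense matches the untranslated source against the Phase 2 local network and only then applies Outbound NAT, while the VyOS-style ordering the poster describes applies NAT first. The `Phase2` and `OutboundNat` classes, the `select_phase2` function and the sample hosts 10.11.40.5, 10.100.100.130 and 10.200.200.10 are all constructed for the model.

```python
"""Added example: a small model of Phase 2 selector matching vs. NAT ordering.

Illustrative code written for this page, not pfSense or strongSwan code. It
models the behaviour the post above reports: pfSense checks the packet's
*untranslated* source against the Phase 2 local network, so an Outbound NAT
rule on the IPsec interface cannot make 10.11.40.0/24 traffic fit a
10.100.100.0/24 <-> 10.200.200.0/24 tunnel, whereas the NAT/BINAT address on
the Phase 2 entry itself can. Addresses are the ones from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 (traffic selector) entry on the site B firewall (model)."""
    name: str
    local: IPv4Network
    remote: IPv4Network
    nat_address: Optional[IPv4Address] = None  # the P2 "NAT/BINAT translation" field


@dataclass(frozen=True)
class OutboundNat:
    """One Outbound NAT rule on the IPsec interface (model)."""
    source: IPv4Network
    destination: IPv4Network
    nat_address: IPv4Address


def apply_outbound_nat(src: IPv4Address, dst: IPv4Address,
                       rules: Sequence[OutboundNat]) -> IPv4Address:
    """First matching Outbound NAT rule wins; no match leaves src unchanged."""
    for rule in rules:
        if src in rule.source and dst in rule.destination:
            return rule.nat_address
    return src


def select_phase2(src: str, dst: str, phase2s: Sequence[Phase2],
                  outbound_nat: Sequence[OutboundNat] = (),
                  nat_before_match: bool = False) -> Optional[Tuple[str, IPv4Address]]:
    """Return (Phase 2 name, source address site C sees), or None if no P2 matches.

    nat_before_match=False models the pfSense ordering the poster observed;
    nat_before_match=True models the Vyatta/VyOS ordering he was used to.
    """
    s, d = ip_address(src), ip_address(dst)
    match_src = apply_outbound_nat(s, d, outbound_nat) if nat_before_match else s
    for p2 in phase2s:
        if match_src in p2.local and d in p2.remote:
            if p2.nat_address is not None:  # translation configured on the P2 itself
                return p2.name, p2.nat_address
            return p2.name, apply_outbound_nat(s, d, outbound_nat)
    return None  # no selector matched: traffic is not sent into the tunnel


SITE_C = ip_network("10.200.200.0/24")

# Original site B config: P2 B<->C for 10.100.100.0/24 plus an Outbound NAT rule
# hiding all 10.11.0.0/16 traffic towards site C behind 10.100.100.1.
ORIGINAL_P2 = [Phase2("B-C", ip_network("10.100.100.0/24"), SITE_C)]
ORIGINAL_NAT = [OutboundNat(ip_network("10.11.0.0/16"), SITE_C, ip_address("10.100.100.1"))]

# Final config: NAT moved onto the P2 entry, local network widened to 10.11.0.0/16.
FINAL_P2 = [Phase2("B-C", ip_network("10.11.0.0/16"), SITE_C,
                   nat_address=ip_address("10.100.100.1"))]

# Solution 2: site A servers carry 10.100.100.128/25 addresses, so they match the
# unchanged P2; Outbound NAT only serves the customer's "show up as .1" demand.
SOLUTION2_P2 = [Phase2("B-C", ip_network("10.100.100.0/24"), SITE_C)]
SOLUTION2_NAT = [OutboundNat(ip_network("10.100.100.0/24"), SITE_C, ip_address("10.100.100.1"))]


if __name__ == "__main__":
    host_a, host_c = "10.11.40.5", "10.200.200.10"  # constructed sample hosts
    print("original, pfSense ordering: ",
          select_phase2(host_a, host_c, ORIGINAL_P2, ORIGINAL_NAT))
    print("original, NAT-first ordering:",
          select_phase2(host_a, host_c, ORIGINAL_P2, ORIGINAL_NAT, nat_before_match=True))
    print("final (NAT on the P2):      ", select_phase2(host_a, host_c, FINAL_P2))
    print("solution 2 (/25 at site A): ",
          select_phase2("10.100.100.130", host_c, SOLUTION2_P2, SOLUTION2_NAT))
```

    Run as-is, the first line prints `None` (the original Outbound NAT rule never gets a chance to help), the second prints a match because NAT-first ordering translates the source before the selector check, and the last two print `10.100.100.1` as the address site C would see.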

  • upgrade PSK ipsec config to RSA (sophos utm <-> pfsense)

    5
    0 Votes
    5 Posts
    1k Views

    Hi Konstanti6 and anyone else reading this.

    I setup a test environment to test VPN functionality between two pfSense instances. Works so nicely and easily, and I just cannot get sophos to play along nicely.

    Instead of providing more logs (as requested) I am going to ask Sophos support to help out. In case of a clear and reproducible solution, I will post it here.

    For now I just wanted to say: kudos to pfSense, that seems SO easy to set up a site-to-site VPN with. And thanks for the response Konstanti6.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.