Routing Internet Traffic Through a Site-to-Site IPsec Tunnel
-
I have several site-to-site IPsec tunnels; I've been using them for years.
I want to route some traffic through a remote site - every 6 months or a year I try and configure it but always fail.
I have seen this netgate document, it describes exactly what I want. I just can't ever get it working.
I have Site A and Site B setup with IPsec already. I have two working phase 2 entries, routing different subnets. Works fine.
I created a 3rd subnet, any traffic in the subnet (1527CA) I want to go over the VPN and out the other side.
The instructions mentioned above say to create a phase 2 entry routing 0.0.0.0/0. That should mean everything goes over the link.
I create the entry, telling it anything from my new subnet (1527CA) goes over the IPsec link.
The issue is, when I enable it everything goes down... nothing works. I suspect it is trying to route everything from all subnets over the link. What am I doing wrong with the Phase 2 entry that is causing this?
-
@geyser
Did you add the 3rd phase 2 on the remote site as well? What does Status > IPSec show when you enable it?
What shows the log?
-
@viragomann When I activate the Phase 2 entry and then check the IPSec status, it does NOT show the new phase 2 entry. It does show the existing two that I had, but not the new one.
When I look in the logs I do see some errors that appear to be related:
parsed CREATE_CHILD_SA response 784 [N(TS_UNACCEPTED)]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
I guess that is my clue, something wrong with the child.
-
@geyser
So the remote site says that it doesn't accept the additional phase 2.
So I'd suspect that it's not configured there or has different parameters.
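The answer above comes down to one rule: a phase 2 (CHILD_SA) is only accepted if the peer has the mirror image of it, with local and remote subnets swapped, and a missing or differently-parameterised mirror produces exactly the TS_UNACCEPTABLE notify quoted in the thread. The script below is an added example, not code from the thread or from Netgate; it checks two sites' phase 2 lists for missing mirrors, lists what the peer would need to configure, and flags the rejection in strongSwan-style log lines. All subnets, and the "site" lists, are constructed placeholders (the thread names its new subnet "1527CA" without giving an address).

```python
# Added example (not from the thread): verify that two sites' phase 2
# traffic selectors mirror each other, and spot TS_UNACCEPTABLE in logs.
import ipaddress
import re

# Constructed phase 2 lists, as (local_subnet, remote_subnet) seen from
# each site. Site A's third entry is the "send this LAN everywhere"
# selector from the Netgate document; the addresses are placeholders.
SITE_A_P2 = [
    ("10.1.0.0/24", "10.2.0.0/24"),
    ("10.1.1.0/24", "10.2.1.0/24"),
    ("10.1.27.0/24", "0.0.0.0/0"),   # new subnet, default-route entry
]
# Site B still carries only the two original mirrors (the failure case).
SITE_B_P2 = [
    ("10.2.0.0/24", "10.1.0.0/24"),
    ("10.2.1.0/24", "10.1.1.0/24"),
]


def _net(text):
    """Normalise a CIDR string so 0.0.0.0/0 and 10.1.27.0/24 compare by value."""
    return ipaddress.ip_network(text, strict=False)


def unmatched_phase2(local_entries, remote_entries):
    """Return the local entries that have no mirror on the peer.

    The mirror of our (L, R) is the peer's (R, L). Anything returned here
    would be proposed by the initiator and refused by the responder with
    TS_UNACCEPTABLE, so the CHILD_SA never appears in Status > IPsec.
    """
    mirrors = {(_net(r), _net(l)) for (l, r) in remote_entries}
    return [(l, r) for (l, r) in local_entries
            if (_net(l), _net(r)) not in mirrors]


def required_peer_entries(local_entries):
    """The phase 2 list the peer must hold, written from the peer's view."""
    return [(r, l) for (l, r) in local_entries]


# Matches both the raw notify in a parsed message and the decoded message.
TS_REJECT_RE = re.compile(r"TS_UNACCEPTABLE|N\(TS_UNACCEPT")


def log_has_ts_rejection(lines):
    """True if the log shows the peer rejecting our proposed selectors."""
    return any(TS_REJECT_RE.search(line) for line in lines)


# Constructed log lines, shaped like the ones quoted in the thread.
SAMPLE_LOG = [
    "parsed CREATE_CHILD_SA response 784 [ N(TS_UNACCEPTED) ]",
    "received TS_UNACCEPTABLE notify, no CHILD_SA built",
    "failed to establish CHILD_SA, keeping IKE_SA",
]

if __name__ == "__main__":
    if log_has_ts_rejection(SAMPLE_LOG):
        print("peer rejected a traffic selector; comparing phase 2 lists")
    for local, remote in unmatched_phase2(SITE_A_P2, SITE_B_P2):
        print(f"no mirror on Site B for local={local} remote={remote}")
        print(f"  Site B needs: local={remote} remote={local}")
```

Run against the constructed lists it reports the third entry as unmatched and tells you Site B needs local 0.0.0.0/0, remote 10.1.27.0/24. Once that mirror exists the two sides negotiate the CHILD_SA; Site B then also needs an outbound NAT rule for 10.1.27.0/24 on its WAN, as the Netgate document describes, or the tunnelled traffic will leave the remote site with an unroutable source address. The mirror check is useful beyond the 0.0.0.0/0 case: any phase 2 that is present on one side only, or that differs by a single bit of prefix length, fails the same way.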