Netgate Discussion Forum
    Routing Internet Traffic Through a Site-to-Site IPsec Tunnel

    geyser

      I have several site-to-site IPsec Tunnels, been using them for years.

      I want to route some traffic through a remote site; every 6 months or a year I try to configure it but always fail.

      I have seen this netgate document, it describes exactly what I want. I just can't ever get it working.

      I have Site A and Site B set up with IPsec already. I have two working phase 2 entries, routing different subnets. Works fine.

      I created a 3rd subnet, any traffic in the subnet (1527CA) I want to go over the VPN and out the other side.

      [image: phase2.png]

      The instructions mentioned above say to create a phase 2 entry routing 0.0.0.0/0. That should mean everything goes over the link.

      I create the entry, telling it anything from my new subnet (1527CA) goes over the IPsec link.

      The issue is, when I enable it everything goes down... nothing works. I suspect it is trying to route everything from all subnets over the link. What am I doing wrong with the Phase 2 entry that is causing this?

      viragomann @geyser

        @geyser
        Did you add the 3rd phase 2 on the remote site as well?

        What does Status > IPsec show when you enable it?

        What does the log show?

        geyser @viragomann

          @viragomann When I activate the Phase 2 entry and then check the IPsec status, it does NOT show the new phase 2 entry. It does show the existing two that I had, but not the new one.

          When I look in the logs I do see some errors that appear to be related:

          parsed CREATE_CHILD_SA response 784 [N(TS_UNACCEPTED)]
          received TS_UNACCEPTABLE notify, no CHILD_SA built
          failed to establish CHILD_SA, keeping IKE_SA

          I guess that is my clue, something wrong with the child.

          viragomann @geyser

            @geyser
            So the remote site says that it doesn't accept the additional phase 2.
            So I'd suspect that it's not configured there or has different parameters.

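The TS_UNACCEPTABLE exchange in the log lines above, and viragomann's diagnosis that the remote site lacks a matching phase 2, can be reproduced in the abstract. The following is an added example for this thread, not code from the original post, from Netgate, or from strongSwan: it models the responder's IKEv2 traffic-selector (TS) check for a CREATE_CHILD_SA request, first with Site B missing the third entry (the 0.0.0.0/0 one) and then with the mirror image added. All prefixes are constructed placeholders, since the thread never gives the real subnet behind "1527CA", and the function names negotiate_child and check_all are this example's own. It deliberately ignores protocol/port selectors and multi-range selectors.

```python
"""Model IKEv2 traffic-selector (TS) negotiation for a site-to-site tunnel.

Added example for this thread; it is NOT pfSense or strongSwan code.  It
reproduces, in the abstract, why a phase 2 that exists only on Site A is
answered by Site B with TS_UNACCEPTABLE ("no CHILD_SA built"), and why the
same entry succeeds once Site B carries the mirror image.  Simplifications:
one IPv4 CIDR per selector, no protocol/port selectors.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

Selector = Tuple[str, str]  # (local_ts, remote_ts) as seen from that site


def _overlap(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Return the common part of two CIDRs (the more specific one), or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate_child(proposal: Selector,
                    responder_children: List[Selector]) -> Optional[Selector]:
    """Emulate the responder's TS check for one CREATE_CHILD_SA request.

    proposal: (TSi, TSr) from the initiator's view, i.e. its phase 2
              (local subnet, remote subnet).
    responder_children: the phase 2 entries configured on the responder,
              each (local, remote) from the responder's own view.

    The responder accepts the child only if one of its entries has a remote
    selector overlapping TSi and a local selector overlapping TSr.  IKEv2
    lets it narrow the selectors to that overlap (RFC 7296 section 2.9);
    if nothing overlaps it answers with a TS_UNACCEPTABLE notify and no
    CHILD_SA is created, which is what the charon log in the thread shows.
    Returns the (possibly narrowed) (TSi, TSr), or None on rejection.
    """
    tsi, tsr = ip_network(proposal[0]), ip_network(proposal[1])
    for r_local, r_remote in responder_children:
        narrowed_i = _overlap(tsi, ip_network(r_remote))
        narrowed_r = _overlap(tsr, ip_network(r_local))
        if narrowed_i is not None and narrowed_r is not None:
            return (str(narrowed_i), str(narrowed_r))
    return None


def check_all(site_a: List[Selector],
              site_b: List[Selector]) -> Dict[int, Optional[Selector]]:
    """Try every Site A phase 2 against Site B; None marks a TS_UNACCEPTABLE."""
    return {i: negotiate_child(p, site_b) for i, p in enumerate(site_a)}


# Constructed placeholder prefixes: the thread does not give the real ones.
SITE_A = [
    ("10.1.0.0/24", "10.2.0.0/24"),   # existing phase 2 #1
    ("10.1.1.0/24", "10.2.0.0/24"),   # existing phase 2 #2
    ("10.1.27.0/24", "0.0.0.0/0"),    # new "1527CA" subnet: everything via Site B
]
SITE_B_BEFORE = [                     # Site B never received the 3rd entry
    ("10.2.0.0/24", "10.1.0.0/24"),
    ("10.2.0.0/24", "10.1.1.0/24"),
]
SITE_B_AFTER = SITE_B_BEFORE + [      # mirror image of the 3rd entry
    ("0.0.0.0/0", "10.1.27.0/24"),
]

if __name__ == "__main__":
    for label, site_b in (("before", SITE_B_BEFORE), ("after", SITE_B_AFTER)):
        for idx, result in check_all(SITE_A, site_b).items():
            state = "CHILD_SA %s" % (result,) if result else "TS_UNACCEPTABLE"
            print("Site B %-6s phase2 #%d: %s" % (label, idx + 1, state))
```

Run stand-alone it prints the two existing phase 2 entries as accepted in both runs, and the third as TS_UNACCEPTABLE until Site B carries the mirrored entry (local 0.0.0.0/0, remote the Site A subnet). Narrowing is also visible: if Site B's mirrored entry names only a /25 of the Site A subnet, the child comes up for that /25 alone, which is the "different parameters" case viragomann mentions. The model covers TS negotiation only; what Site B then does with the traffic (routing and outbound NAT for the far side) is a separate configuration step and not represented here.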
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.