Netgate Discussion Forum

    Direct traffic in IPSECVPN Site to Site "Phase 2 Tunnels"?

isbamike

QUESTION: How do you maneuver the direction of traffic inside the IPSEC VPN Phase 2 tunnels?

      DETAILS:

I have an IPSEC Site to Site VPN connecting 2 offices, Austin and Houston. Inside the VPN are 2 x phase 2 tunnels that have "ANY" and "ANY" in the firewall rules. Basically these are wide open for multi-directional traffic using "any" protocol on "any" port. I used to use Watchguard firewalls, and when setting up the VPNs you were able to tell the phase 2 tunnels which direction traffic was authorized to flow using symbols like those below. Can someone please help me?

----------> Out

      ---------< None
      <----------- In
      <----------> In and Out

      NEEDS:

I need both subnets (AUSTIN MGMT and AUSTIN STAFF) in Austin to be able to access 1 subnet (HOUSTON STAFF) in Houston, and 1 subnet (HOUSTON STAFF) in Houston to be able to access 1 subnet (AUSTIN STAFF) in Austin.

      AUSTIN MGT                              HOUSTON STAFF
      (192.168.113.0/24  -------------> 10.77.30.0/24)

      AUSTIN STAFF                            HOUSTON STAFF
      (192.168.115.0/24 <------------> 10.77.30.0/24)

      Thank you.

Derelict (LAYER 8, Netgate)

        Look at the firewall rules on the IPsec tab. Those will pass traffic INTO that node over IPsec. Think of it like connections coming into WAN.

        You can pass or block whatever traffic you desire there.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

isbamike

          I only have 1 rule on both routers in my IPSEC firewall rules that says "Any" source to "Any" destination. Do I need to create 2 rules, 1 for each "Phase 2" tunnel?

          Before

          IPSEC-Both Routers Austin & Houston

Rule #1 PASS - Source (Network) 192.168.113.0/24 - Protocol "ANY" - Destination (Network) 10.77.30.0/24 - Protocol "ANY"

-------------------------------

          After

          IPSEC - AUSTIN Router
          Rule #1 PASS - Source (Network) 192.168.113.0/24 - Destination (Network) 10.77.30.0/24 - Protocol "ANY"
          Rule #2 PASS - Source (Network) 192.168.115.0/24 - Destination (Network) 10.77.30.0/24 - Protocol "ANY"

IPSEC - HOUSTON Router
Rule #1 PASS - Source (Network) 10.77.30.0/24 - Destination (Network) 192.168.115.0/24 - Protocol "ANY"
Rule #2 BLOCK - Source (Network) 10.77.30.0/24 - Destination (Network) 192.168.113.0/24 - Protocol "ANY"

          Like this?

Derelict (LAYER 8, Netgate)

            You need to create rules to pass, block, or reject any traffic you want to pass, block, or reject. Just like any other rules.

            It looks like you have it backward. The rules govern traffic coming into the firewall they are on. Just like any other pfSense rules.

            The rules on the Houston IPsec tab govern traffic coming into Houston from Austin. Austin is the source and Houston is the dest.
            The rules on the Austin IPsec tab govern traffic coming into Austin from Houston. Houston is the source and Austin is the dest.

            And by traffic I mean connections. You have stateful behavior there like everywhere else.


isbamike
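To make Derelict's point concrete, here is an added model (my own script, not from the thread or from pfSense) that evaluates the asker's "After" rule sets and the same rules with the two IPsec tabs swapped. It assumes pf's first-match, default-deny evaluation and, as explained above, that a new connection is checked only by the IPsec-tab rules of the site that owns the destination; the host addresses are constructed samples.

```python
import ipaddress

# Subnets from the thread and the site that owns each one.
AUSTIN_MGMT, AUSTIN_STAFF, HOUSTON_STAFF = "192.168.113.0/24", "192.168.115.0/24", "10.77.30.0/24"
SITE_OF = {AUSTIN_MGMT: "austin", AUSTIN_STAFF: "austin", HOUSTON_STAFF: "houston"}

# The asker's "After" rule sets, keyed by the router whose IPsec tab holds them.
# Each rule is (action, source network, destination network); protocol is "any".
BACKWARD = {
    "austin":  [("pass", AUSTIN_MGMT, HOUSTON_STAFF), ("pass", AUSTIN_STAFF, HOUSTON_STAFF)],
    "houston": [("pass", HOUSTON_STAFF, AUSTIN_STAFF), ("block", HOUSTON_STAFF, AUSTIN_MGMT)],
}
# Same rules with the tabs swapped: the Houston tab filters connections coming
# into Houston from Austin, the Austin tab those coming into Austin from Houston.
CORRECTED = {"austin": BACKWARD["houston"], "houston": BACKWARD["austin"]}

def site_of(ip):
    """Return the site that owns the subnet containing ip."""
    for net, site in SITE_OF.items():
        if ip in ipaddress.ip_network(net):
            return site
    raise ValueError(f"{ip} is not in any known subnet")

def first_match(rules, src, dst):
    """Rules are evaluated top-down; first match wins; no match means implicit block."""
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "block"

def connection_allowed(rulesets, src_ip, dst_ip):
    """A new connection is filtered by the IPsec-tab rules of the destination site.
    Replies to an allowed connection match the state entry and need no rule."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return first_match(rulesets[site_of(dst)], src, dst) == "pass"

# The four directions in the asker's requirements (constructed sample hosts).
FLOWS = {
    "austin_mgmt->houston_staff":  ("192.168.113.10", "10.77.30.10"),
    "austin_staff->houston_staff": ("192.168.115.10", "10.77.30.10"),
    "houston_staff->austin_staff": ("10.77.30.10", "192.168.115.10"),
    "houston_staff->austin_mgmt":  ("10.77.30.10", "192.168.113.10"),
}

def evaluate(rulesets):
    """Map each flow name to whether a new connection in that direction is passed."""
    return {name: connection_allowed(rulesets, s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, rs in (("backward", BACKWARD), ("corrected", CORRECTED)):
        print(label, evaluate(rs))
```

With the backward placement no new connection is passed in either direction; with the tabs swapped, both Austin subnets reach HOUSTON STAFF and HOUSTON STAFF reaches only AUSTIN STAFF.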

              That worked!!! Thank you very much.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.