IPSec Site-to-Site VPN , about phase 2 tunneling.

bpostaci

pfsense 2.4.3

IPSec issue.
-Configuration

Site A

WAN public IP:  11.11.11.01
WAN2 Public IP : 11.11.11.02 (Default Gateway)
LAN 192.168.2.0/24    -> Pfsense IP: 192.168.2.1
WLAN1 192.168.25.0/24  -> Pfsense IP: 192.168.25.1 Wifi AP + Radius Server (Interface 192.168.25.1) EAP-TLS

Site B
WAN pfsense IP 10.10.25.1  ->  public IP : 22.22.22.22 (NAT from different firewall almost transparent)
LAN 10.10.35.0  -> pfsense IP : 10.10.35.1

IPSec Configuration

Phase1  IkeV2 over WAN2 is working , and connection is estabilished. (I will not go in details here not important.)

If i configure redirect all trafic in Phase 2 , Site A -> Site B

Site A Phase2 configuration
Local Network -> 192.168.25.0/24
Remote Network -> 0.0.0.0/0

Firewall IPSec for both box.
IPv4 * * * *  Allow all

Site B Phase2 configuration
Local Network -> 0.0.0.0/0
Remote Network -> 192.168.25.0/24

If the connections are estabilished.

The problem , WLAN1  users unable to connect the access point anymore, DHCP or none is working.
In SiteA, in pfsense box, I can not ping the interface 192.168.25.1 niether.

If I change the configuration as below for one client.

Site A Phase2 configuration
Local Network -> 192.168.25.135/32
Remote Network -> 0.0.0.0/0

Site B Phase2 configuration
Local Network -> 0.0.0.0/0
Remote Network -> 192.168.25.135/32

There is no issues with that client (192.168.25.135) , what is my ip from browser is 22.22.22.22
There is no issue in connectivity of wifi ap for all clients.

Questions ?

• What kind of configuration missing i need to make it work , if i tunell all WLAN1 subnet trafic (192.168.25.0/24) (basically i want they use the Internet of SiteB)
  InSiteA , WLAN1 and LAN should continue access each other.

-What is the best way to make "some of the IPs" in WLAN1 subnet to use Site B Internet gateway (by not configuring each one another Phase2 in IPSec)