Routing through IPSEC tunnel
-
Dear All
I need some help as I am not very familiar with PFSense. In fact, I am not sure if I can accomplish what I am looking to do. Perhaps, one of you can let me know. Here is a background of my infrastructure
INTERNET Gateway --- LAN1 ------------ PFSense1 --------- IPSEC ----- PFSense2 ------------ LAN2

Internet Gateway: WAN xxx.xxx.xxx.xxx; LAN 192.168.1.1, mask 255.255.255.0
LAN1: 192.168.1.0, mask 255.255.255.0
PFSense1: LAN 192.168.1.2, mask 255.255.255.0, gateway 192.168.1.1; WAN 10.189.137.20, mask 255.255.255.0, gateway 10.189.137.14
PFSense2: WAN 10.189.137.47, mask 255.255.255.0, gateway 10.189.137.14; LAN 192.168.4.1, mask 255.255.255.0
LAN2: 192.168.4.0, mask 255.255.255.0

The above shows the connection I have between the 2 offices. The network where the IPSEC tunnel is established is provided by an ISP but is a private ring with no access to the internet.
I would like to provide LAN2 with direct access to the internet through LAN1. However, I need to route all traffic other than LAN2 through the IPSEC tunnel and not the default gateway on PFSense2.
Currently I am using an HTTP proxy on LAN1 to accomplish the routing. However, the proxy creates a number of problems with some applications. This is why I would like to be able to access the internet directly.
Questions:
- Is this possible with PFSense?
- What is the best way to accomplish the routing?
TIA
-
Try to set up a tunnel like 0.0.0.0/0 to 192.168.4.0/24 and see if this does the trick. You can't do routing through IPSEC. The tunnel definitions determine what goes through. Btw, what kind of connection do you have between pfSense1 and pfSense2? If it's a WLAN connection, WPA with AES should serve you better and should also be faster, as the encryption is not done by the CPU but by the NIC.
-
Thank you so much for your answer. The connection we currently have between the 2 pfSense machines is a private network segment that the ISP we use provides to businesses that need to link multiple offices together. It is a standard DSL connection without routing to the internet. All traffic stays within this ring. This is why we are doing our links with IPsec tunnels and why we need to forward to the central office for our main gateway.
I will try the tunnel you mentioned. This of course would be created on PFSense2, correct?
Thanks again
-
You have to configure both ends like this. pfSense1 has to be configured to have 0.0.0.0/0 as local subnet instead of its LAN subnet; remote subnet is 192.168.4.0/24. It's vice versa at pfSense2.
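To make the point of the two replies above concrete (the tunnel definitions, not the routing table, decide what is encapsulated, and the two ends' local/remote subnets must mirror each other), here is a small added example in Python. It is a model written for this page, not pfSense or Openswan code and not anything posted in the thread. The addresses are the ones from the thread; the "bypass" entry for LAN2-to-LAN2 traffic is an assumption made so the model keeps local traffic out of the tunnel.

```python
"""Policy-based IPsec selector matching, modelled in Python.

Added example, not code from the thread or from pfSense/Openswan. In
policy-based IPsec the phase 2 traffic selectors (local subnet <-> remote
subnet) decide what is encapsulated; the routing table does not. The
addresses are the ones from the thread. The "bypass" entry on pfSense2 is
an assumption used to keep LAN2-to-LAN2 traffic out of the tunnel here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    src: IPv4Network      # "local subnet" in the pfSense phase 2 dialog
    dst: IPv4Network      # "remote subnet"
    action: str           # "ipsec" or "bypass"
    peer: str = ""        # remote tunnel endpoint for ipsec policies

    def matches(self, s, d) -> bool:
        return s in self.src and d in self.dst

    def specificity(self) -> int:
        # more specific selectors win, like longest-prefix matching in an SPD
        return self.src.prefixlen + self.dst.prefixlen


def lookup(spd, src: str, dst: str) -> str:
    """Decide what happens to a packet src->dst leaving the firewall."""
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in spd if p.matches(s, d)]
    if not hits:
        return "cleartext"          # no selector matched: plain routing applies
    best = max(hits, key=lambda p: p.specificity())
    return "bypass" if best.action == "bypass" else f"ipsec->{best.peer}"


def ends_agree(spd_a, spd_b) -> bool:
    """Phase 2 only comes up when each end's selectors mirror the other's."""
    a = {(p.src, p.dst) for p in spd_a if p.action == "ipsec"}
    b = {(p.dst, p.src) for p in spd_b if p.action == "ipsec"}
    return a == b


# Original setup from the thread: LAN1 <-> LAN2 only.
PFSENSE1_LAN_ONLY = [Policy(ip_network("192.168.1.0/24"), ip_network("192.168.4.0/24"), "ipsec", "10.189.137.47")]
PFSENSE2_LAN_ONLY = [Policy(ip_network("192.168.4.0/24"), ip_network("192.168.1.0/24"), "ipsec", "10.189.137.20")]

# Suggested setup: local 0.0.0.0/0 on pfSense1, remote 0.0.0.0/0 on pfSense2.
PFSENSE1_DEFAULT = [Policy(ip_network("0.0.0.0/0"), ip_network("192.168.4.0/24"), "ipsec", "10.189.137.47")]
PFSENSE2_DEFAULT = [
    Policy(ip_network("192.168.4.0/24"), ip_network("0.0.0.0/0"), "ipsec", "10.189.137.20"),
    # Assumption: LAN2-to-LAN2 traffic stays local (more specific, so it wins).
    Policy(ip_network("192.168.4.0/24"), ip_network("192.168.4.0/24"), "bypass"),
]


if __name__ == "__main__":
    for name, spd in (("LAN-only", PFSENSE2_LAN_ONLY), ("0.0.0.0/0", PFSENSE2_DEFAULT)):
        print(name, "192.168.4.10 -> 8.8.8.8:", lookup(spd, "192.168.4.10", "8.8.8.8"))
        print(name, "192.168.4.10 -> 192.168.1.5:", lookup(spd, "192.168.4.10", "192.168.1.5"))
    print("ends agree:", ends_agree(PFSENSE1_DEFAULT, PFSENSE2_DEFAULT))
```

Running it shows the difference the reply describes: with LAN1 <-> LAN2 selectors, a packet from LAN2 to 8.8.8.8 matches no policy and follows pfSense2's default gateway into the ISP ring, where there is no internet; with 0.0.0.0/0 as the remote subnet it is encapsulated towards pfSense1. Two things the model does not cover still need checking: the phase 2 entries at both ends must mirror each other exactly (`ends_agree` is false as soon as one end is changed without the other), and the LAN1 gateway at 192.168.1.1 must be able to send replies for 192.168.4.0/24 back to pfSense1, either through a static route pointing at 192.168.1.2 or by having pfSense1 NAT the LAN2 traffic to its own LAN address.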
-
I have already done what your text says but it is not working ???
Any ideas?
Thanks
-
I don't know if you're still looking to do this, but I made it work …
Here is how I built the VPN; I must say that one side was a Linux Openswan though. The trick is the remote subnet and local subnet.
Even if you put 0.0.0.0/0 in remote subnet, the local traffic will remain inside, because the router seems to assign a higher metric to routes for IPsec connections.
On pfSense1 you should set the IPsec as follows; pay attention to local subnet
and on pfSense2 as follows; pay attention to remote subnet