Netgate Discussion Forum

Ipsec theory

Category: IPsec
5 Posts, 3 Posters, 4.5k Views
andyb2000, Sep 29, 2007, 9:36 PM:

Hi guys,
I've got a theory/query to run past people who have a lot more under-the-hood knowledge of pfSense.

I'm trying to achieve multiple subnets on a single IPsec tunnel. The reason for this is that I can achieve this using racoon on a standard Linux box, so I'm trying to apply the same theory to pfSense.
On Linux racoon you change spd.conf to contain the new IP block pair. So in pfSense I normally have:

    spdadd 192.168.55.0/24 192.168.55.2/32 any -P in none;
    spdadd 192.168.55.2/32 192.168.55.0/24 any -P out none;
    spdadd 192.168.55.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique;
    spdadd 192.168.2.0/24 192.168.55.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique;

So the alternative on Linux racoon would be:

    spdadd 192.168.55.0/24 192.168.55.2/32 any -P in none;
    spdadd 192.168.55.2/32 192.168.55.0/24 any -P out none;
    spdadd 192.168.55.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique;
    spdadd 192.168.2.0/24 192.168.55.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique;
    spdadd 192.168.55.0/24 192.168.66.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique;
    spdadd 192.168.66.0/24 192.168.55.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique;

So what I'd like to know is, firstly, how can I try this out, as modifying spd.conf and kill/restarting racoon doesn't seem to tear down/restart the VPN process?
And, is there any reason why this wouldn't work on this platform, i.e. is the underlying OS going to cause problems for this, or is there something I'm missing here?

Thanks for any info in advance!
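The spd.conf layout in the post generalises to any number of remote subnets: each remote subnet needs one "out" policy from the local LAN and one mirrored "in" policy back, with the tunnel endpoints swapped. The following is an added example, not code from the post, from pfSense or from racoon; it generates the setkey(8) statements for that pattern. It assumes the post's addresses (local LAN 192.168.55.0/24, gateway LAN address 192.168.55.2, public endpoints left as the placeholders xx.xx.xx.xx and yy.yy.yy.yy); the function names and the overlap check are this example's own.

```python
"""Generate setkey(8) SPD entries for a multi-subnet IPsec tunnel.

Added example; not code from the original post, pfSense or racoon. It
reproduces the layout in the post: local LAN 192.168.55.0/24 behind a
gateway whose LAN address is 192.168.55.2 and whose public address is the
placeholder xx.xx.xx.xx, and remote LANs behind the placeholder
yy.yy.yy.yy. Function names and the overlap check are this example's own.
"""
import ipaddress
from typing import Iterable, List


def check_disjoint(subnets: Iterable[str]) -> None:
    """Refuse selectors that overlap.

    Every packet should match exactly one SPD entry; two overlapping
    selectors would leave the choice to the kernel's lookup order. Strict
    parsing also rejects malformed prefixes (host bits set).
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping selectors: {a} and {b}")


def spd_policies(local_lan: str, local_gw_lan_addr: str, local_pub: str,
                 remote_lans: Iterable[str], remote_pub: str,
                 level: str = "unique") -> List[str]:
    """Return the spdadd statements for one local LAN and N remote LANs.

    Every remote subnet gets a mirrored pair: an 'out' policy from the
    local LAN (tunnel local_pub -> remote_pub) and an 'in' policy from the
    remote LAN (tunnel remote_pub -> local_pub). With level 'unique' each
    policy is bound to its own SA, so this is one IKE peer with one
    Phase 2 SA pair per subnet, not a single SA carrying all subnets.
    """
    remote_lans = list(remote_lans)
    check_disjoint([local_lan, *remote_lans])
    gw = f"{local_gw_lan_addr}/32"
    lines = [
        # Bypass entries as in the post: traffic between the gateway's own
        # LAN address and the LAN is never subject to IPsec processing.
        f"spdadd {local_lan} {gw} any -P in none;",
        f"spdadd {gw} {local_lan} any -P out none;",
    ]
    for remote in remote_lans:
        lines.append(
            f"spdadd {local_lan} {remote} any -P out ipsec "
            f"esp/tunnel/{local_pub}-{remote_pub}/{level};"
        )
        lines.append(
            f"spdadd {remote} {local_lan} any -P in ipsec "
            f"esp/tunnel/{remote_pub}-{local_pub}/{level};"
        )
    return lines


def render_spd_conf(policies: List[str]) -> str:
    """Render a file for 'setkey -f'.

    'spdflush;' clears only the policy database, so existing SAs survive
    the reload; 'flush;' would also drop the SAs and force renegotiation.
    """
    return "spdflush;\n" + "\n".join(policies) + "\n"


if __name__ == "__main__":
    print(render_spd_conf(spd_policies(
        "192.168.55.0/24", "192.168.55.2", "xx.xx.xx.xx",
        ["192.168.2.0/24", "192.168.66.0/24"], "yy.yy.yy.yy")))
```

Run as-is it prints exactly the six-line configuration from the post, preceded by `spdflush;`. The overlap check is the part worth keeping even if the rest is thrown away: adding a second remote subnet that overlaps an existing one is the easiest way to end up with traffic that silently takes the wrong policy.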
cmb, Oct 2, 2007, 3:15 AM:

You can't manually add things; they'll get stomped on. For now, for multiple subnets you have to add a tunnel for each subnet.
andyb2000, Oct 9, 2007, 10:15 AM:

Yes, I understand that the config files get overwritten when the GUI confirms/writes a change, but I'm more after working out why the functionality on a Linux-based racoon won't work in the same way as the pfSense racoon.
Mainly due to the one-way problem I have, as I posted in http://forum.pfsense.org/index.php/topic,6284.0.html

Which is why I'm trying to take apart racoon on pfSense and code it in the same way it works on a Linux box (and also adding the static routes).

If anyone can advise on either how to repair the one-way problem in my previous post, or how to force racoon to stop/start under pfSense, I should be able to crack this one.
windysails, Nov 13, 2007, 11:16 AM:

I too am trying to achieve this goal: to use an IPsec tunnel for multiple subnets at a remote endpoint. It is a little disappointing that this subject is not more active, as if this is achieved and added to RIPv2 it gives routing capability that only high-end router/firewalls give.
I have written some PHP code to enhance other pfSense abilities (support for dynamic IP for VPN) and am considering this again to provide this functionality.
Maybe a cron job that checks spd.conf and adds the required lines and reloads.
Maybe an additional PHP GUI to add the additional network would be the easiest interface.

Happy for feedback on these ideas and replies from others that may be working on this functionality. Meanwhile I am writing code and testing. :)
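The "cron job that checks spd.conf and adds the required lines" idea only works if the check is idempotent, otherwise every run appends the same policies again. The following is an added example, not pfSense code and not the PHP the poster mentions; it merges a list of required spdadd statements into an existing spd.conf, comparing statements after whitespace normalisation so a second run adds nothing. The sample spd.conf and the function names are constructed for this example. Reloading (for instance `setkey -f` on the written file) is left to the caller, and cmb's caveat above still applies: pfSense rewrites the file on the next GUI save, so anything merged this way is a stopgap, not a fix.

```python
"""Idempotent merge of required spdadd lines into an spd.conf.

Added example; not pfSense code and not the PHP mentioned in the thread.
Statements are compared in a normalised form (comments stripped,
whitespace collapsed, trailing ';' dropped) so that re-running the merge
is a no-op. The sample spd.conf below is constructed for this example.
"""
import re
from typing import List, Tuple


def normalize(stmt: str) -> str:
    """Canonical form of one setkey statement."""
    stmt = stmt.split("#", 1)[0]
    return re.sub(r"\s+", " ", stmt).strip().rstrip(";").strip()


def parse_statements(text: str) -> List[str]:
    """Normalised statements from an spd.conf, one per non-empty line."""
    return [n for n in (normalize(line) for line in text.splitlines()) if n]


def reconcile_spd(existing: str, required: List[str]) -> Tuple[str, List[str]]:
    """Return (new_text, added).

    'added' lists the required statements that were missing from
    'existing'; duplicates within 'required' are added once. When nothing
    is missing the original text is returned unchanged, so a caller can
    skip the reload entirely.
    """
    present = set(parse_statements(existing))
    added: List[str] = []
    for stmt in required:
        key = normalize(stmt)
        if key and key not in present:
            present.add(key)
            added.append(stmt.strip())
    if not added:
        return existing, []
    body = existing if existing.endswith("\n") or not existing else existing + "\n"
    return body + "\n".join(added) + "\n", added


# Constructed sample: the single-subnet configuration from the first post.
SAMPLE_SPD_CONF = """spdflush;
spdadd 192.168.55.0/24 192.168.55.2/32 any -P in none;
spdadd 192.168.55.2/32 192.168.55.0/24 any -P out none;
spdadd 192.168.55.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique;
spdadd 192.168.2.0/24 192.168.55.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique;
"""

# The mirrored pair for the second remote subnet from the first post.
REQUIRED_FOR_SECOND_SUBNET = [
    "spdadd 192.168.55.0/24 192.168.66.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique;",
    "spdadd 192.168.66.0/24 192.168.55.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique;",
]

if __name__ == "__main__":
    text, added = reconcile_spd(SAMPLE_SPD_CONF, REQUIRED_FOR_SECOND_SUBNET)
    print(f"added {len(added)} statement(s)")
    print(text, end="")
    # A second pass over the merged text adds nothing.
    _, again = reconcile_spd(text, REQUIRED_FOR_SECOND_SUBNET)
    print(f"second pass added {len(again)} statement(s)")
```

The returned `added` list is what a cron wrapper should key its reload on: write the file and run the reload only when it is non-empty, which also keeps the log quiet on the normal no-change run.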
andyb2000, Nov 13, 2007, 12:23 PM:

Hi,
Unfortunately I have given up on pfSense, and done an install using Voyage Linux to my machine and done this using traditional iptables/racoon, etc., which works no problem.

Thanks again for your feedback.
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.