IPSec VPN and routing
-
so I want to set up the following scenario
I have a main office
network 10.0.0.0/24
and I have branch offices
network 10.0.1.0/24
network 10.0.2.0/24
network 10.0.3.0/24
network 10.0.4.0/24
network 10.0.5.0/24
network 10.0.6.0/24
network 10.0.7.0/24
network 10.0.8.0/24
network 10.0.9.0/24
network 10.0.10.0/24
all branch networks need to be able to access each other, so 2.0 needs access to 9.0
all sites are using pfsense firewall and are going to have vpn access back to the main site.
My question is how do I program the routing in pfsense for each network to go over the vpn?
-
It's just a matter of having the routes set up properly on the clients. The real answer depends on whether or not you set them up in a shared key setup, with a separate tunnel to each branch, or if you did a PKI setup and there is only one server instance.
-
If all the clients have the pfsense firewall on their site as their gateway.
Which would be the better solution the PKI setup or the shared key setup?
Where would I specify the routing options in pfsense?
-
The routing for OpenVPN is done in OpenVPN - on the custom options.
For a multi-site setup like that I would do PKI ( http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29 ) - but it's really up to you.
If you do PKI, on the server side you can just push a route to all the client sites for all of those networks. Otherwise you need to add a route statement for each network to every client config.
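The push/iroute layout the reply above describes, written out for the ten branch networks in this thread as an added example (not code from the reply or from pfSense): the server config gets a kernel `route` for every branch subnet plus a pushed route to the main office, and each branch's client-config-dir file carries an `iroute` for its own subnet and pushed routes for all the other branches. It assumes the branch certificates have common names branch1..branch10 and that the ccd directory is named `ccd`; both are assumptions.

```sh
#!/bin/sh
# Constructed example: emit the OpenVPN server-side routing lines for a
# main office (10.0.0.0/24) with N branch sites (10.0.N.0/24) behind one
# PKI server instance. Branch-to-branch traffic passes through the main
# office's routing table and firewall rules, so no client-to-client here.

MAIN_NET="10.0.0.0 255.255.255.0"

branch_net() { printf '10.0.%d.0 255.255.255.0' "$1"; }

# Global server config fragment: route every branch subnet to the tun
# interface, tell the server where per-client files live, and push the
# main office network to every client.
gen_server_routes() {
  n=$1; i=1
  while [ "$i" -le "$n" ]; do
    printf 'route %s\n' "$(branch_net "$i")"
    i=$((i + 1))
  done
  echo 'client-config-dir ccd'
  printf 'push "route %s"\n' "$MAIN_NET"
}

# ccd/branchK: claim branch K's subnet with iroute, push every other
# branch subnet, but never push a client a route to its own LAN.
gen_ccd() {
  n=$1; k=$2; i=1
  printf 'iroute %s\n' "$(branch_net "$k")"
  while [ "$i" -le "$n" ]; do
    if [ "$i" -ne "$k" ]; then
      printf 'push "route %s"\n' "$(branch_net "$i")"
    fi
    i=$((i + 1))
  done
}

# Write server-routes.conf and ccd/branch1..branchN under directory $1.
write_configs() {
  out=$1; n=$2; k=1
  mkdir -p "$out/ccd"
  gen_server_routes "$n" > "$out/server-routes.conf"
  while [ "$k" -le "$n" ]; do
    gen_ccd "$n" "$k" > "$out/ccd/branch$k"
    k=$((k + 1))
  done
}

if [ "$#" -gt 0 ]; then write_configs "$1" 10; fi
```

On pfSense the server-side lines go into the OpenVPN server's custom options field; the ccd files must match each branch's certificate common name or the iroute is never applied.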
-
If I understand you correctly, in this example if one connects all the branch nodes to the main office node with separate IPSEC tunnels for each branch node, then the main office subnet can be seen by each branch node and vice versa (with the proper firewall rules). However branch node 2 cannot access the branch node 9 subnet and vice versa.
Is that statement correct?
Also if I understand you correctly, you can use OpenVPN instead to accomplish this (if all equipment supports it)?
A real world example would be if users in branch node 9 want to print to a printer in branch node 2 and also must print to a printer in the main office node.
-
Sounds about right. IPsec makes that much more difficult to accomplish. It's possible, but not pretty.
-
I'm in a situation similar to Nemus. There is a Cisco 800 series in place and I need to connect up several remote locations to it. The remote locations also need to talk to one another. I know that the Cisco should support IPSec but not so sure about OpenVPN. The remote locations can use pfSense boxes but it looks like I will have to toss the Cisco for another pfSense box to make it all work well. The environment is more complex as it is being decentralized and the main services will be colocated.
Looks like I'll investigate OpenVPN as a solution. Thanks for the help.
-
That would be possible with the Cisco as well, you'd just have to add all of the possible network combinations into the ACL for the IPsec config on that end.
Still ugly, but it would work.
If you can't use OpenVPN you might be better off just making tunnels between each router instead of trying to "route" them all through the main office.