    Two IPSec Site to Site connections

    13 Posts 4 Posters 5.2k Views
    szop

      Hello all,

      I have a problem creating two IPSec Site to Site connections between two locations. I have two pfSense 2.0.1 systems on which I've successfully established the first IPSec connection, which routes the data LAN traffic. The idea is to establish two different VPN connections because our data LAN is separated from the phone LAN. Here is my configuration:

      LAN is for data and has following network addresses:
      Hamburg - 192.168.103.0/24
      Berlin - 192.168.30.0/24

      OPT1 (second pfSense) and OPT2 (first pfSense) are for phones and have following network addresses:
      Hamburg - 172.16.40.0/24
      Berlin - 172.16.30.0/24

      Here the IPSec config overview in Hamburg:

      http://screencast.com/t/Jnsgc3hQ0Q

      Phase 1:
      http://screencast.com/t/pAIag3SCZJ

      I've disabled NAT-T and DPD too.

      Phase 2: Hamburg data LAN
      http://screencast.com/t/nX6ovoYVr

      Phase 2: Hamburg phone LAN
      http://screencast.com/t/VmmNQSL2lbI

      Here the IPSec config overview in Berlin:

      http://screencast.com/t/5nSwJwqvNw

      Phase 1:
      http://screencast.com/t/4ThtcR64

      Phase 2: Berlin data LAN
      http://screencast.com/t/Pp5usMVQx

      Phase 2: Berlin phone LAN
      http://screencast.com/t/sWrwrNyHWt

      I've also set the IPSec Firewall rule to allow any port/network/etc to any on both sides. Maybe someone can help me out with that.

      PS: When I try tracert to Hamburg phone LAN on a Berlin machine, I get following answer:

      http://screencast.com/t/JSBn3yROKZa

      Same on the Hamburg to Berlin phone LAN:

      http://screencast.com/t/u3PY0b03mb

      But this means the phone LAN packets are going out through the gateway but don't know where to go, right :/?

      I know it's very confusing to follow all the screens and double check the configuration, but maybe someone can help me out with that. I would really appreciate it.

      Cheers,
      Szop

      szop

        Hello again,

        Since nobody seems to have an answer to my case, maybe I just need to provide more information? I've made a small picture of our network topology and how we want to realize our solution. Sorry that I had to upload it to another platform.

        Link: http://s7.directupload.net/file/d/2792/3huhtk8k_jpg.htm

        szop

          No ideas? Is it even possible to establish two connections via one WAN between two sites with different LANs?

          pingulino

            You may have just a routing/gateway problem, but it's hard to tell for sure. We need to establish exactly where it goes wrong.

            1. Check the log for IPsec. Any errors?
            2. Under Status -> IPsec:
               • Overview: Is the button on the right side red, yellow or green? If yellow, click on the arrow to start the tunnel.
               • SAD / SPD: Anything here? There should be 2 entries for each active tunnel.
            3. Check the output of "netstat -r".
            szop

              Thanks for the effort to help me out with this issue. I'm stuck for days now and still have no idea how to solve my problem. Here is the information you asked for.

              1. IPSec log since this morning:

              http://screencast.com/t/CCE5vprg
              http://screencast.com/t/PDYwrZ0f

              2. The status seems to be okay:

              Overview: http://screencast.com/t/jPGfjV89E0h. Both local IPs are the same IPs and both remote IPs are the same IPs as well.
              SAD: http://screencast.com/t/4FCkpb0f74Lk
              SPD: http://screencast.com/t/b2MsG92VxJpk

              3. Routing tables (netstat -r):
              Routing tables

              Internet:
              Destination        Gateway            Flags    Refs      Use  Netif Expire
              default            217.5.98.27        UGS        0    6589 pppoe2
              google-public-dns- 217.5.98.27        UGHS        0    14289 pppoe2
              10.0.0.0          link#3            U          0        0    em2
              10.0.0.2          link#3            UHS        0        0    lo0
              p578bb5c6.dip0.t-i localhost          UH          0        0    lo0
              w2.rc.vip.ch1.yaho 10.0.0.1          UGHS        0    14309    em2
              localhost          link#7            UH          0    1116    lo0
              172.16.40.0        link#1            U          0      817    em0
              172.16.40.254      link#1            UHS        0        0    lo0
              192.168.66.0      192.168.66.2      UGS        0        0 ovpns2
              192.168.66.1      localhost          UH          0        0    lo0
              192.168.66.2      link#11            UH          0        0 ovpns2
              192.168.88.0      192.168.88.2      UGS        0      10 ovpns1
              192.168.88.1      localhost          UH          0        0    lo0
              192.168.88.2      link#10            UH          0        0 ovpns1
              192.168.103.0      link#2            U          0  9117420    em1
              pfsense            link#2            UHS        0        0    lo0
              dnsp03.hansenet.de 10.0.0.1          UGHS        0    57959    em2
              dnsp02.hansenet.de 10.0.0.1          UGHS        0    57961    em2
              217.5.98.27        link#9            UH          0        0 pppoe2
              n-lb-a01.isp.t-ipn 217.5.98.27        UGHS        0    57950 pppoe2
              m-lb-a01.isp.t-ipn 217.5.98.27        UGHS        0    57951 pppoe2

              Internet6:
              Destination        Gateway            Flags      Netif Expire
              localhost          localhost          UH          lo0
              fe80::%em0        link#1            U          em0
              fe80::206:4fff:fe8 link#1            UHS        lo0
              fe80::%em1        link#2            U          em1
              fe80::206:4fff:fe8 link#2            UHS        lo0
              fe80::%em2        link#3            U          em2
              fe80::206:4fff:fe8 link#3            UHS        lo0
              fe80::%em3        link#4            U          em3
              fe80::206:4fff:fe8 link#4            UHS        lo0
              fe80::%lo0        link#7            U          lo0
              fe80::1%lo0        link#7            UHS        lo0
              fe80::%pppoe2      link#9            U        pppoe2
              fe80::206:4fff:fe8 link#9            UHS        lo0
              fe80::206:4fff:fe8 link#10            UHS        lo0
              fe80::206:4fff:fe8 link#11            UHS        lo0
              ff01:1::          fe80::206:4fff:fe8 U          em0
              ff01:2::          fe80::206:4fff:fe8 U          em1
              ff01:3::          fe80::206:4fff:fe8 U          em2
              ff01:4::          fe80::206:4fff:fe8 U          em3
              ff01:7::          localhost          U          lo0
              ff01:9::          fe80::206:4fff:fe8 U        pppoe2
              ff01:a::          fe80::206:4fff:fe8 U        ovpns1
              ff01:b::          fe80::206:4fff:fe8 U        ovpns2
              ff02::%em0        fe80::206:4fff:fe8 U          em0
              ff02::%em1        fe80::206:4fff:fe8 U          em1
              ff02::%em2        fe80::206:4fff:fe8 U          em2
              ff02::%em3        fe80::206:4fff:fe8 U          em3
              ff02::%lo0        localhost          U          lo0
              ff02::%pppoe2      fe80::206:4fff:fe8 U        pppoe2
              ff02::%ovpns1      fe80::206:4fff:fe8 U        ovpns1
              ff02::%ovpns2      fe80::206:4fff:fe8 U        ovpns2

              Thanks again and in advance.

              Cheers,
              Szop

              cmb

                Your IPsec config is fine since you have SADs. The routing table has no relevance to IPsec. My first guess is you're blocking traffic by not allowing what is needed in the IPsec firewall rules.

                szop

                  Thanks for the reply. Do you mean this: http://screencast.com/t/iC0iLMc0ZE ?

                  Do I need a separate rule for each IPSec connection?

                  Cheers,
                  Szop

                  Zeon

                    I'm not sure if this is relevant but have you made sure that the block private address space isn't enabled on the opt2 interfaces? This has caught me out before. If you like I'm more than happy to login and take a look for you.

                    szop

                      Hey, thanks for your reply. Unfortunately the private network blocks have already been disabled :( :
                      http://screencast.com/t/GWnp5ebgny

                      This drives me nuts…

                      Here is a post that seems similar to mine: http://forum.pfsense.org/index.php/topic,33900.0.html
                      Is it even possible to create two separate IPSec tunnels over one WAN to another WAN?

                      cmb

                        As long as you have an allow all rule as shown in the screenshot above, on both sides on the IPsec tab, you're good with rules. Block private networks doesn't apply to traffic within IPsec.

                        @szop:

                        Is it even possible to create two separate IPSec tunnels over one WAN to another WAN?

                        Yes, it's extremely common, widely done.

                        Next troubleshooting step is to start a continuous ping from one side to the other. Start packet captures on each hop along the way to see where the traffic is getting and isn't getting. Start with the internal interface on the side where the traffic is initiated, if you don't see it there you have local routing issues on that network and/or the host initiating the traffic. If you do see it there, move the capture to the IPsec interface. Then the IPsec interface of the remote host, then the LAN interface of the remote host. Report back where you are no longer seeing the traffic.

                        szop

                          Oh my God! I was able to ping from pfSense to pfSense directly, but not from the network! Also I am able to ping my whole network from the pfSense boxes, like 172.16.40.254 -> 172.16.40.16 and back. But I can't ping from the network over the tunnel. Same behavior on both sides.

                          cmb

                            That would be a wrong default gateway on the hosts, or a host based firewall.

                            szop

                              I guess that I've found the mistake now, and I'm a bit ashamed of this because I think I've wasted a lot of your time. I had no firewall rule on OPT2 and OPT1, so I wasn't able to ping from the network to the gateway. I thought I just needed a firewall rule on the IPSec tab to route traffic over the IPSec VPN to the destination network. In my last post I said that I was able to ping from pfSense to the network, like 172.16.40.254 -> 172.16.40.16 and back, but somehow I made a mistake, because the second time I tried I was not able to :/, just pfSense to network like 172.16.40.254 -> 172.16.40.16 and pfSense to pfSense and its network like 172.16.40.254 -> 172.16.30.254 and 172.16.30.1.

                              Besides that I had to manually add routes on my Windows machines over the command line. You can print the help of "route" by typing "route" into the command line. As you can see, I've manually added a static route on this PC: http://screencast.com/t/ixe55rM45Mk8. You can see that the routing works now: http://screencast.com/t/fKmkbkHu

                              Thanks a lot for this great support on this forum!

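The hop-by-hop method cmb describes (capture on the originating LAN, then the IPsec interface, then the remote IPsec interface, then the remote LAN) and the two root causes szop found (no pass rules on the OPT1/OPT2 tabs, and Windows hosts without a route back through pfSense) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from pfSense; it uses the thread's addresses (172.16.40.0/24 behind 172.16.40.254 in Hamburg on OPT2, 172.16.30.0/24 in Berlin on OPT1) and assumes 172.16.30.254 is the Berlin pfSense and that the hosts .16 and the alternative gateway 172.16.30.1 are constructed. The model encodes the rule that matters here: pf evaluates the rules of the tab for the interface a packet enters on, so traffic from the phone LAN is judged by the OPT tab on the way in and by the IPsec tab only when it arrives from the tunnel on the far side.

```python
"""Added example (not from the thread): where a ping between the two phone LANs
is dropped, walked hop by hop the way cmb suggests capturing it.
Addresses come from the thread; hosts .16 and gateway 172.16.30.1 are constructed,
and 172.16.30.254 is assumed to be the Berlin pfSense."""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def net(s):
    return ipaddress.IPv4Network(s)


def ip(s):
    return ipaddress.IPv4Address(s)


@dataclass
class Site:
    name: str
    phone_net: ipaddress.IPv4Network
    phone_gw: ipaddress.IPv4Address      # pfSense address on its phone interface
    phone_tab: str                       # firewall tab of that interface (OPT1/OPT2)
    rules: dict = field(default_factory=dict)   # tab -> [(src_net, dst_net)] pass rules
    phase2: list = field(default_factory=list)  # [(local_net, remote_net)] Phase 2 selectors


def passes(site, tab, src, dst):
    """pf evaluates the rules of the tab for the interface the packet ENTERS on.
    No matching pass rule means the default deny drops it."""
    return any(src in s and dst in d for s, d in site.rules.get(tab, []))


def in_spd(site, src, dst):
    """A packet only enters the tunnel (enc0) if it matches a Phase 2 selector."""
    return any(src in l and dst in r for l, r in site.phase2)


def trace(local, remote, src, dst, host_gw):
    """Return the first hop where the echo request disappears, or 'delivered'."""
    src, dst, host_gw = ip(src), ip(dst), ip(host_gw)
    if host_gw != local.phone_gw:             # capture on local phone LAN shows nothing
        return f"host: {src} sends to {host_gw}, not pfSense {local.phone_gw}"
    if not passes(local, local.phone_tab, src, dst):   # seen on LAN, not on enc0
        return f"{local.name} {local.phone_tab}: no pass rule for {src} -> {dst}"
    if not in_spd(local, src, dst):           # routed to WAN in the clear, not tunnelled
        return f"{local.name} IPsec: no Phase 2 covers {src} -> {dst}"
    if not passes(remote, "IPsec", src, dst):  # seen on remote enc0, not on remote LAN
        return f"{remote.name} IPsec tab: no pass rule for {src} -> {dst}"
    return "delivered"


def ping(local, remote, src, dst, src_gw, dst_gw):
    """Request plus reply. pf keeps state, so the reply needs no OPT rule on the
    remote side, but the remote host still needs a route back via its pfSense."""
    forward = trace(local, remote, src, dst, src_gw)
    if forward != "delivered":
        return forward
    if ip(dst_gw) != remote.phone_gw:
        return f"reply: {dst} has no route to {src} via {remote.phone_gw}"
    return "reply received"


def build_sites(opt_rules):
    hamburg = Site("Hamburg", net("172.16.40.0/24"), ip("172.16.40.254"), "OPT2")
    berlin = Site("Berlin", net("172.16.30.0/24"), ip("172.16.30.254"), "OPT1")
    hamburg.phase2 = [(hamburg.phone_net, berlin.phone_net)]
    berlin.phase2 = [(berlin.phone_net, hamburg.phone_net)]
    for site in (hamburg, berlin):
        site.rules["IPsec"] = [(ANY, ANY)]        # the "allow any" IPsec rule szop had
    if opt_rules:                                 # the rules szop was missing
        hamburg.rules["OPT2"] = [(hamburg.phone_net, ANY)]
        berlin.rules["OPT1"] = [(berlin.phone_net, ANY)]
    return hamburg, berlin


def berlin_to_hamburg(opt_rules, berlin_host_gw="172.16.30.254",
                      hamburg_host_gw="172.16.40.254"):
    hamburg, berlin = build_sites(opt_rules)
    return ping(berlin, hamburg, "172.16.30.16", "172.16.40.16",
                berlin_host_gw, hamburg_host_gw)


if __name__ == "__main__":
    print(berlin_to_hamburg(False))                      # dropped on Berlin OPT1
    print(berlin_to_hamburg(True, berlin_host_gw="172.16.30.1"))   # wrong host gateway
    print(berlin_to_hamburg(True))                       # reply received
```

The first run reproduces the thread's symptom: with pass rules only on the IPsec tab the request is visible on the Berlin phone interface but never reaches enc0, because the OPT1 tab has nothing to match it. The second shows the other cause, a host whose default gateway is not pfSense, which is what szop worked around with a static route on the Windows machines. Only with both fixed does the reply come back.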
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.