Netgate Discussion Forum

Reach another network through an IPSEC Tunnel (PFSENSE 2.1.5)

IPsec
vianneyjs:

Hi guys,

I have tried to resolve this issue myself, but I haven't been able to resolve it.

I have done my research regarding this particular scenario, but I haven't found any solution yet.

Network setup:

Site A ---- IPSec Tunnel ---- Site B ---- Connected via RF ---- Site C (no direct internet on this site)

-> Site A and Site B are connected via an IPSEC Tunnel with PFSENSE on both sites, all the network traffic between them works perfectly.

-> Site B and Site C are connected via RF, all the network traffic between them works perfectly. Site B shares its internet access (Proxy Server) with Site C, so there is no direct internet access provided by an ISP on Site C.

-> I would like to have full bidirectional connectivity between Site A and Site C via the PFSENSE IPSEC Tunnel or a fully routed network for these three sites.

Is there any way to accomplish this task?

Thank you!

P3R:

@vianneyjs: "Is there any way to accomplish this task?"

I can't find anything in the information you have supplied so far indicating that it couldn't work.

My initial guess is that you have a routing issue.

I think you need to explain what exactly your IP network addressing looks like on both sides for anybody to be able to help you.

vianneyjs:

Hi P3R,

Here are the IP addressing details:

-> Site A Subnet: 172.20.1.0/24
   Default Gateway for the LAN clients: 172.20.1.1 (PFSENSE VA)
   IPSEC Tunnel to SITE B
   * Tried static routes and access rules for the Site C subnet on the PFSENSE of this site with no success: not able to reach the Site C subnet

-> Site B Subnet: 172.20.2.0/24
   Default Gateway for the LAN clients: 172.20.2.1 (PFSENSE VA)
   IPSEC Tunnel to SITE A
   RF Device IP: 172.20.2.2 (Ubiquiti Bullet - Access Point Mode)
   Static route for the Site C subnet (172.20.3.0/24) on the PFSENSE (Site B) with the gateway 172.20.2.2 (LAN Interface - Ubiquiti Bullet)

-> Site C Subnet: 172.20.3.0/24
   Default Gateway for the LAN clients: 172.20.3.1 (RF Device - Ubiquiti Bullet)
   RF Device IP: 172.20.3.1 (Ubiquiti Bullet - Bridge Mode)
   Static route for the Site B subnet (172.20.2.0/24) on the RF Device with the gateway 172.20.2.2 (WAN Interface - Ubiquiti Bullet)
   Static route for the Site A subnet (172.20.1.0/24) on the RF Device with the gateway 172.20.2.1 (PFSENSE Site B)

NOTE: Site A and Site B used to be connected with a dedicated line using a Cisco router; back then the three subnets were fully routed.

Please let me know if you need further information or explanation.

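The addressing above points at why static routes alone did not work on Site A's pfSense: in pfSense 2.1.5 IPsec is policy-based, so a packet only enters the tunnel when its source/destination pair matches a Phase 2 entry, and a static route for 172.20.3.0/24 never pushes traffic into the A-B tunnel. The Python model below is an added example, not code from the thread or from pfSense. It reuses the posted addresses, uses placeholder gateway labels (wan_gw, static_gw) where the thread gives none, and the helper names (Phase2, forward, trace_a_to_c) are this example's own. It traces a request from Site A to Site C and its reply, first with the configuration as posted, then with an extra Phase 2 for 172.20.1.0/24 <-> 172.20.3.0/24 on both tunnel ends.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry: a local/remote subnet pair bound to a peer."""
    local: str
    remote: str
    peer: str


def select_tunnel(phase2s, src, dst):
    """Return the peer whose Phase 2 covers (src, dst), or None if no entry matches."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in phase2s:
        if s in ip_network(p2.local) and d in ip_network(p2.remote):
            return p2.peer
    return None


def next_hop(routes, dst):
    """Longest-prefix match over a {prefix: gateway} routing table."""
    d = ip_address(dst)
    matches = [ip_network(p) for p in routes if d in ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]


def forward(phase2s, routes, src, dst):
    """Model of how a policy-based IPsec box handles one packet: a Phase 2
    match wins and the packet is encapsulated toward that peer no matter what
    the routing table says; otherwise the routing table decides, and with no
    route at all the packet is dropped."""
    peer = select_tunnel(phase2s, src, dst)
    if peer is not None:
        return f"ipsec:{peer}"
    gw = next_hop(routes, dst)
    return f"route:{gw}" if gw else "drop"


# Site A as posted: one Phase 2 (A<->B) and a default route.
# "wan_gw" is a placeholder; the thread never gives Site A's WAN gateway.
SITE_A_P2 = [Phase2("172.20.1.0/24", "172.20.2.0/24", "siteB")]
SITE_A_ROUTES = {"0.0.0.0/0": "wan_gw"}
# The poster's attempt: a static route for Site C. Its gateway is not stated
# in the thread, so "static_gw" is a placeholder too.
SITE_A_ROUTES_WITH_STATIC = {**SITE_A_ROUTES, "172.20.3.0/24": "static_gw"}
# What the traffic actually needs: a second Phase 2 covering A<->C on the same peer.
SITE_A_P2_FIXED = SITE_A_P2 + [Phase2("172.20.1.0/24", "172.20.3.0/24", "siteB")]

# Site B as posted: Phase 2 (B<->A) and the static route for Site C via the Bullet.
SITE_B_P2 = [Phase2("172.20.2.0/24", "172.20.1.0/24", "siteA")]
SITE_B_ROUTES = {"0.0.0.0/0": "wan_gw", "172.20.3.0/24": "172.20.2.2"}
# Mirror entry so Site C sources are covered on the B side as well.
SITE_B_P2_FIXED = SITE_B_P2 + [Phase2("172.20.3.0/24", "172.20.1.0/24", "siteA")]


def trace_a_to_c(site_a_p2, site_a_routes, site_b_p2, site_b_routes):
    """Follow one request from a Site A host (172.20.1.10) to a Site C host
    (172.20.3.10) and the reply, reporting the decision at each pfSense hop.
    Hosts addresses are constructed; the subnets are the posted ones."""
    req_at_a = forward(site_a_p2, site_a_routes, "172.20.1.10", "172.20.3.10")
    # Only traffic that actually entered the tunnel is decapsulated at Site B.
    if not req_at_a.startswith("ipsec:"):
        return {"request_at_A": req_at_a,
                "request_at_B": "never arrives",
                "reply_at_B": "n/a"}
    req_at_b = forward(site_b_p2, site_b_routes, "172.20.1.10", "172.20.3.10")
    reply_at_b = forward(site_b_p2, site_b_routes, "172.20.3.10", "172.20.1.10")
    return {"request_at_A": req_at_a,
            "request_at_B": req_at_b,
            "reply_at_B": reply_at_b}


if __name__ == "__main__":
    print("as posted, with static route:",
          trace_a_to_c(SITE_A_P2, SITE_A_ROUTES_WITH_STATIC, SITE_B_P2, SITE_B_ROUTES))
    print("extra Phase 2 on Site A only:",
          trace_a_to_c(SITE_A_P2_FIXED, SITE_A_ROUTES, SITE_B_P2, SITE_B_ROUTES))
    print("extra Phase 2 on both sides: ",
          trace_a_to_c(SITE_A_P2_FIXED, SITE_A_ROUTES, SITE_B_P2_FIXED, SITE_B_ROUTES))
```

With the configuration as posted the request leaves Site A toward the static or default gateway instead of the tunnel, so Site B never sees it. Adding the Phase 2 on Site A alone gets the request to Site B and on to the Bullet at 172.20.2.2, but the reply from 172.20.3.10 matches no Phase 2 on Site B and follows the default route out the WAN. Only with the mirrored Phase 2 on both ends does the reply go back through the tunnel. On a real box the firewall rules on the pfSense IPsec tab still have to permit the 172.20.3.0/24 traffic, and the Bullet at Site C already has its route for 172.20.1.0/24 via 172.20.2.1 as posted.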
kejianshi:

If you want every network to talk to every other network, have you considered a full mesh network, such as tinc?

vianneyjs:

Hi kejianshi,

I have not considered TINC, actually I didn't even know it exists.

Based on the info I provided, do you think it would be possible to communicate Site A and Site C?

Do you have experience with TINC? Considerations TINC vs IPSEC?

Thank you.

kejianshi:

No. But a while ago me and a librarian talked about this, since she was having problems similar to yours with having multiple sites and wanting all sites to talk equally with all other sites, and she went with tinc and reported that it worked well.

I haven't had a need for it, but she did and said it worked well. That was a year or two ago.

vianneyjs:

I will give it a shot then.

Do you know if TINC is an additional package to install on PFSENSE?
Fully compatible?

So, your closing thoughts for this particular network configuration are that with IPSEC there's no way to satisfy my needs?

kejianshi:

Tinc worked fine for her when she was having the same issues as you, and tinc is a package in pfsense.

I have never tried to use ipsec to do what you need because I consider ipsec to be an enormous pain in the rear.

I've used it a bit in the past, but for every use scenario I had for it, using openvpn always seemed much better and more reliable.

kejianshi:

You know, I was having sort of a similar problem with wanting resources at lots of different sites to be able to see each other's web pages without having to have it open to the world. The problem was easily solved by installing IPV6 static addresses on the pfsense routers and clients and allowing those addresses on the WAN of all the pfsense boxes.

So now all my sites are visible from each individual site. I love IPV6. It's just too simple.

kejianshi:

Another guy was having similar issues and he set up tinc today and said it worked great, was easy, and he was going to stick with it.

vianneyjs:

Interesting.

Did he post his experience here in the community forums?

kejianshi:

Yes, very briefly.

vianneyjs:

This network is not IPV6 ready yet…

I have no experience with Openvpn. Do you know if this will work with this protocol instead of TINC? I feel like Openvpn would be more robust and stable than TINC running on PFSENSE.

Any thoughts?

kejianshi:

For your applications, TINC is better. But a pfsense openvpn client with a TAP interface can do it.

I really only use openvpn for "road warrior" type configurations on end clients.

I think that's what it does best.

But it is flexible, and if you handle routing correctly you can get what you want from it.
