IPSEC VPN and route traffic between Tunnels.
-
Hi there.
Is it possible for Pfsense to for instance have two ipsec tunnels , like A and B where A remote network is 10.10.10.0/24 and B remote network is 10.10.11.0/24 so that remote net A can reach remote net B through the IPSEC tunnel to pfsense ? Like a hub and spoke . -
Should be possible. Just set up static or dynamic routing. I'll set up a little scenario to explain.
We have routers RA, RB, and RC. RA will be the hub and RB and RC will be the spokes.
RB has local network 10.10.10.0/24
RC has local network 10.10.11.0/24Setup your IPSec site-to-site between RA to RB and RA to RC.
Now all the routers need to know how to get to each network. This is where the static routes come in (or dynamic if you want to set up RIP or OSPF)
RB needs to know how to get to the 10.10.11.0/24 network so create a static route pointing to 10.10.11.0/24 and set the next hop to RA's IPSec tunnel interface.
RC is set up in the same way as RB just point to 10.10.10.0/24 and use RA's IPSec tunnel interface on that side.
RA needs to know how to get to both networks so it can forward traffic either way.
Set up two static routes much like the ones you set up for RB and RC but use RB and RC's respective IPSec tunnel interfaces as the next hop address.
-
Regular static routing doesn't work with IPsec tunnels due to the way it is hooked to the system kernel.
In order to achieve this, you need to create an additional Phase2 on A and B, with "remote network" set as the opposite site subnet ;)
-
Thanks for the added info george. I've never tried this myself. I was just going off what I know about networking. It should also be noted that dynamic routing won't work without a GRE tunnel because IPSec does not pass broadcast traffic.
-
Thanks for the feedback guys. So Basically I only need to add Phase 2 entries for the networks that want to reach each other, is that correct?
-
Correct
-
Just to tweak things even more.. Is it possible to do NAT in the tunnels aswell? , Like NAT tunnel network from RB when it accesses RC via RA ?
-
I believe you select that in Phase 2 as NAT/BINAT
-
Should be possible in 2.1 (I haven't tested it yet)