IPSEC site to site from multiple VLANs to same remote network
-
I have two pfSense firewalls that I need to create site to site IPSEC tunnels between.
I have created the Phase 1 on both sides. I need to connect the LAN and one VLAN of side 1 to the LAN of side 2. I have created Phase 2 entries on both sides and everything shows as connected.
As far as I can tell I can only pass traffic to/from one of the networks on side 1 at a time. I have seen both the LAN and the VLAN able to pass traffic; usually it is the LAN that can communicate, but occasionally the VLAN can.
I connected everything and was able to communicate from side 1 LAN to side 2 LAN. I took the Phase 1 down and reconnected it and was then able to communicate from side 1 VLAN to side 2 LAN. I took the Phase 1 down again and was then able to communicate from side 1 LAN again, but not side 2 LAN.
As far as I can tell side 2 can communicate with both LAN and VLAN, regardless of which interface on side 1 can communicate. Although I am not sure this is the case at all times.
I cannot determine if there is a pattern for why one interface can communicate vs the other on side 1. It seems random, but there is probably something I am missing.
As far as I can tell there is nothing in my logs indicating the problem, but I am not 100% sure what I'm looking for.
My firewall rules are all set up to properly pass traffic.
Any help would be much appreciated.
-
Try to create two phase 1 entries each one with a single phase 2.
I know that the public end-point IPs are going to be the same in either system, but the latest version of pfSense does not seem to bother about that.
I had to split a multi-phase2 VPN connection just to be able to communicate two nets on one side of the VPN with one on the other (same as you are trying to do), just because the config of one of them was not the standard (it was a catch-all). Maybe mixing tagged (VLAN) and untagged traffic does not work well with the latest version either.
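To make the suggested split concrete, here are the two layouts written as strongSwan swanctl.conf (pfSense runs strongSwan underneath but generates its own configuration from the GUI, so this is an added illustration, not the thread's or pfSense's config). All addresses, identities and connection names are assumed, and the pre-shared secrets section is omitted.

```conf
# Added illustration, not pfSense-generated config and not from the thread.
# Assumed addresses: side 1 LAN 192.168.1.0/24, side 1 VLAN 192.168.20.0/24,
# side 2 LAN 10.0.0.0/24, public endpoints 198.51.100.1 (side 1) and
# 203.0.113.1 (side 2). Shown from side 1; side 2 mirrors local_ts/remote_ts.

# --- File A: one Phase 1 (IKE SA) carrying two Phase 2 entries (two CHILD_SAs).
# Both children share the IKE SA; each has its own local selector and the same
# remote selector. This is the original poster's layout.
connections {
    site2 {
        local_addrs  = 198.51.100.1
        remote_addrs = 203.0.113.1
        version = 2
        local  { auth = psk  id = 198.51.100.1 }
        remote { auth = psk  id = 203.0.113.1 }
        children {
            lan  { local_ts = 192.168.1.0/24   remote_ts = 10.0.0.0/24  start_action = start }
            vlan { local_ts = 192.168.20.0/24  remote_ts = 10.0.0.0/24  start_action = start }
        }
    }
}

# --- File B: the split suggested above, two Phase 1 entries with one Phase 2 each.
# The endpoint IPs are the same for both; distinct IKE identities are assumed
# here so the responder can match each IKE SA to the intended connection.
connections {
    site2-lan {
        local_addrs  = 198.51.100.1
        remote_addrs = 203.0.113.1
        version = 2
        local  { auth = psk  id = @lan.site1.example }
        remote { auth = psk  id = @lan.site2.example }
        children {
            lan { local_ts = 192.168.1.0/24  remote_ts = 10.0.0.0/24  start_action = start }
        }
    }
    site2-vlan {
        local_addrs  = 198.51.100.1
        remote_addrs = 203.0.113.1
        version = 2
        local  { auth = psk  id = @vlan.site1.example }
        remote { auth = psk  id = @vlan.site2.example }
        children {
            vlan { local_ts = 192.168.20.0/24  remote_ts = 10.0.0.0/24  start_action = start }
        }
    }
}
```

Whichever layout is used, the check that tells the two situations apart is whether both CHILD_SAs (one per local selector) are installed at the same time, not just whether the Phase 1 shows as connected.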