Netgate Discussion Forum
    Opt1 interface at remote site

    6 Posts 3 Posters 1.3k Views
Sharaz:

I have an interesting question; I hope someone can help me get some traction here.

Site A and site B, with an IPsec tunnel between them. Desktops at site B access servers at site A, exactly as you would expect. Site A also has an OPT1, and all desktops and servers at site A can access all resources (multiple networks and devices) beyond the OPT1 interface, because PFS-siteA has a route for 10.x.x.x/8 via the OPT1 gateway (the OPT1 gateway is the Cisco router),

      as depicted here:

So, desktops at site B can open a PPTP VPN to the PPTP server at site A, and then they can also access resources beyond OPT1. I would like them not to have to do this; it would be preferable to just have them use the IPsec tunnel that's already established between site A and site B.

Is this possible? Can someone shed some light on this for me? Thanks!!

      Jonathan

viragomann:

A bit of a strange setup. Why don't you terminate PPTP at pfSense?
Generally I have to suggest replacing PPTP with a more secure VPN.

However, to achieve that site B cannot access networks beyond OPT1, just add a firewall rule on the LAN interface that blocks all traffic whose source is your PPTP pool and whose destination is your OPT1 network (10.x.x.x/8).

        Are there any difficulties?

Sharaz:

No, I want them to access beyond OPT1; right now they can't. They can ping the interface of OPT1 and that's it. They cannot ping the interface of the Cisco router (but they can if they open PPTP to the MS PPTP server).

          Jonathan

viragomann:

Okay, I think I got it. You want the clients at site B to be able to access the 10.x.x.x/8 network over IPsec.
I assume you have set an appropriate rule on the IPsec interface to allow this.
If the rule is correct it should work. The static route at pfSense A is also in force for IPsec traffic.

Maybe it's a routing issue. Could it be that site B is part of 10.x.x.x/8?
And there is another device in the network responding to ping. If in doubt, check this with traceroute on a site B host.

            Otherwise post all your network at site A, B, IPSec tunnel.

Sharaz:

              Site A is 192.168.10.0/24
              Site B is 192.160.20.0/24

Site A OPT1 is 10.0.0.2
Cisco router is 10.0.0.1

Site A has a secondary gateway created as 10.0.0.1, and a route for 10.0.0.0/8 pointed to 10.0.0.1 as the gateway.

              Jonathan

mix_room:

That seems like a routing issue. The IPsec tunnel will probably not know where the 10.0.0.0/8 network is, and so it can't send any traffic there.
You will probably need to add another phase 2 setting to propagate 10.0.0.0/8.

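The two diagnoses above (viragomann's "is it a routing issue, is site B inside 10/8?" and mix_room's "the tunnel has no phase 2 for 10.0.0.0/8") come down to the order in which a pfSense box resolves a packet: the IPsec policy (SPD) selectors are consulted first, and only a packet that no phase 2 covers falls through to the routing table. The following is an added example, not code from the thread or from pfSense, that models that lookup for the addresses Sharaz posted and traces both the request and the reply. It assumes site B is 192.168.20.0/24 (the post types 192.160.20.0/24), picks 192.168.20.25 as a constructed site B desktop, assumes the tunnel originally carries only the two LAN subnets, and assumes the Cisco router has no route back to site B until one is added; those are all assumptions, not facts from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread (not configuration pulled from any device).
SITE_A_LAN = ip_network("192.168.10.0/24")
SITE_B_LAN = ip_network("192.168.20.0/24")   # assumed; the post writes 192.160.20.0/24
BEYOND_OPT1 = ip_network("10.0.0.0/8")
DEFAULT = ip_network("0.0.0.0/0")
PFSENSE_A_OPT1 = ip_address("10.0.0.2")
CISCO = ip_address("10.0.0.1")
HOST_B = ip_address("192.168.20.25")          # constructed site B desktop

# Phase 2 entries as (local subnet, remote subnet), as each side sees them.
# Original tunnel as described: LAN A <-> LAN B only.
P2_A_ORIGINAL = [(SITE_A_LAN, SITE_B_LAN)]
P2_B_ORIGINAL = [(SITE_B_LAN, SITE_A_LAN)]
# mix_room's suggestion: a second, mirrored phase 2 for 10.0.0.0/8 on both ends.
P2_A_EXTENDED = P2_A_ORIGINAL + [(BEYOND_OPT1, SITE_B_LAN)]
P2_B_EXTENDED = P2_B_ORIGINAL + [(SITE_B_LAN, BEYOND_OPT1)]

# Routing tables as (prefix, next hop description); only the entries that matter here.
ROUTES_A = [(BEYOND_OPT1, "10.0.0.1 via OPT1"), (DEFAULT, "WAN gateway")]
ROUTES_B = [(DEFAULT, "WAN gateway")]
CISCO_ORIGINAL = [(SITE_A_LAN, "10.0.0.2"), (DEFAULT, "upstream")]
CISCO_WITH_B = CISCO_ORIGINAL + [(SITE_B_LAN, "10.0.0.2")]   # assumed return route


def spd_match(phase2, src, dst):
    """Outbound IPsec policy lookup: first (local, remote) selector covering src->dst, else None.
    The kernel consults these policies before the ordinary routing table."""
    for local, remote in phase2:
        if src in local and dst in remote:
            return (local, remote)
    return None


def longest_match(routes, dst):
    """Plain longest-prefix routing lookup; returns the next-hop description."""
    best = None
    for prefix, nexthop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def forward(src, dst, p2_a, p2_b):
    """Site B host -> dst. Returns (reached the OPT1 side, decision text)."""
    sel = spd_match(p2_b, src, dst)
    if sel is None:
        return False, f"site B: no phase 2 covers {src}->{dst}; sent to {longest_match(ROUTES_B, dst)}"
    # Inbound at site A the packet must match the mirrored selector or it is discarded.
    if spd_match(p2_a, dst, src) is None:
        return False, "site A: decapsulated packet matches no phase 2; dropped"
    # Only now does the static route Sharaz configured come into play.
    return True, f"site A: decapsulated; routed {longest_match(ROUTES_A, dst)}"


def reverse(src, dst, p2_a, cisco_routes):
    """Reply from dst (behind OPT1) back to the site B host src."""
    hop = longest_match(cisco_routes, src)
    if hop != str(PFSENSE_A_OPT1):
        return False, f"cisco: reply to {src} sent to {hop}; never reaches pfSense A"
    if spd_match(p2_a, dst, src) is None:
        return False, f"site A: reply {dst}->{src} matches no phase 2; sent to WAN"
    return True, "site A: reply encapsulated toward site B"


def round_trip(src, dst, p2_a, p2_b, cisco_routes):
    """Both directions; True only when request and reply both traverse the tunnel."""
    ok_fwd, why_fwd = forward(src, dst, p2_a, p2_b)
    ok_rev, why_rev = reverse(src, dst, p2_a, cisco_routes)
    return ok_fwd and ok_rev, [why_fwd, why_rev]


def overlapping_selectors(phase2):
    """viragomann's check: a local subnet that overlaps its remote subnet (e.g. site B
    itself sitting inside 10.0.0.0/8) makes the policy lookup ambiguous."""
    return [(local, remote) for local, remote in phase2 if local.overlaps(remote)]


if __name__ == "__main__":
    scenarios = [
        ("original tunnel", P2_A_ORIGINAL, P2_B_ORIGINAL, CISCO_ORIGINAL),
        ("extra phase 2, no Cisco return route", P2_A_EXTENDED, P2_B_EXTENDED, CISCO_ORIGINAL),
        ("extra phase 2 + Cisco return route", P2_A_EXTENDED, P2_B_EXTENDED, CISCO_WITH_B),
    ]
    for label, p2_a, p2_b, cisco in scenarios:
        ok, why = round_trip(HOST_B, CISCO, p2_a, p2_b, cisco)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for line in why:
            print("   ", line)
    print("overlapping selectors:", overlapping_selectors(P2_A_EXTENDED))
```

Running it shows the three states a practitioner would want to distinguish: with the original tunnel the request never enters IPsec at site B and goes to site B's default gateway; with the second phase 2 on both ends the request reaches the Cisco, but the reply dies unless the Cisco also routes 192.168.20.0/24 back to 10.0.0.2; with both in place the round trip completes. The firewall rule viragomann assumed (IPsec tab at site A allowing the site B source to 10.0.0.0/8) is a separate gate that this model does not represent, and the live counterpart of `spd_match` is what Status > IPsec on each pfSense box lists as the negotiated child SAs.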
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.