Netgate Discussion Forum

Access to other IPSEC-VPN from HomeOffice

  • U
    unti
    last edited by Apr 13, 2017, 1:27 PM

    Hi,

    First I want to apologize if this topic has been solved elsewhere, but I couldn't find it.

    We have several IPSEC-VPN-connections in our office to other places. As I often work in my homeoffice, I want to know if it is possible to connect to these VPNs directly from my homeoffice? I am connected through an IPSEC-VPN with my office, too. So to give you an example:

    My IP-range: 192.168.100.0
    IP-Range in Office: 192.168.200.0
    other IP-Range (from customer), which is connected to our office: 192.168.50.0

    So, I want to know if there is a way to have access directly from my homeoffice 192.168.100.0 to the customer's subnet 192.168.50.0?

    Thx and BR

    Markus

    • R
      Roofus
      last edited by Apr 18, 2017, 10:06 PM

      I am looking at exactly the same issue.

      I am guessing that a 'route' needs to be defined, but not sure what gateway would be used/defined for this and how each box would be set up to route traffic via the IPSec.  I guess one option would be to route ALL traffic over IPSec so that second box would then know to route the 192.168.50.0 traffic over IPSec.

      Roofus

      • S
        studiox
        last edited by May 1, 2017, 12:18 PM

        Are you saying you want to connect directly to your customers' locations directly from home? BAD BAD BAD idea. What happens if you get a virus at home? Perhaps not even your computer or some other device or computer in your home and that is transferred to your customer's location.  :o

        • R
          Roofus
          last edited by May 1, 2017, 8:13 PM

          IPSEC is there to enable two sites to securely exchange traffic.

          If one PC gets infected, that is a separate issue and hopefully one mitigated by your IPSEC firewall rules and virus protection.

          The question is where there are three, or more, locations connected via IPSec how to route traffic to third or fourth site while still allowing general internet traffic via WAN.

          Roofus

          • S
            studiox
            last edited by May 2, 2017, 4:11 PM

            @Roofus:

            IPSEC is there to enable two sites to securely exchange traffic.

            If one PC gets infected, that is a separate issue and hopefully one mitigated by your IPSEC firewall rules and virus protection.

            The question is where there are three, or more, locations connected via IPSec how to route traffic to third or fourth site while still allowing general internet traffic via WAN.

            Roofus

            From a security point of view, if your end device (while connected from home) is a corporate managed PC, I do not see any issues, as there are measures in place from IT to make sure antivirus and only required ports are open.

            Allowing to "jump" from home-office to corporate office and towards a customer is not complicated, you only need to take one of the following steps:

            1.) Change default route towards corporate office, i.e. do not use split tunnelling.
            2.) Add static routes to the home office that allow routing of traffic towards another tunnel.

            • R
              Roofus
              last edited by May 2, 2017, 4:37 PM

              Thanks for the reply.

              The question is how to create static route as per option 2?  Bearing in mind pfsense wants a gateway and only lists WAN.  So, if we want the IPSec set up as a 'gateway' in order to configure routes, is it possible and what would be set? Local PFSense IP?

              Roofus

              • N
                n0npr0phet
                last edited by May 3, 2017, 6:36 PM

                We are trying to do something similar.  Access our IPSEC connected AWS VPC from our remote office also IPSEC connected.
                We have been successful connecting two pfsense boxes in the same LAN using an interface and a gateway but since IPSEC isn't an option when creating the gateway we are stuck.

                • H
                  hpmueller
                  last edited by May 3, 2017, 8:45 PM

                  IPsec is designed to prevent exactly this. You cannot simply "route" through an IPsec tunnel. It is possible to circumvent this with multiple phase2 configs on ALL endpoints (which assumes that you are allowed to do what you are trying, which it does not sound like), but if you have to ask here on how to do that, it is likely to blow up in your face one way or the other.

                  TL;DR: "Don't."

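Added example, not part of the thread and not pfSense code: a simplified model of the phase 2 selector matching that the last reply refers to, showing why a route alone does not carry 192.168.100.0 traffic to 192.168.50.0 and why every endpoint, including the customer's, needs a matching entry. The /24 masks, the host addresses and all helper names are assumptions.

```python
import ipaddress

# Constructed from the thread's example; the /24 masks are an assumption.
HOME = ipaddress.ip_network("192.168.100.0/24")
OFFICE = ipaddress.ip_network("192.168.200.0/24")
CUSTOMER = ipaddress.ip_network("192.168.50.0/24")

def carries(p2_entries, src, dst):
    """True if any phase 2 entry (local_net, remote_net) covers src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in p2_entries)

def first_blocking_hop(hops, src, dst):
    """Walk the tunnels in order; return (tunnel, side) that drops the packet, or None.

    Each hop is (name, sender_p2, receiver_p2), with every entry written from
    that gateway's own point of view, so the receiver is checked mirrored.
    """
    for name, sender_p2, receiver_p2 in hops:
        if not carries(sender_p2, src, dst):
            return (name, "sender")
        if not carries(receiver_p2, dst, src):
            return (name, "receiver")
    return None

def build_hops(home_extra, office_extra, customer_extra):
    """Hypothetical helper: base site-to-site phase 2 plus optional home<->customer entries."""
    h = [(HOME, CUSTOMER)] if home_extra else []
    o1 = [(CUSTOMER, HOME)] if office_extra else []
    o2 = [(HOME, CUSTOMER)] if office_extra else []
    c = [(CUSTOMER, HOME)] if customer_extra else []
    return [
        ("home-office", [(HOME, OFFICE)] + h, [(OFFICE, HOME)] + o1),
        ("office-customer", [(OFFICE, CUSTOMER)] + o2, [(CUSTOMER, OFFICE)] + c),
    ]

SRC, DST = "192.168.100.10", "192.168.50.20"  # constructed host addresses

def demo():
    return {
        "original": first_blocking_hop(build_hops(False, False, False), SRC, DST),
        "home+office only": first_blocking_hop(build_hops(True, True, False), SRC, DST),
        "all endpoints": first_blocking_hop(build_hops(True, True, True), SRC, DST),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result or "carried end to end")
```

The model checks only the forward direction and ignores IKE negotiation, where mismatched phase 2 entries would already prevent the SA from coming up.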
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.