Netgate Discussion Forum
    IPSec Tunneling Between 3 Different Sites

heezam

      Dear all,

I need some help to shed some light on IPsec tunneling. Here I will explain my current setup.

Site A <------IPSEC------> Site B (HUB) <------IPSEC------> Site C
10.1.1.1/24                10.2.2.1/24                    10.3.3.1/24

The tunnels from Site A to Site B and from Site B to Site C are working fine. However, Site A is not able to reach Site C directly, and vice versa.

      On Site A the phase 2 entry:
      Local: LAN Subnet
      Nat / Binat: None
      Remote: Network (10.2.2.1/24)

      On Site C the phase 2 entry:
      Local: LAN Subnet
      Nat / Binat: None
      Remote: Network (10.2.2.1/24)

      On Site B there are 2 IPSec Tunnels:

      1. Site A Phase 2 entry:
        Local: LAN Subnet
        Nat: None
        Remote: Network (10.1.1.1/24)

      2. Site C Phase 2 entry:
        Local: LAN Subnet
        Nat: None
  Remote: Network (10.3.3.1/24)

Note: FYI, we do not have access to Site C. Therefore any adjustment can only be made on Site A and Site B.

      Kindly let me know if you may require any other information. Thank you in advance.

Derelict (LAYER 8, Netgate)

        Obviously you need to add Phase 2 entries for 10.1.1.0/24 === 10.3.3.0/24 on both IPsec connections and make sure the firewall rules on IPsec pass the necessary traffic.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

heezam

          Dear Derelict,

Thank you for your reply. Yes, I agree that adding another phase 2 entry on both sites will achieve the goal. However, unfortunately we do not have access to Site C (10.3.3.1/24) to add a phase 2 entry. Therefore we are wondering whether any other method may accomplish the same goal (e.g. NAT/BINAT). I really appreciate any help on resolving the puzzle.

Derelict (LAYER 8, Netgate)

            Then you're pretty much out of luck. Successful IPsec generally requires cooperation from all parties on all sides.

Perhaps if you narrowed the scope from the entire /24 networks to some specific traffic that needs to be passed, something could be done, but as it is, no.


heezam

              Thank you Derelict.

I would appreciate it if you could shed some light on narrowing down the scope to some specific traffic that needs to be passed. In other words, is it possible to do a double one-to-one NAT at Site B so that we can "map" the IP address space of Site A into Site B, and the address space of Site C into Site B?

              [10.1.1.x]->IPSEC->[10.2.2.x] NAT [10.2.2.x]->IPSEC->[10.3.3.x] and the other way around.

              Please advise if the above is doable. Thank you in advance.

Derelict (LAYER 8, Netgate)

Yes, it would be possible if the Phase 2 traffic selector you can't change were a /23 and you wanted a /24 at each site, but you are going to have to detail what you want to see given the scenario you have explained so far.


heezam

My goal is for the network at Site A (10.1.1.x/24) to be able to reach the network at Site C (10.3.3.x/24), even if the traffic from A is NATed at Site B and carries a Site B IP (10.2.2.x/24) instead. The same applies to Site C, whereby it will carry a Site B IP in order to communicate with the network at Site A.

Site A (10.1.1.x/24) <-----------> Site B (10.2.2.x/24) <-----------> Site C (10.3.3.x/24)
                      IPSEC & NAT                        IPSEC & NAT

Perhaps the above illustration may give you some idea. Thank you in advance.

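As an added example (not code from this thread, from pfSense, or from either poster), the following Python check expresses the constraint behind Derelict's /23 remark: a one-to-one (BINAT) mapping of a spoke LAN into the hub-side address space only works if the traffic selector the far site already accepts has room for a block of the same size that does not collide with the hub's own LAN. With Site C's selector fixed at 10.2.2.0/24, which is exactly the hub LAN, no such block exists; with a /23 there is one. Addresses follow the thread; `binat_plan` and `translate` are names made up for this example.

```python
"""Feasibility check for mapping a spoke LAN 1:1 into the hub-side address
space that the far spoke's (unchangeable) Phase 2 selector accepts.
Added example for the thread above; not pfSense code."""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def binat_plan(spoke_lan: str, hub_lan: str, far_selector: str) -> Optional[IPv4Network]:
    """Return a block inside far_selector that is the same size as spoke_lan
    and disjoint from hub_lan, i.e. an address range the hub could present
    the spoke as.  Returns None when the selector leaves no room, which is
    the thread's situation (selector == hub LAN == 10.2.2.0/24).
    strict=False accepts the thread's host-style notation (10.1.1.1/24)."""
    spoke = IPv4Network(spoke_lan, strict=False)
    hub = IPv4Network(hub_lan, strict=False)
    selector = IPv4Network(far_selector, strict=False)
    if spoke.prefixlen < selector.prefixlen:
        return None  # spoke LAN is larger than the whole selector
    # Walk the selector in spoke-sized pieces and take the first one the
    # hub's own LAN does not already occupy.
    for candidate in selector.subnets(new_prefix=spoke.prefixlen):
        if not candidate.overlaps(hub):
            return candidate
    return None


def translate(addr: str, spoke_lan: str, mapped: IPv4Network) -> IPv4Address:
    """1:1 (BINAT-style) translation: keep the host bits of addr, replace the
    network bits with those of the mapped block."""
    spoke = IPv4Network(spoke_lan, strict=False)
    ip = IPv4Address(addr)
    if ip not in spoke:
        raise ValueError(f"{addr} is not inside {spoke}")
    host_bits = int(ip) - int(spoke.network_address)
    return IPv4Address(int(mapped.network_address) + host_bits)


if __name__ == "__main__":
    # The thread's scenario: Site C only accepts 10.2.2.0/24, the hub LAN.
    print("A->C with /24 selector:", binat_plan("10.1.1.0/24", "10.2.2.0/24", "10.2.2.0/24"))
    print("C->A with /24 selector:", binat_plan("10.3.3.0/24", "10.2.2.0/24", "10.2.2.0/24"))
    # Derelict's hypothetical: a /23 selector leaves 10.2.3.0/24 free.
    block = binat_plan("10.1.1.0/24", "10.2.2.0/24", "10.2.2.0/23")
    print("A->C with /23 selector:", block)
    print("10.1.1.5 would appear as", translate("10.1.1.5", "10.1.1.0/24", block))
```

The None results are the reason the hub-only NAT idea cannot work as posed: every address the hub could translate Site A into is already a Site B LAN address, so Site C has no way to tell the two apart.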
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.