[IPSec] VPN with Multi Subnets
-
Hi guys,
I have the following scenario:
Company 1: 10.10.0.1 (WAN) | 172.16.4.0/23 (LAN 1) | 172.16.10.0/27 (LAN 2)
Company 2: 10.10.0.2 (WAN) | 172.16.0.0/23 (LAN 1)I wish to connect the two companies via IPSec, which was done:
Company 1: P1: 10.10.0.1 > P2: 172.16.4.0/23 and P2: 172.16.10.0/27
Company 2: P1: 10.10.0.2 > P2: 172.16.0.0/23IKEv2 protocol.
When I finish the settings the VPN connects, but only works LAN 1, I can not cause the traffic of LAN 2 to pass through the tunnel.
What am I doing wrong?
-
Hello,
are both firewalls pfSense?
Please show some logs. What is the status on the status page? Especially SAD/SPD page?Try to enable "Split connections" in phase 1 configuration.
Kind regards
-
Following the images as requested, as images were after a change of "Split Connections"
Company 1:
Company 2:
Thanks for your help.
Kind regards.
-
@rodrigoprazim said in [IPSec] VPN with Multi Subnets:
Split Connections
Is Split Connections enabled on both sides? Did you restarted the ipsec service and reconnected the tunnel?
The SPD table looks strange.Company 1 SPD:
There is nothing for 172.16.10....Company 2 SPD:
Why the hell is the tunnel endpoint 10.10.0.2 for outbound 172.16.10... network?!Maybe restart the hole pfsense on both sides and double check the phase 2 configuration. If nothing helps post the phase 2 configuration screenshots here.
-
Thanks for answering. Followed photos as requested.
Company 1:
Company 2:
Be remembering, the server was stopped on both sides and then started.
-
You have to create 2(two) P2's on both sides
currently you have only 1 P2 created at Company1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0 -
This post is deleted! -
@dave-opc said in [IPSec] VPN with Multi Subnets:
You have to create 2(two) P2's on both sides
currently you have only 1 P2 created at Company1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0It is not possible, or do not leave system add 2 p2 with the same configuration, already tried this.
-
It is possible, and it will not be with the same configuration
On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0
On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0 -
@dave-opc said in [IPSec] VPN with Multi Subnets:
It is possible, and it will not be with the same configuration
I understand what you mean, unfortunately now I can not fiddle with why the VPN is in production, as soon as I do, I'll post it. Thanks for answering.
-
@dave-opc said in [IPSec] VPN with Multi Subnets:
It is possible, and it will not be with the same configuration
On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0
On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0I had tried this, but I was forgetting to change the output interface of Company 1, that is, I was making a faithful copy of the existing P2, a lot of my attention, thank you for helping me.
