[IPSec] VPN with Multi Subnets
-
Hi guys,
I have the following scenario:
Company 1: 10.10.0.1 (WAN) | 172.16.4.0/23 (LAN 1) | 172.16.10.0/27 (LAN 2)
Company 2: 10.10.0.2 (WAN) | 172.16.0.0/23 (LAN 1)
I wish to connect the two companies via IPSec, which was done:
Company 1: P1: 10.10.0.1 > P2: 172.16.4.0/23 and P2: 172.16.10.0/27
Company 2: P1: 10.10.0.2 > P2: 172.16.0.0/23
IKEv2 protocol.
When I finish the settings the VPN connects, but only LAN 1 works; I cannot get the traffic of LAN 2 to pass through the tunnel.
What am I doing wrong?
-
Hello,
are both firewalls pfSense?
Please show some logs. What is the status on the status page? Especially the SAD/SPD page?
Try to enable "Split connections" in the phase 1 configuration.
Kind regards
-
Following are the images as requested; the images were taken after the change to "Split Connections".
Company 1: (screenshots not available)
Company 2: (screenshots not available)
Thanks for your help.
Kind regards.
-
@rodrigoprazim said in [IPSec] VPN with Multi Subnets:
Split Connections
Is Split Connections enabled on both sides? Did you restart the ipsec service and reconnect the tunnel?
The SPD table looks strange.
Company 1 SPD: There is nothing for 172.16.10....
Company 2 SPD: Why the hell is the tunnel endpoint 10.10.0.2 for the outbound 172.16.10... network?!
Maybe restart the whole pfSense on both sides and double check the phase 2 configuration. If nothing helps, post the phase 2 configuration screenshots here.
-
Thanks for answering. Photos follow as requested.
Company 1: (screenshots not available)
Company 2: (screenshots not available)
Bear in mind, the server was stopped on both sides and then started.
-
You have to create 2(two) P2's on both sides
Currently you have only 1 P2 created on the Company 1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0.
-
This post is deleted!
-
@dave-opc said in [IPSec] VPN with Multi Subnets:
You have to create 2(two) P2's on both sides
currently you have only 1 P2 created at Company1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0
It is not possible, or the system does not let me add 2 P2s with the same configuration; I already tried this.
-
It is possible, and it will not be with the same configuration
On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0
On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0
-
@dave-opc said in [IPSec] VPN with Multi Subnets:
It is possible, and it will not be with the same configuration
I understand what you mean; unfortunately I cannot fiddle with it right now because the VPN is in production. As soon as I do, I'll post it. Thanks for answering.
-
@dave-opc said in [IPSec] VPN with Multi Subnets:
It is possible, and it will not be with the same configuration
On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0
On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0
I had tried this, but I was forgetting to change the output interface on Company 1; that is, I was making a faithful copy of the existing P2. A lapse of my attention. Thank you for helping me.
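As an added illustration (not from the thread or from pfSense itself) of the two-P2 rule dave-opc states above and of the SPD symptom noted earlier (no entry for 172.16.10..., wrong tunnel endpoint), here is a small Python check that derives the P2 pairs each side needs from the topology in the first post and compares them against what was configured and what the SPD shows. The SITES table and the SPD row format (direction, source, destination, tunnel endpoint) are assumptions made for the example.

```python
from ipaddress import ip_network

# Constructed topology taken from the thread (site names, WANs and LANs as
# posted); nothing here is read from a live firewall.
SITES = {
    "Company 1": {"wan": "10.10.0.1", "lans": ["172.16.4.0/23", "172.16.10.0/27"]},
    "Company 2": {"wan": "10.10.0.2", "lans": ["172.16.0.0/23"]},
}

def _net(s):
    # strict=True rejects a typo such as 172.16.4.1/23 (host bits set)
    return str(ip_network(s, strict=True))

def required_p2s(site, peer):
    """One Phase 2 (one traffic selector) per local/remote LAN pair; a single
    P2 cannot carry two local subnets, so Company 1 needs two of them."""
    return {(_net(l), _net(r)) for l in SITES[site]["lans"] for r in SITES[peer]["lans"]}

def missing_p2s(site, peer, configured):
    """configured: (local, remote) pairs as entered in the GUI. A P2 copied
    without changing its local network collapses into the original here."""
    return required_p2s(site, peer) - {(_net(l), _net(r)) for l, r in configured}

def expected_spd(site, peer):
    """SPD rows pfSense should list once the P2s are up: an outbound policy
    local -> remote whose tunnel endpoint is the PEER's WAN, plus its mirror."""
    own, other = SITES[site]["wan"], SITES[peer]["wan"]
    rows = set()
    for ln, rn in required_p2s(site, peer):
        rows.add(("out", ln, rn, other))
        rows.add(("in", rn, ln, own))
    return rows

def spd_problems(site, peer, spd):
    """spd: list of (direction, src, dst, tunnel_endpoint) transcribed from
    Status > IPsec > SPD. Returns findings for missing or misdirected rows."""
    findings, seen = [], set(spd)
    for direction, src, dst, ep in sorted(expected_spd(site, peer)):
        if (direction, src, dst, ep) in seen:
            continue
        wrong = [r for r in spd if r[:3] == (direction, src, dst)]
        if wrong:
            findings.append(f"{direction} {src}->{dst}: tunnel endpoint {wrong[0][3]}, expected {ep}")
        else:
            findings.append(f"{direction} {src}->{dst}: no policy (P2 missing?)")
    return findings
```

Feeding it the single P2 the thread says Company 1 had reports the 172.16.10.0/27 pair as missing, and a Company 2 SPD row whose outbound policy for 172.16.10.0/27 points at 10.10.0.2 is flagged as a wrong tunnel endpoint.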