[IPSec] VPN with Multi Subnets

bepo

Hello,

are both firewalls pfSense?
Please show some logs. What is the status on the status page? Especially SAD/SPD page?

Try to enable "Split connections" in phase 1 configuration.

Kind regards

rodrigoprazim

Following the images as requested, as images were after a change of "Split Connections"

Company 1:

Company 2:

Thanks for your help.

Kind regards.

bepo

@rodrigoprazim said in [IPSec] VPN with Multi Subnets:

Split Connections

Is Split Connections enabled on both sides? Did you restarted the ipsec service and reconnected the tunnel?
The SPD table looks strange.

Company 1 SPD:
There is nothing for 172.16.10....

Company 2 SPD:
Why the hell is the tunnel endpoint 10.10.0.2 for outbound 172.16.10... network?!

Maybe restart the hole pfsense on both sides and double check the phase 2 configuration. If nothing helps post the phase 2 configuration screenshots here.

rodrigoprazim

Thanks for answering. Followed photos as requested.

Company 1:

Company 2:

Be remembering, the server was stopped on both sides and then started.

dave.opc

You have to create 2(two) P2's on both sides
currently you have only 1 P2 created at Company1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0

rodrigoprazim

This post is deleted!

rodrigoprazim

@dave-opc said in [IPSec] VPN with Multi Subnets:

You have to create 2(two) P2's on both sides
currently you have only 1 P2 created at Company1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0

It is not possible, or do not leave system add 2 p2 with the same configuration, already tried this.

dave.opc

It is possible, and it will not be with the same configuration

On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0
On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0

rodrigoprazim

@dave-opc said in [IPSec] VPN with Multi Subnets:

It is possible, and it will not be with the same configuration

I understand what you mean, unfortunately now I can not fiddle with why the VPN is in production, as soon as I do, I'll post it. Thanks for answering.

rodrigoprazim

@dave-opc said in [IPSec] VPN with Multi Subnets:

It is possible, and it will not be with the same configuration

On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0
On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0

I had tried this, but I was forgetting to change the output interface of Company 1, that is, I was making a faithful copy of the existing P2, a lot of my attention, thank you for helping me.