Netgate Discussion Forum

    network subnet access between multiple tunnel

    General pfSense Questions
    12 Posts 4 Posters 1.0k Views
      viragomann

      So add a phase 2 to each IPsec tunnel, each on both sides.

      On site A:
      Local network: 192.168.1.0/24
      Remote network: 10.222.32.0/24
      Do the same on pfSense A tunnel, but with inverted networks.

      On B:
      Local network: 10.222.32.0/24
      Remote network: 192.168.1.0/24
      And also again on the pfSense with exchanging the networks.

        hasan_ciit @viragomann

        @viragomann Thanks, I will add it and let you know if I get success.

          dr8g0ns

          You may have to redesign your VPN tunnels to use virtual tunnel interfaces (VTIs). Then you can route between sites.

            stephenw10 Netgate Administrator

            You can carry that traffic with policy-based IPsec as long as you have policies that match the traffic across each link.
            Exactly like viragomann laid out.

            Steve

              hasan_ciit @stephenw10
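The following is an added example (my own Python, not code from this thread and not pfSense code) that models viragomann's Phase 2 layout and stephenw10's point that policy-based IPsec only carries a flow when every link has a selector matching it, with the mirrored selector present on the far end of that link. The site subnets 192.168.1.0/24 and 10.222.32.0/24 come from viragomann's post; the pfSense LAN 10.14.0.0/24, the hub-and-spoke arrangement with pfSense in the middle, and all names are assumptions. It also shows that adding the extra Phase 2 only on the peers you control, as asked later in the thread, leaves the flow uncarried on the other leg.

```python
"""Model tunnel-mode IPsec Phase 2 selectors on a pfSense hub with two
tunnels and check whether a flow between the two spoke subnets is carried
end to end, in both directions.

Added example, not from the thread or from pfSense. Subnets 192.168.1.0/24
(site A) and 10.222.32.0/24 (site B) are from the thread; the pfSense LAN
10.14.0.0/24 and the tunnel layout are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple

SITE_A = "192.168.1.0/24"   # from the thread
SITE_B = "10.222.32.0/24"   # from the thread
PF_LAN = "10.14.0.0/24"     # assumed pfSense LAN behind the hub


class Phase2:
    """One Phase 2 entry (local/remote traffic selector pair) on one peer."""

    def __init__(self, local: str, remote: str):
        self.local: IPv4Network = ip_network(local)
        self.remote: IPv4Network = ip_network(remote)

    def mirrors(self, other: "Phase2") -> bool:
        """Two peers only bring up a child SA when their selectors mirror."""
        return self.local == other.remote and self.remote == other.local

    def encapsulates(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """Policy-based IPsec encapsulates a packet only when src falls in the
        local selector and dst in the remote selector; other traffic is routed
        normally (or dropped), never sent down the tunnel."""
        return src in self.local and dst in self.remote


# One tunnel, seen from the sending side: (near-end P2 list, far-end P2 list).
Link = Tuple[List[Phase2], List[Phase2]]


def link_carries(link: Link, src: IPv4Address, dst: IPv4Address) -> bool:
    """True when the near end has a policy matching src->dst AND the far end
    holds the mirrored selector, i.e. the child SA for that pair can exist."""
    near, far = link
    for p2 in near:
        if p2.encapsulates(src, dst):
            return any(p2.mirrors(f) for f in far)
    return False


def path_carries(links: List[Link], src: str, dst: str) -> bool:
    """Every hop from src towards dst must carry the flow."""
    s, d = ip_address(src), ip_address(dst)
    return all(link_carries(link, s, d) for link in links)


def bidirectional(links: List[Link], a: str, b: str) -> bool:
    """Monitoring traffic such as Zabbix needs both directions to open."""
    reverse = [(far, near) for near, far in reversed(links)]
    return path_carries(links, a, b) and path_carries(reverse, b, a)


def hub_before() -> List[Link]:
    """Original layout: each tunnel only carries its site <-> pfSense LAN."""
    site_a = [Phase2(SITE_A, PF_LAN)]
    pf_to_a = [Phase2(PF_LAN, SITE_A)]
    pf_to_b = [Phase2(PF_LAN, SITE_B)]
    site_b = [Phase2(SITE_B, PF_LAN)]
    return [(site_a, pf_to_a), (pf_to_b, site_b)]


def hub_after(add_on_site_b: bool = True) -> List[Link]:
    """viragomann's fix: an extra P2 on every peer, networks inverted on the
    two ends of each tunnel. add_on_site_b=False models having no access to
    the far site, so its mirrored entry is missing."""
    links = hub_before()
    site_a, pf_to_a = links[0]
    pf_to_b, site_b = links[1]
    site_a.append(Phase2(SITE_A, SITE_B))    # site A towards site B
    pf_to_a.append(Phase2(SITE_B, SITE_A))   # pfSense tunnel A, inverted
    pf_to_b.append(Phase2(SITE_A, SITE_B))   # pfSense tunnel B
    if add_on_site_b:
        site_b.append(Phase2(SITE_B, SITE_A))  # site B, inverted
    return links


if __name__ == "__main__":
    host_a, host_b = "192.168.1.10", "10.222.32.5"
    print("before:", bidirectional(hub_before(), host_a, host_b))
    print("after: ", bidirectional(hub_after(), host_a, host_b))
    print("half:  ", bidirectional(hub_after(add_on_site_b=False), host_a, host_b))
```

The useful reading is the third case: with the extra Phase 2 on site A and on both pfSense tunnels but not on site B, the pfSense side encapsulates the flow on tunnel B, yet no mirrored selector exists on the far end, so the child SA never comes up and the flow dies on that leg.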

              @stephenw10 said in network subnet access between multiple tunnel:

              ch the traffic across e

              Dear Sir,
              But how can I use policy-based routing?
              Will I use tunnel mode as routed VTI?

                hasan_ciit

                @viragomann Is it possible without adding a phase, as I don't have access to the other site? Can I use NAT/BINAT?

                  stephenw10 Netgate Administrator

                  So you have access to Site A and the Azure pfSense only? And can make changes to both?

                  Are the firewalls at sites A and B also pfSense?

                  Steve

                    hasan_ciit @stephenw10

                    @stephenw10 No Sir, I don't have access to the other site, and both sites are not pfSense.
                    Can you guide me on when to use the NAT option?

                      stephenw10 Netgate Administrator

                      Are you at site A trying to reach site B?

                      You could add a second P2 on pfSense to Site B and NAT traffic to a single IP inside the subnet it expects. That might work depending on what's on the other end. But it might not.

                      You would still need to get the traffic from site A to Azure though and that would require an extra P2 at both ends.

                      You could instead use a proxy of some sort running in Azure. Even something like an OpenVPN server there would allow you to reach Site B.

                      Steve

                        hasan_ciit @stephenw10

                        @stephenw10 Please, Stephen, help me to solve this issue.
                        My design is:

                        clients----ipsec tunnel------>pfsense connected
                        Pfsense----------------ipsec tunnel---------------->azure cloud connected
                        I have a Zabbix NMS at Azure that is using the 90.11.x.x subnet.
                        pfSense is using the 90.14.x.x subnet.
                        90.11.x.x subnet<---------------peering---------------->pfsense 90.14.x.x
                        90.11.x.x subnet<---------------ipsec tunnel--------->pfsense 90.14.x.x

                        Now I want Zabbix (90.11.x.x) to be able to reach our clients' LANs and monitor the networks that are currently connected directly to pfSense.

                        I don't want to add a phase at the client end, as I don't have access.

                        How can I establish connectivity like shown below:

                        AZURE Cloud 90.11.x.x subnet<----------ipsec tunnel-------->pfsense 90.14.x.x---------------<ipsec tunnels>----------clients

                        Please help me to resolve this issue.
                        Thanks in advance.

                          stephenw10 Netgate Administrator

                          @hasan_ciit said in network subnet access between multiple tunnel:

                          i have pfsense at azure cloud

                          @hasan_ciit said in network subnet access between multiple tunnel:

                          i have zabbix nms at azure

                          Are both those things true?

                          Without adding any additional P2s anywhere or using some sort of proxy at the pfSense site I don't think this is possible.

                          Even with adding one P2 you could NAT the connection on one leg but that would then only allow opening connections in one direction and I believe Zabbix usually requires both.

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.