Route one site over IPsec
-
Howdy All!
I was reading the excellent instructions "Routing Internet Traffic Through a Site-to-Site IPsec VPN", but I have a different use case.
I need to route only one website/IP over the IPsec tunnel. It's actually kind of the reverse: my new main office ("Site B" in the doc) is not whitelisted on a supplier portal and is therefore not reachable. My old office is still in use with its old, whitelisted IP, but it is no longer the main ISP connection. We have submitted a ticket to the site owner, but the guy who can make the changes is not available for some time.
Problem is: my new main office ("Site B") has several IPsec tunnels and several Phase 2 setups to distinct private networks (several other "Site A" sites, all with distinct LANs). All need to communicate with the DCs and Exchange Server at Site B.
I am not opposed to routing all internet traffic to our old office for a while, but as I read the instructions, by creating a Phase 2 with 0.0.0.0/0 I would effectively eliminate all my other Phase 2 connections.
How can I get just one site/IP to route from Site B through the tunnel and use the internet at one of the Site As? SonicWall has a solution, but I need to know how to do it in pfSense.
THX in ADV,
-JB -
You could do this by setting up a VTI-based IPsec tunnel between both sites, and then routing the IP address of the websites you want to reach over the tunnel.
Docs here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html -
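A way to sanity-check the route-based approach awebster describes, as an added Python model that is not from the thread or from pfSense: it applies longest-prefix matching to a constructed Site B table and reports which destinations a new prefix would pull onto the VTI. The addresses, site names and the VTI peer 10.255.0.2 are all assumptions made for the illustration.

```python
import ipaddress

# Constructed example (not from the thread or pfSense itself): a model of
# Site B's forwarding decisions once a VTI to the old office exists and a
# host route for the supplier portal points at it. Addresses are made up
# from documentation/private ranges; 10.255.0.2 is the assumed VTI peer.
ROUTES = [
    # (destination prefix, egress used for packets matching it)
    ("0.0.0.0/0",       "WAN default gateway (Site B ISP)"),
    ("192.168.1.0/24",  "Site B LAN (directly connected)"),
    ("192.168.10.0/24", "existing tunnel to Site A1 LAN"),
    ("192.168.20.0/24", "existing tunnel to Site A2 LAN"),
    ("198.51.100.7/32", "VTI peer 10.255.0.2 (egress via old office WAN)"),
]

def egress_for(dst, routes=ROUTES):
    """Longest-prefix match: the most specific prefix containing dst wins,
    so a /32 for the portal coexists with the /24 site routes and default."""
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via

def destinations_moved_by(prefix, samples, routes=ROUTES):
    """Which sample destinations change egress because `prefix` is present?
    Compares the table with and without that single entry; this is the check
    to run before committing a new route toward the VTI."""
    without = [r for r in routes if r[0] != prefix]
    return [d for d in samples if egress_for(d, without) != egress_for(d, routes)]

if __name__ == "__main__":
    samples = ["198.51.100.7", "198.51.100.8", "192.168.10.25",
               "192.168.20.9", "203.0.113.40"]
    for d in samples:
        print(f"{d:15} -> {egress_for(d)}")
    print("moved by the /32:", destinations_moved_by("198.51.100.7/32", samples))
```

In pfSense terms the /32 entry corresponds to a static route for the portal with the VTI peer as its gateway, and the old office still needs an outbound NAT rule so traffic arriving over the VTI leaves its WAN with the whitelisted address.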
@awebster So what you are suggesting is that I would create the VTI Phase 2 in addition to the normal Phase 2, from Site B to the Site A WAN I would want to use?
-
@unsichtbarre No, I don't think you can create a Phase 2 VTI and a legacy Phase 2 under the same Phase 1.
You would need to create a new VTI-based IPsec tunnel between sites A and B and use that exclusively.
Although it might be possible to run parallel IPsec tunnels if the endpoint IP is different at one end or the other.