(Solved) Setting up multiple IPsec VPNs
-
pfSense 2.1.5
I have two branch offices with the same subnet - 192.168.1.0/24
Both branches need to connect to the same HQ office at IP 198.145.XXX.YYY
Branch A has a server at 10.10.10.21/30
Branch B has a server at 10.10.10.28/30
I don't want communication between branches.
Branches have SonicWALL devices. I have been running the first branch fine for months; no issues. With the addition of the second branch I get trouble.
In the HQ pfSense, Firewall, Rules, IPsec I have a destination set to the specific server this branch needs to access (10.10.10.21/30). When I created the second rule I realized I had to make a determination that this branch needs to only access their server at 10.10.10.28/30. Since both offices have the same subnet, I can't set a rule up that says source = 192.168.1.0/24. What is the best way to handle this? Do I need to set up an external IP for each branch at the HQ and IPsec tunnel to that? Do I change a port…?
Thanks.
-
Oops.
As far as I know, at least one of the SonicWALLs will have to 1:1 NAT its LAN and present it as something else so pfSense doesn't have two routes to the same subnet.
That or renumber one of them.
-
Thanks!
So, to summarize - all IPsec tunnels have to have a unique subnet on the "distant"/client side when looking at the subnet from the pfSense/HQ/server side. Is that right?
As for 2.1.5 - I had big problems upgrading from 2.1.5 to some 2.2 version a while back and had to restore back from an image taken before the upgrade. I know - I need to update that sucker.
-
Yes, all remote sides need to have different subnets. In your case you would have 3
VPN Core - Subnet #1
Remote Site 1 - Subnet #2
Remote Site 2 - Subnet #3

There might be some ugly hacks to make it work; if it were me I would just re-subnet/IP the site.
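The two answers above (1:1 NAT one branch's LAN, or give every remote side its own subnet) can be checked with a small model. The following Python is an added example, not code from this thread, from pfSense or from SonicWALL: it detects overlapping remote networks across a set of IPsec phase 2 definitions, translates a host address the way a network-to-network 1:1 NAT does, and evaluates first-match firewall rules to show why HQ cannot key rules on the source address until the overlap is gone. The addresses 192.168.1.0/24, 10.10.10.21/30 and 10.10.10.28/30 come from the thread; 10.20.2.0/24 (the NATed form of branch B) and the host 192.168.1.10 are constructed placeholders, and the rule evaluator is a simplified model rather than pfSense's actual rule engine.

```python
"""Added example, not code from the thread or from pfSense/SonicWALL.

Models two IPsec tunnels whose remote (branch) networks are both
192.168.1.0/24 and HQ firewall rules that should let each branch reach only
its own server. Shows (1) how to detect overlapping remote networks across a
set of phase 2 definitions and (2) why a 1:1 network NAT on one branch (or
renumbering it) lets HQ rules key on the source address again.

Addresses from the thread: 192.168.1.0/24, 10.10.10.21/30, 10.10.10.28/30.
10.20.2.0/24 (branch B as seen after NAT) and 192.168.1.10 are constructed.
"""
from ipaddress import IPv4Address, ip_network
from itertools import combinations


def find_overlaps(remote_nets):
    """Return sorted name pairs whose remote networks overlap.

    remote_nets: dict of tunnel name -> remote network in CIDR notation.
    Overlapping remote networks give the HQ router two routes to the same
    destination, which is the conflict described in the thread.
    """
    nets = {name: ip_network(cidr, strict=False) for name, cidr in remote_nets.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def one_to_one_nat(address, inside_cidr, outside_cidr):
    """Translate one host address under a network-to-network 1:1 NAT.

    The host bits are kept and the network bits are swapped, which is what a
    1:1 NAT of one /24 onto another /24 does; both networks must be the same
    size.
    """
    inside = ip_network(inside_cidr, strict=False)
    outside = ip_network(outside_cidr, strict=False)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("1:1 NAT needs networks of equal size")
    addr = IPv4Address(address)
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    offset = int(addr) - int(inside.network_address)
    return IPv4Address(int(outside.network_address) + offset)


def first_match(rules, src, dst):
    """First-match evaluation of (name, source_cidr, destination_cidr) rules.

    Returns the matching rule's name, or None for the implicit default deny.
    strict=False accepts the thread's 10.10.10.21/30 as the /30 containing it.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for name, src_cidr, dst_cidr in rules:
        if s in ip_network(src_cidr, strict=False) and d in ip_network(dst_cidr, strict=False):
            return name
    return None


# Tunnels as the thread describes them: both branches present 192.168.1.0/24.
TUNNELS_BEFORE = {"branch_a": "192.168.1.0/24", "branch_b": "192.168.1.0/24"}
RULES_BEFORE = [
    ("branch_a", "192.168.1.0/24", "10.10.10.21/30"),
    ("branch_b", "192.168.1.0/24", "10.10.10.28/30"),
]

# After branch B's SonicWALL 1:1 NATs its LAN onto 10.20.2.0/24 (constructed).
BRANCH_B_NAT = ("192.168.1.0/24", "10.20.2.0/24")
TUNNELS_AFTER = {"branch_a": "192.168.1.0/24", "branch_b": BRANCH_B_NAT[1]}
RULES_AFTER = [
    ("branch_a", "192.168.1.0/24", "10.10.10.21/30"),
    ("branch_b", BRANCH_B_NAT[1], "10.10.10.28/30"),
]


def demo():
    """Run the before/after comparison and return the results as a dict."""
    branch_b_host = "192.168.1.10"  # constructed host inside branch B
    seen_at_hq = str(one_to_one_nat(branch_b_host, *BRANCH_B_NAT))
    return {
        "overlaps_before": find_overlaps(TUNNELS_BEFORE),
        "overlaps_after": find_overlaps(TUNNELS_AFTER),
        # Before: a branch B host reaching branch A's server matches branch_a's
        # rule, because HQ cannot tell the two 192.168.1.0/24 networks apart.
        "before_b_to_a_server": first_match(RULES_BEFORE, branch_b_host, "10.10.10.21"),
        "branch_b_host_as_seen_at_hq": seen_at_hq,
        # After: the same host is denied to A's server and allowed to its own.
        "after_b_to_a_server": first_match(RULES_AFTER, seen_at_hq, "10.10.10.21"),
        "after_b_to_own_server": first_match(RULES_AFTER, seen_at_hq, "10.10.10.29"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows one overlapping pair before the NAT and none after, and that a branch B host is only distinguishable from a branch A host at HQ once its traffic arrives from 10.20.2.0/24; renumbering branch B's LAN instead of NATing it gives the same result with `one_to_one_nat` left out.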
-
Thank you all for the assistance. I did change the subnet on one of the branch offices and all went smooth after that.
Thanks. :)