Route VPN traffic through middle man (Site-Site-Site VPN)

  • Hello all.  I'm trying to set up a VPN tunnel through a middleman and I'm wondering if it's possible.  Here is my setup:

    Site 1: 192.168.237.0/24

    Site 2: 10.5.0.0/24 (has an existing IPSec tunnel to Site 1)
    Site 3: 10.5.1.0/24 (has an existing IPSec tunnel to Site 2)

    I'd rather not create a tunnel from Site 3 to Site 1 (I get charged a monthly fee per P1 tunnel to Site 1)

    Is it possible for me to tunnel from Site 3 through Site 2, and access the 192.168.237.0 network from Site 1 without creating a tunnel between Site 1 and Site 3?

    My situation is that Site 1 is a service provider, and Site 2 and 3 are my sites.  Site 1 has opened a P2 for the 10.5.1.0/24 network on the P1 tunnel between Site 1 and Site 2.

    If I create a P2 between 10.5.1.0/24 and 192.168.237.0/24 on the Site 2-Site 3 tunnel, theoretically that would route the 192.168.237.0/24 traffic to Site 2.

    Then if I created a P2 between 10.5.1.0/24 and 192.168.237.0/24 on the Site 1-Site 2 tunnel, that should take the Site 3 traffic to Site 1.

    Am I thinking incorrectly?  This isn't working.

    Thanks for any help.


  • It is possible and should work just fine. I did not test this setup myself on pfSense; however, I use FortiGate in the corporate environment. It is a very popular setup where remote sites are connected to a central VPN concentrator and that VPN concentrator is responsible for routing between sites. Remote end-points do not have any additional VPN connections to each other…

    Worth trying. Please share your findings after you implement this.
