Can PFSense support "Encryption Domains"?
-
Hi,
This may be a stupid question - and my searching has come up fairly inconclusive - so any assistance would be appreciated.
I have got an IPSEC tunnel between our internal network and a providers network with the following settings:
Some definitions:
LocalIPs - these are 6 IP's on an internal network range (10.0.100.0/24)
LocalPublic - this is our public IP
RemotePublic - this is the remote public IP
RemoteIPs - there are 6 internal IP's on the remote end on various private networks
LocalIPs <-> LocalPublic <-> RemotePublic <-> RemoteIPs
So they require me to use an "Encryption Domain", which I believe would be NAT'ing (as I understand it) all my internal traffic destined for their RemoteIPs as our LocalPublic. I'm not quite sure how to achieve this using PFSense, all my testing so far has resulted in no joy.
Any assistance on how I can do this would be appreciated?
Thanks
Ian -
As far as I know the term "Encryption Domain" is a way of naming the grouping of networks where you want to apply encryption. Depending on the system brand the domain may be defined by configuring a group and then inserting the networks there, or by defining an ACL (the Cisco case) where you put the networks that belong to the domain.
In pfSense you have to define a phase 2 entry for every pair of networks that you want to communicate (10.0.100.0/24 with <peer local network> in your case). That way you will build a tunnel between both internal, private, networks. Later you can limit visibility to only the given host IPs by means of a firewall rule on the VPN.
What happens if the remote peer does not allow you to build the phase 2 against their internal net? Then you will have to build phase 2 entries for each pair of host addresses, getting a lot of entries quickly. In your case 6*6 = 36 phase 2 entries if every host on your side should be able to connect to every other host on the remote side. This is the reason that the 'network method' is the preferred one over the 'host method'; and as the remote side must mirror your config they have to create the same number of entries, so I bet that going to a 'network method' approach will be enough as there is a lot less work involved.
Hope this helps you.
Regards.
-
Hey Mikee,
Wow - thanks for the response - that is great to have someone who can assist :)
I'm struggling to understand what you mean by "peer local network"? Do you mean the internal IP of the pfSense server?
So my IPsec would have a phase 2 entry with Local Subnet being 10.0.100.0/24 and Remote Subnet the internal IP of the pfSense (so 10.0.100.11?)
Apologies for the probably stupid question :)
Cheers
Ian -
Hi Ian.
The peer local network is the private network(s) behind the REMOTE crypto endpoint (thus the use of the term 'peer'). You build a VPN between two endpoints, the local and the peer. Maybe the use of 'peer' is not fully correct (because you build the VPN link between two peers), but the sense in which I am using it here is the remote side of the VPN.
It usually includes the internal network the pfSense belongs to, but not necessarily, and it can include other networks behind the pfSense itself (local networks that are further away than the pfSense's own). You do not need to limit the encryption domain to the pfSense net.
Your phase 2 cannot be as you describe because both belong to the same network: 10.0.100.11 is included in the 10.0.100.0/24 network. If the local net is 10.0.100.0/24 and the remote net is 10.0.200.0/24 then you can build a VPN between them. If they are the same network you need to apply source NAT translation to one of the networks. pfSense does this via the NAT/BINAT translation field.
Cheers.
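The two points made in the replies above (one phase 2 per network pair versus one per host pair, and the need for a NAT/BINAT translation when the remote selector collides with your own LAN range) can be worked through as a small planning script. This is an added example, not code from the thread or from pfSense; the class and function names, and every address in it (including 203.0.113.10 standing in for LocalPublic), are constructed for the illustration.

```python
"""Plan IPsec phase 2 selectors for an 'encryption domain'.

Added example (not from the forum thread and not pfSense code). It models the
two layouts discussed in the thread: one phase 2 per network pair ('network
method') versus one per host pair ('host method'), and flags pairs whose
remote selector overlaps our own LAN, which need a NAT/BINAT translation
before the tunnel can carry them. All addresses are constructed for the
example; class and function names are our own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry: local selector, remote selector, optional translation."""
    local: IPv4Network
    remote: IPv4Network
    translated_local: Optional[IPv4Network] = None  # NAT/BINAT address, if needed

    def describe(self) -> str:
        nat = f" via NAT/BINAT {self.translated_local}" if self.translated_local else ""
        return f"{self.local} <-> {self.remote}{nat}"


def needs_translation(local_lan: str, remote_selector: str) -> bool:
    """True when the remote selector falls inside our own connected LAN range.

    Even a /32 remote host inside our LAN collides with the connected route, so
    the check is against the LAN, not against the (possibly narrower) selector.
    """
    return ip_network(local_lan).overlaps(ip_network(remote_selector))


def plan_phase2(local_lan, local_selectors, remote_selectors, translated_local=None):
    """Return one Phase2 per (local, remote) pair.

    Pairs that need translation get translated_local set; if no translation
    address was supplied they are rejected, mirroring the advice that same-range
    networks cannot be joined without source NAT.
    """
    lan = ip_network(local_lan)
    locals_ = [ip_network(s) for s in local_selectors]
    remotes = [ip_network(s) for s in remote_selectors]
    tx = ip_network(translated_local) if translated_local else None
    entries = []
    for loc, rem in product(locals_, remotes):
        if not loc.subnet_of(lan):
            raise ValueError(f"local selector {loc} is not inside LAN {lan}")
        if lan.overlaps(rem):
            if tx is None:
                raise ValueError(f"{rem} overlaps LAN {lan}: set a NAT/BINAT translation")
            entries.append(Phase2(loc, rem, tx))
        else:
            entries.append(Phase2(loc, rem))
    return entries


def network_method(local_lan, remote_nets, translated_local=None):
    """'Network method': the whole LAN paired with each remote network."""
    return plan_phase2(local_lan, [local_lan], remote_nets, translated_local)


def host_method(local_lan, local_hosts, remote_hosts, translated_local=None):
    """'Host method': one /32 pair per host combination (len(local)*len(remote))."""
    return plan_phase2(local_lan,
                       [f"{h}/32" for h in local_hosts],
                       [f"{h}/32" for h in remote_hosts],
                       translated_local)


# Constructed data mirroring the thread: six local hosts in 10.0.100.0/24 and six
# remote hosts on assorted private networks. One remote network deliberately
# collides with our own range, which is the case that needs NAT/BINAT.
LOCAL_NET = "10.0.100.0/24"
LOCAL_HOSTS = [f"10.0.100.{i}" for i in range(11, 17)]
REMOTE_HOSTS = ["10.0.200.5", "10.0.200.6", "172.16.5.10",
                "192.168.50.20", "192.168.50.21", "10.0.100.50"]
REMOTE_NETS = ["10.0.200.0/24", "172.16.5.0/24", "192.168.50.0/24", "10.0.100.0/24"]
LOCAL_PUBLIC = "203.0.113.10/32"  # documentation-range stand-in for LocalPublic

if __name__ == "__main__":
    for e in network_method(LOCAL_NET, REMOTE_NETS, LOCAL_PUBLIC):
        print("network method:", e.describe())
    hosts = host_method(LOCAL_NET, LOCAL_HOSTS, REMOTE_HOSTS, LOCAL_PUBLIC)
    print(len(hosts), "host-method entries,",
          sum(e.translated_local is not None for e in hosts), "of them translated")
```

Run as-is it prints the four network-method entries (one marked for NAT/BINAT) and reports 36 host-method entries, which is the 6*6 count from the reply above. Dropping the translation argument makes the colliding pair raise instead of silently producing a phase 2 that could never route.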