Netgate Discussion Forum
    IPSEC Client -> Site-to-Site VPN via PFsense

    • mdonner

      Dear folks,

      This is my first post so don't blame me :) I have the following situation:

      • Windows clients connect via the Shrew Soft VPN Client to my pfSense (IPsec; the virtual IP range therefore is 10.10.10.0/24)
      • A Fortigate connects via an IPsec site-to-site tunnel to my pfSense (and has the network 192.168.90.0/24)
      • my local network is 172.10.10.0/24 (where the pfSense sits)

      The goal is to be able to connect the Windows client to my pfSense and access the 192.168.90.0/24 network.

      Currently I'm able to open the IPsec tunnel from the Windows client and access my local network (172.10.10.0).

      I tried several things that should fix the issue, without success. Now I ask the pros here … what would help is to know

      • what firewall rules need to be in place
      • currently I'm doing NAT on all tunnels - is this ok?

      Side note: if I list the accessible networks on the Windows client (route print) I do not get the 192.168.90.0 network (the local network 172.10.10.0 is provided). I added them manually in the Shrew Soft client ....

      Thanks to everybody who supports me on this!

      BR,
      Matthias

      • jimp (Rebel Alliance Developer, Netgate)

        You need to set up Phase 2 entries for the extra network, so:

        On Mobile P1, you need a P2 for 192.168.90.0/24 and 172.10.10.0/24
        On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!)

        And you also have to pass that traffic in the IPsec tab firewall rules.

        • mrcola

          @jimp:

          You need to set up Phase 2 entries for the extra network, so:

          On Mobile P1, you need a P2 for 192.168.90.0/24 and 172.10.10.0/24
          On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!)

          And you also have to pass that traffic in the IPsec tab firewall rules.

          Hi Admin

          I have got a similar setup:

          a site-to-site IPsec VPN with both ends running pfSense 2.3.2_p1 (192.168.50.0/24 and 192.168.70.0/24) and a mobile IPsec endpoint (192.168.71.0/24); my goal is to allow mobile IPsec users to access both sites.

          Now I have the following setup:

          Mobile P2: 192.168.70.0/24 and 192.168.50.0/24
          Site-to-site P2: 192.168.70.0/23 (covers both .70 and .71) <-> 192.168.50.0/24

          So far the user who has 192.168.71.1 (Android native IPsec client) can access 192.168.70.0/24 but not 192.168.50.0/24. The firewall rules on the IPsec tab are set to allow all.

          Here is the tracert from a Windows box in the 192.168.50.0/24 subnet (192.168.50.2 is the pfSense LAN IP):

          tracert 192.168.70.2

          Tracing route to 192.168.70.2 over a maximum of 30 hops

            1    <1 ms    <1 ms    <1 ms  192.168.50.2
            2     7 ms     7 ms     6 ms  192.168.70.2

          tracert 192.168.71.1

          Tracing route to 192.168.71.1 over a maximum of 30 hops

            1    <1 ms    <1 ms    <1 ms  192.168.50.2
            2     *        *        *     Request timed out.
            3     *        *        *     Request timed out.
            4  ^C

          In the firewall states I can see some traffic, so I guess pfSense doesn't know where to send the traffic back.

          Please advise

          Thanks

          • mdonner

            Hey all,

            Exactly the same here; adding a second PH2 network isn't fixing my issue. Either way, the mobile client doesn't know how to reach the other IPsec destination. On Fortigate you can define static routes, and each IPsec connection can be added as a "source device". Unfortunately this does not work the same way on pfSense. What I'm missing is a way to tell a pfSense static route to use an IPsec connection as its "gateway". If anybody can shed some light on this issue I would really appreciate it.

            BR,
            Matthias

            • mrcola

              Hi

              Figured out a workaround myself.

              On the mobile P1 add a P2 that routes everything (0.0.0.0/0). And I am using the Android built-in VPN client, which can define which range of IPs goes through the VPN.

              Site-to-site P2s are needed as suggested.

              Thanks

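As an added example (not from this thread, Netgate or pfSense), the Python check below walks the three Phase 2 selector matches that jimp's answer lists for the first post's networks, and also tries mrcola's 0.0.0.0/0 mobile P2 workaround; the two host addresses are constructed, and it checks selector coverage only, not the IPsec-tab firewall rules jimp also mentions.

```python
import ipaddress

# Networks from the thread: mobile client pool, pfSense LAN, network behind the Fortigate.
POOL, LAN, REMOTE = "10.10.10.0/24", "172.10.10.0/24", "192.168.90.0/24"
CLIENT, TARGET = "10.10.10.5", "192.168.90.10"  # constructed sample hosts, not from the thread

def _selects(p2_list, local_ip, remote_ip):
    """True if some Phase 2 entry (local_net, remote_net) covers local_ip -> remote_ip."""
    return any(local_ip in ipaddress.ip_network(loc) and remote_ip in ipaddress.ip_network(rem)
               for loc, rem in p2_list)

def trace_client_to_site(mobile_p2, s2s_p2_pfsense, s2s_p2_peer,
                         client_ip=CLIENT, target_ip=TARGET):
    """Check the three selector matches a packet from a mobile client to a host
    behind the site-to-site peer must pass. Returns (ok, failing_leg_or_None)."""
    client, target = ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip)
    # Leg 1: the mobile P2 lists the networks the client may reach as its local
    # side and the client pool as its remote side; without a match the client
    # never sends the packet into the tunnel (cf. the missing 'route print' entry).
    if not _selects(mobile_p2, target, client):
        return False, "mobile P2 on pfSense"
    # Leg 2: pfSense's site-to-site P2 must carry pool -> remote traffic.
    if not _selects(s2s_p2_pfsense, client, target):
        return False, "site-to-site P2 on pfSense"
    # Leg 3: the peer needs the mirror image, remote -> pool, or the child SA
    # for that selector pair is never negotiated.
    if not _selects(s2s_p2_peer, target, client):
        return False, "site-to-site P2 on peer"
    return True, None

# Scenario 1: the original post, a mobile P2 for the LAN only.
BEFORE = dict(mobile_p2=[(LAN, POOL)],
              s2s_p2_pfsense=[(LAN, REMOTE)], s2s_p2_peer=[(REMOTE, LAN)])
# Scenario 2: second mobile P2 added, site-to-site P2s left untouched.
MOBILE_ONLY = dict(BEFORE, mobile_p2=[(LAN, POOL), (REMOTE, POOL)])
# Scenario 3: all three P2s jimp lists, on pfSense and on the peer.
FULL = dict(mobile_p2=[(LAN, POOL), (REMOTE, POOL)],
            s2s_p2_pfsense=[(LAN, REMOTE), (POOL, REMOTE)],
            s2s_p2_peer=[(REMOTE, LAN), (REMOTE, POOL)])
# Scenario 4: mrcola's workaround, one 0.0.0.0/0 mobile P2 plus the site-to-site P2s.
ANY = dict(FULL, mobile_p2=[("0.0.0.0/0", POOL)])

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE), ("mobile P2 only", MOBILE_ONLY),
                      ("full", FULL), ("0.0.0.0/0 mobile P2", ANY)]:
        print(f"{name:20} -> {trace_client_to_site(**cfg)}")
```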