IPSEC Client -> Site-to-Site VPN via PFsense



  • Dear folks,

    This is my first post so don't blame me :) I have the following situation:

    • Windows clients connect via the Shrew Soft VPN Client to my pfSense (IPsec; the virtual IP range for this is 10.10.10.0/24)
    • A Fortigate connects via an IPsec site-to-site tunnel into my pfSense (and has the network 192.168.90.0/24)
    • my local network is 172.10.10.0/24 (where the pfSense sits)

    The goal is to be able to connect the Windows client to my pfSense and be able to access the 192.168.90.0/24 network.

    Currently I'm able to open the IPsec tunnel from the Windows client and access my local network (172.10.10.0).

    I tried several things that should fix the issue, without success. Now I ask the pros here … what would help is to know:

    • what firewall rules need to be in place
    • currently I'm doing NAT on all tunnels - is this OK?

    Sidenote: if I try to get the accessible networks on the Windows client (route print) I do not get the 192.168.90.0 network provided (the local network 172.10.10.0 is provided). I added them manually in the Shrew Soft client ....

    Thanks to everybody supporting me on this!

    BR,
    Matthias


  • Rebel Alliance Developer Netgate

    You need to set up Phase 2 entries for the extra network, so:

    On Mobile P1, you need a P2 for 192.168.90.0/24 and 172.10.10.0/24
    On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!)

    And you also have to pass that traffic in the IPsec tab firewall rules.

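The three Phase 2 coverages the reply above describes (mobile P1, pfSense side of the site-to-site, and the Fortigate side) are easy to miss one of, so here is an added checker that is not part of the thread or of pfSense itself: given the (local, remote) traffic selectors configured on each of the three places, it reports which one still lacks an entry for a given client and target. The network values are taken from the first post; the function names and the BEFORE/AFTER configurations are constructed for illustration, and supernet entries such as 192.168.70.0/23 or 0.0.0.0/0 from the later posts are handled as well.

```python
import ipaddress

def n(cidr):
    """Parse a CIDR string into an ip_network (host bits allowed)."""
    return ipaddress.ip_network(cidr, strict=False)

def covered(selectors, local, remote):
    """True if one (local, remote) Phase 2 pair contains local->remote.
    Supernets such as 192.168.70.0/23 or 0.0.0.0/0 match as well."""
    return any(local.subnet_of(l) and remote.subnet_of(r) for l, r in selectors)

def p2_gaps(mobile_p2, s2s_p2, peer_p2, client, target):
    """Phase 2 entries a mobile client needs to reach a network behind the
    site-to-site peer, when the traffic hairpins through pfSense.
    mobile_p2: (local, remote) pairs on the pfSense mobile P1
    s2s_p2:    (local, remote) pairs on the pfSense site-to-site P1
    peer_p2:   (local, remote) pairs on the peer (Fortigate) for that tunnel
    Returns a list of missing-entry descriptions; empty means fully covered."""
    gaps = []
    if not covered(mobile_p2, target, client):
        gaps.append(f"pfSense mobile P1: no P2 {target} <-> {client}")
    if not covered(s2s_p2, client, target):
        gaps.append(f"pfSense site-to-site P1: no P2 {client} <-> {target}")
    if not covered(peer_p2, target, client):
        gaps.append(f"peer tunnel: no P2 {target} <-> {client}")
    return gaps

# Constructed data following the first post: mobile pool 10.10.10.0/24,
# pfSense LAN 172.10.10.0/24, Fortigate LAN 192.168.90.0/24.
MOBILE, LAN, REMOTE = n("10.10.10.0/24"), n("172.10.10.0/24"), n("192.168.90.0/24")

# Starting point: only the LAN is offered to mobile clients and the
# site-to-site tunnel only carries LAN <-> Fortigate LAN.
BEFORE = dict(mobile_p2=[(LAN, MOBILE)], s2s_p2=[(LAN, REMOTE)], peer_p2=[(REMOTE, LAN)])
# With the extra P2 entries from the reply above (hypothetical config values):
AFTER = dict(
    mobile_p2=[(LAN, MOBILE), (REMOTE, MOBILE)],
    s2s_p2=[(LAN, REMOTE), (MOBILE, REMOTE)],
    peer_p2=[(REMOTE, LAN), (REMOTE, MOBILE)],
)

if __name__ == "__main__":
    client, target = n("10.10.10.5/32"), n("192.168.90.10/32")
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, p2_gaps(client=client, target=target, **cfg) or "all P2 entries present")
```

The checker only models selector coverage; the IPsec tab firewall rules on pfSense and the peer's policies still have to permit the traffic.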


  • @jimp:

    You need to set up Phase 2 entries for the extra network, so:

    On Mobile P1, you need a P2 for 192.168.90.0/24 and 172.10.10.0/24
    On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!)

    And you also have to pass that traffic in the IPsec tab firewall rules.

    Hi Admin

    I have got a similar setup:

    a site-to-site IPsec VPN, both ends running pfSense 2.3.2_p1 (192.168.50.0/24 and 192.168.70.0/24), and a mobile IPsec endpoint (192.168.71.0/24); my goal is to allow mobile IPsec users to access both sites.

    Now I have the following setup:

    Mobile P2: 192.168.70.0/24 and 192.168.50.0/24
    Site-to-site P2: 192.168.70.0/23 (covers both .70 and .71) <-> 192.168.50.0/24

    So far the user who has 192.168.71.1 (Android native IPsec client) can access 192.168.70.0/24 but not 192.168.50.0/24. The firewall rules on the IPsec tab are set to allow all.

    Here is the tracert from a Windows box in the 192.168.50.0/24 subnet (192.168.50.2 is the pfSense LAN IP):

    tracert 192.168.70.2

    Tracing route to 192.168.70.2 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  192.168.50.2
      2     7 ms     7 ms     6 ms  192.168.70.2

    tracert 192.168.71.1

    Tracing route to 192.168.71.1 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  192.168.50.2
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4  ^C

    In the firewall states I can see some traffic, so I guess pfSense doesn't know where to send the traffic back.

    Please advise.

    Thanks



  • Hey all,

    Exactly the same here; adding a second PH2 network isn't fixing my issue. Either way, the mobile client doesn't know how to reach the other IPsec destination. On Fortigate you can define static routes, and each IPsec connection can be added as "source device". Unfortunately this does not work the same way on pfSense. What I'm missing is a way to tell a pfSense static route to use an IPsec connection as "gateway". If anybody can shed some light on this issue I would really appreciate it.

    BR,
    Matthias



  • Hi

    I figured out a workaround myself.

    On the mobile P1 add a P2 to route everything, 0.0.0.0/0. And I am using the Android built-in VPN client, which can define what range of IPs goes through the VPN.

    Site-to-site P2s are needed as suggested.

    Thanks

