IPsec Client -> Site-to-Site VPN via pfSense
-
Dear folks,
This is my first post, so don't blame me :) I have the following situation:
- Windows clients connect via the Shrew Soft VPN client to my pfSense (IPsec; the virtual IP range is therefore 10.10.10.0/24)
- A Fortigate connects via an IPsec site-to-site tunnel to my pfSense (and has the network 192.168.90.0/24)
- my local network is 172.10.10.0/24 (where the pfSense sits)
The goal is to be able to connect the Windows client to my pfSense and access the 192.168.90.0/24 network.
Currently I'm able to open the IPsec tunnel from the Windows client and access my local network (172.10.10.0).
I tried several things that should fix the issue, without success. Now I'm asking the pros here ... what would help is to know
- what firewall rules need to be in place
- currently I'm doing NAT on all tunnels - is this OK?
Side note: if I look at the networks reachable from the Windows client (route print), the 192.168.90.0 network is not provided (the local network 172.10.10.0 is provided). I added it manually in the Shrew Soft client ....
Thanks to everybody who supports me on this!
BR,
Matthias
-
You need to set up Phase 2 entries for the extra network, so:
On the Mobile P1, you need a P2 for 192.168.90.0/24 and one for 172.10.10.0/24.
On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!).
And you also have to pass that traffic in the IPsec tab firewall rules.
-
Hi Admin,
I have got a similar setup:
a site-to-site IPsec VPN with both ends running pfSense 2.3.2_p1 (192.168.50.0/24 and 192.168.70.0/24) and a mobile IPsec endpoint (192.168.71.0/24). My goal is to allow mobile IPsec users to access both sites.
Now I have got the following setup:
Mobile P2: 192.168.70.0/24 and 192.168.50.0/24
Site-to-site P2: 192.168.70.0/23 (covers both .70 and .71) <-> 192.168.50.0/24
So far the user who has 192.168.71.1 (Android native IPsec client) can access 192.168.70.0/24 but not 192.168.50.0/24. The firewall rules in IPsec are set to allow all.
Here is the tracert from a Windows box in the 192.168.50.0/24 subnet (192.168.50.2 is the pfSense LAN IP):
tracert 192.168.70.2
Tracing route to 192.168.70.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.50.2
  2     7 ms     7 ms     6 ms  192.168.70.2
tracert 192.168.71.1
Tracing route to 192.168.71.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.50.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4  ^C
In the firewall states I can see some traffic, so I guess pfSense doesn't know where to send the traffic back.
Please advise.
Thanks
-
Hey all,
Exactly the same here; adding a second P2 network isn't fixing my issue. Either way, the mobile client doesn't know how to reach the other IPsec destination. On Fortigate you can define static routes, and each IPsec connection can be added as "source device". Unfortunately this doesn't work the same way on pfSense. What I'm missing is a way to tell a pfSense static route to use an IPsec connection as "gateway". If anybody can shed some light on this issue I would really appreciate it.
BR,
Matthias
-
Hi,
I figured out a workaround myself.
On the mobile P1, add a P2 that routes everything (0.0.0.0/0). And I am using the Android built-in VPN client, which can define which range of IPs goes through the VPN.
The site-to-site P2s are needed as suggested.
Thanks
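The admin's answer above and the second poster's /23 setup and 0.0.0.0/0 workaround all come down to one thing: a packet from a mobile client to a site-to-site peer crosses two IPsec tunnels, and every tunnel it crosses (on both ends) needs a Phase 2 selector that matches it. The script below is an added example, not code from this thread or from pfSense; it checks a (local, remote) P2 list the way the pfSense P2 editor lays it out, with the networks constructed from the posts, and the function and constant names are this example's own.

```python
"""Check whether IPsec Phase 2 selectors cover a client -> remote-site path.

Added example for the thread above, not pfSense code. Each tunnel is a list
of (local, remote) Phase 2 pairs as entered in the pfSense P2 editor; the
networks are taken from the posts, the hop names are invented here.
"""
from ipaddress import ip_network


def p2_covers(p2_entries, src, dst):
    """True if one (local, remote) P2 pair covers src -> dst in either direction.

    strongSwan on pfSense installs each P2 selector for both directions, so a
    pair (A, B) also carries B -> A traffic; that symmetry is built in here.
    """
    src = ip_network(src, strict=False)
    dst = ip_network(dst, strict=False)
    for local, remote in p2_entries:
        local = ip_network(local)
        remote = ip_network(remote)
        if (src.subnet_of(local) and dst.subnet_of(remote)) or (
            src.subnet_of(remote) and dst.subnet_of(local)
        ):
            return True
    return False


def missing_p2(tunnels, src, dst):
    """Return the names of tunnels (in hop order) with no P2 for src -> dst.

    `tunnels` is a list of (name, p2_entries). A mobile client reaching a
    site-to-site peer traverses the mobile tunnel and then the site-to-site
    tunnel, and the site-to-site tunnel has a P2 list on each peer.
    """
    return [name for name, entries in tunnels if not p2_covers(entries, src, dst)]


# Constructed from the first post: mobile pool 10.10.10.0/24, pfSense LAN
# 172.10.10.0/24, Fortigate LAN 192.168.90.0/24. Before the fix only the
# LAN <-> pool and LAN <-> Fortigate selectors exist.
MOBILE_BEFORE = [("172.10.10.0/24", "10.10.10.0/24")]
SITE_PFSENSE_BEFORE = [("172.10.10.0/24", "192.168.90.0/24")]
SITE_FORTI_BEFORE = [("192.168.90.0/24", "172.10.10.0/24")]  # mirrored on the far end

# After adding the selectors the answer asks for, on all three places.
MOBILE_AFTER = MOBILE_BEFORE + [("192.168.90.0/24", "10.10.10.0/24")]
SITE_PFSENSE_AFTER = SITE_PFSENSE_BEFORE + [("10.10.10.0/24", "192.168.90.0/24")]
SITE_FORTI_AFTER = SITE_FORTI_BEFORE + [("192.168.90.0/24", "10.10.10.0/24")]


def first_poster_before():
    return missing_p2(
        [("mobile P1", MOBILE_BEFORE),
         ("site-to-site P1 (pfSense)", SITE_PFSENSE_BEFORE),
         ("site-to-site P1 (Fortigate)", SITE_FORTI_BEFORE)],
        "10.10.10.0/24", "192.168.90.0/24")


def first_poster_after():
    return missing_p2(
        [("mobile P1", MOBILE_AFTER),
         ("site-to-site P1 (pfSense)", SITE_PFSENSE_AFTER),
         ("site-to-site P1 (Fortigate)", SITE_FORTI_AFTER)],
        "10.10.10.0/24", "192.168.90.0/24")


# Constructed from the second post: a single 192.168.70.0/23 selector on the
# site-to-site P2 covers both 192.168.70.0/24 and the mobile pool 192.168.71.0/24.
MOBILE_SECOND = [("192.168.70.0/24", "192.168.71.0/24"),
                 ("192.168.50.0/24", "192.168.71.0/24")]
SITE_SECOND = [("192.168.70.0/23", "192.168.50.0/24")]

# The workaround: one 0.0.0.0/0 P2 on the mobile P1 matches any destination.
MOBILE_ANY = [("0.0.0.0/0", "192.168.71.0/24")]


def second_poster():
    return missing_p2(
        [("mobile P1", MOBILE_SECOND), ("site-to-site P1", SITE_SECOND)],
        "192.168.71.1", "192.168.50.0/24")


if __name__ == "__main__":
    print("first poster, before fix:", first_poster_before())
    print("first poster, after fix: ", first_poster_after())
    print("second poster (pfSense side selectors):", second_poster())
    print("0.0.0.0/0 P2 covers 192.168.71.1 -> 192.168.50.7:",
          p2_covers(MOBILE_ANY, "192.168.71.1", "192.168.50.7"))
```

Selector coverage on the gateways is necessary but not sufficient: the second poster's list comes back empty on the pfSense side, yet traffic still fails, which is consistent with the client not routing the destination into the tunnel (the first post's route print shows the same gap) and is why a 0.0.0.0/0 P2 plus a client-side address range works around it. The check also only models the selectors you can see; the far peer's P2 list has to be read from the Fortigate itself.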