Site2pfSsense2Site



Hi all,

Let me explain my setup and then tell you what is going wrong, so that you have some sense of the network :) FYI: this is a very complex system, simplified ;)

I have site A, where a Hillstone is located. It connects to site B, where I have pfSense (latest version). Subnet A 192.168.100.0/24 is located at site A. Site B doesn't have a subnet, but site C (Juniper) does, 192.168.200.0/24, which also has an IPsec connection to site B. Only IKEv2 is used. So I have the following setting:

Site A (Hillstone) < - > Site B (pfSense) < - > Site C (Juniper)
Subnets on IPsec from A to B: L:192.168.100.0/24 == R:192.168.200.0/24
Subnets on IPsec from B to C: L:192.168.200.0/24 == R:192.168.100.0/24

This sort of works, but not all protocols work going from A to C. In the pfSense logs I found that it has trouble with host A -> host C on protocol TCP:A. As far as I have read online, the fix for this is to use sloppy state tables. But the fun doesn't end there ;D. Because if I use sloppy state tables, then I have the following error: host C -> host A on protocol TCP:SA :o

For different reasons I can't make an IPsec tunnel from site A directly to site C.
I was considering just using random subnets between the sites and building GRE tunnels over which I can set up a routing protocol (OSPF/BGP/etc.); then it shouldn't have these issues. But for now I would like to stick with this setup. If there's anyone who can point me in a direction where to look to fix this problem, I would really appreciate it 8)

FYI:
With tcpdump on the pfSense host B I can see that some packets are coming in from 1 SPI session and leaving through another SPI session, and vice versa ofc. Ping etc. also works, but that's because it isn't a stateful protocol.

Kind regards,
TheSec
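As an added example (not from the original post or from pfSense itself), here is a small Python script that parses pfSense filterlog lines and classifies blocked TCP packets between the two subnets by their TCP flags, which is the first check to make when confirming an out-of-state (asymmetric path) symptom like the TCP:A / TCP:SA blocks described above. The filterlog field order is assumed from the documented CSV layout and the sample lines are constructed, not taken from the poster's system.

```python
import ipaddress
from collections import Counter

# Subnets from the post: A behind the Hillstone, C behind the Juniper.
SUBNET_A = ipaddress.ip_network("192.168.100.0/24")
SUBNET_C = ipaddress.ip_network("192.168.200.0/24")

# Constructed filterlog lines (assumed field order: rule,subrule,anchor,tracker,
# iface,reason,action,dir,ipver, IPv4: tos,ecn,ttl,id,offset,flags,proto-id,
# proto,len,src,dst, TCP: sport,dport,datalen,tcpflags,seq,ack,win,urg,opts).
SAMPLE_LOG = """\
5,,,1000000103,enc0,match,block,in,4,0x0,,63,41234,0,DF,6,tcp,52,192.168.100.10,192.168.200.20,51000,443,0,A,10001,20002,65535,,
5,,,1000000103,enc0,match,block,in,4,0x0,,62,9981,0,DF,6,tcp,60,192.168.200.20,192.168.100.10,443,51001,0,SA,30003,10002,65535,,mss
5,,,1000000103,enc0,match,block,in,4,0x0,,63,41299,0,DF,6,tcp,60,192.168.100.10,192.168.200.20,51002,443,0,S,10005,,65535,,mss
5,,,1000000103,enc0,match,block,in,4,0x0,,63,123,0,DF,1,icmp,84,192.168.100.10,192.168.200.20,request,0,0
"""

def classify(flags):
    """Map the TCP flags of a blocked packet to the symptom they suggest."""
    if "S" in flags and "A" not in flags:
        return "syn-blocked (rule/policy block, not a state problem)"
    if flags == "SA":
        return "syn-ack blocked (the SYN never created state on this path)"
    return "mid-stream blocked (no matching state: asymmetric path)"

def parse_blocks(text):
    """Return (src, dst, flags, verdict) for blocked TCP packets between A and C."""
    out = []
    for line in text.splitlines():
        f = line.split(",")
        # Need at least the tcpflags column; skip non-block, non-IPv4, non-TCP rows.
        if len(f) < 24 or f[6] != "block" or f[8] != "4" or f[16] != "tcp":
            continue
        src, dst = ipaddress.ip_address(f[18]), ipaddress.ip_address(f[19])
        a_to_c = src in SUBNET_A and dst in SUBNET_C
        c_to_a = src in SUBNET_C and dst in SUBNET_A
        if not (a_to_c or c_to_a):
            continue
        flags = f[23]
        out.append((str(src), str(dst), flags, classify(flags)))
    return out

def summarize(text):
    """Count verdicts so the dominant symptom is visible at a glance."""
    return Counter(verdict for _, _, _, verdict in parse_blocks(text))

if __name__ == "__main__":
    for row in parse_blocks(SAMPLE_LOG):
        print(row)
    print(summarize(SAMPLE_LOG))
```

A run dominated by mid-stream and SYN-ACK blocks points at state tracking on the hairpinned path rather than at the rules themselves.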

