Netgate Discussion Forum
    Site2pfSense2Site

    IPsec
    1 Posts 1 Posters 594 Views

    TheSec

      Hi all,

      Let me explain my setup and then tell you what is going wrong, so you have some sense of the network :) FYI: this is a very complex system, simplified ;)

      I have site A, where a Hillstone is located. It connects to site B, where I have pfSense (latest version). Subnet A, 192.168.100.0/24, is located at site A. Site B doesn't have a subnet, but site C (Juniper) does, 192.168.200.0/24, and it also has an IPsec connection to site B. Only IKEv2 is used. So I have the following setup:

      Site A(Hillstone) < - > Site B(pfSense) < - > Site C (Juniper)
      Subnets on ipsec from A to B : L:192.168.100.0/24 == R:192.168.200.0/24
      Subnets on ipsec from B to C : L:192.168.200.0/24 == R:192.168.100.0/24

      This sort of works, but not all protocols work going from A to C. In the pfSense logs I found that it has trouble with host A -> host C on protocol TCP:A. As far as I have read online, the fix for this is to use sloppy state tables. But the fun doesn't end there ;D Because if I use sloppy state tables, then I get the following error: host C -> host A on protocol TCP:SA :o

      For different reasons I can't set up an IPsec tunnel from site A directly to site C.
      I was considering just using random subnets between the sites and building GRE tunnels over which I can set up a routing protocol (OSPF/BGP/etc.); then it shouldn't have these issues. But for now I would like to stick with this setup. If there's anyone who can point me in a direction where to look to fix this problem, I would really appreciate it 8)

      FYI:
      With tcpdump on the pfSense host B I can see that some packets are coming in from one SPI session and leaving through another SPI session, and vice versa of course. Ping etc. also works, but that's because it isn't a stateful protocol.

      Kind regards,
      TheSec

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.