Netgate Discussion Forum

    IPsec traffic over multiple tunnels

      geyser:

      I have PFSense boxes at 4 different sites, each site has its own 192.168.?.0/24 address space (a Class C for each site essentially).

      Each site has a direct IPsec connection to each other.

      192.168.214.0 - Dallas
      192.168.43.0 - Baltimore
      192.168.48.0 - Phoenix
      192.168.81.0 - Kansas City

      Now I want to add IKEv2 VPN connections from Windows 10 machines connecting to our Dallas PFSense box.  I found this how-to to set it up:  IKEv2 VPN for Windows 10 and OSX - HOW-TO!

      Much to my amazement - it worked first time out of the box (how often does that ever happen?!?!).

      I generated the certificates and have the Dallas box issue a 172.16.85.0 address to mobile clients.  My first client normally gets 172.16.85.1.

      According to the tutorial I set up a route like this:

      Add-VpnConnectionRoute -ConnectionName "VPN_DALLAS" -DestinationPrefix 192.168.214.0/24 -PassThru

      So that means any traffic with a destination on 192.168.214.0 should get pushed over the VPN.  That works, I can reach anything at our Dallas network.

      Now the next step is where I run into issues.  I assumed since I was connected to the VPN I could connect to any address in the VPN network through Dallas.

      So I removed the routing rule, and added this one:

      Add-VpnConnectionRoute -ConnectionName "VPN_DALLAS" -DestinationPrefix 192.168.0.0/16 -PassThru

      I assumed it would then route all traffic for 192.168.0.0 over the VPN and then the PFSense box would take care of routing the traffic to Baltimore, Phoenix, Kansas City or Dallas.

      Unfortunately no luck.

      Do I have to set up some crazy routing at each site to make this work?  Am I going about this totally the wrong way?

      Geyser

        jammcla:

        If you are doing IPSEC Tunnels for your Phase 2 connections to your other sites, then you will have to add another Phase 2 to allow your VPN traffic to go to the other sites.

        So from Dallas the local network would be the VPN subnet (172.16.85.0 network) and the remote would be the other sites.

          geyser:

          Ok, so let me see if I have this right.

          From the Dallas data center where I have the mobile clients connecting, if I want the mobile clients to be able to route traffic to Phoenix, would I need to create a 2nd Phase 2 entry on the existing VPN link to Phoenix?

          From Dallas to Phoenix I have an IPSec link already, it routes LAN traffic to 192.168.48.0/24 over the Phoenix link.

          So in order to get my Mobile Client network to go to Phoenix I add a 2nd Phase 2 rule that routes anything from 172.16.85.0/24 that is trying to reach 192.168.48.0/24.

          See the attached which shows the addition I made.  Is that what you are suggesting is needed?

          [Attachment: Phase2.gif]

            jammcla:

            Yes, that looks right.  Also remember to add firewall rules allowing the traffic over the IPSEC link.

            Using tunnel mode on IPSEC will do the routing between the pfSense boxes.  You will just have to push the routes to the clients.  I haven't dealt with mobile clients and IPSEC in a few years, but I would guess if you try passing the /16 for routing it would work now.

            Then thinking about it for a bit:

            Also you will want to check the Phase 2 of the VPN connection to the mobile clients, that the Local network represents all of your sites, so you might have to change that to a /16 as well.

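The thread's answer comes down to how policy-based IPsec picks a tunnel: a packet is only encrypted into a Phase 2 whose local/remote selectors contain its source and destination, and on the way in it is only accepted if it matches that tunnel's selectors in reverse. The following Python model is an added example, not code from the thread or from pfSense; the subnets are the ones geyser listed, while the host addresses, the tunnel labels, the BEFORE/AFTER tables and the function names are constructed assumptions. It does not reproduce pfSense's real SPD ordering or firewall rules, only the selector matching that explains why the /16 client route alone was not enough and what the extra Phase 2 entries change.

```python
"""Model of policy-based IPsec traffic selectors on the Dallas box.

Constructed example built on the subnets from the thread; not pfSense code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    tunnel: str                      # which IKE peer (Phase 1) the policy belongs to
    local: ipaddress.IPv4Network     # "Local Network" in the pfSense Phase 2 editor
    remote: ipaddress.IPv4Network    # "Remote Network" in the pfSense Phase 2 editor


def p2(tunnel: str, local: str, remote: str) -> Phase2:
    return Phase2(tunnel, ipaddress.ip_network(local), ipaddress.ip_network(remote))


DALLAS_LAN = ipaddress.ip_network("192.168.214.0/24")
MOBILE_TUNNEL = "mobile-ikev2"   # assumed label for the Windows client tunnel

# Policy table as geyser describes it at the start: one LAN-to-LAN Phase 2 per
# site tunnel, and a mobile Phase 2 whose local network is only the Dallas LAN.
SITE_TO_SITE = [
    p2("dallas-baltimore", "192.168.214.0/24", "192.168.43.0/24"),
    p2("dallas-phoenix",   "192.168.214.0/24", "192.168.48.0/24"),
    p2("dallas-kc",        "192.168.214.0/24", "192.168.81.0/24"),
]
BEFORE = SITE_TO_SITE + [p2(MOBILE_TUNNEL, "192.168.214.0/24", "172.16.85.0/24")]

# After jammcla's suggestions: a second Phase 2 on each site tunnel with the
# mobile subnet as local network, and the mobile Phase 2 widened to cover
# every site's LAN.
AFTER = SITE_TO_SITE + [
    p2("dallas-baltimore", "172.16.85.0/24", "192.168.43.0/24"),
    p2("dallas-phoenix",   "172.16.85.0/24", "192.168.48.0/24"),
    p2("dallas-kc",        "172.16.85.0/24", "192.168.81.0/24"),
    p2(MOBILE_TUNNEL,      "192.168.0.0/16", "172.16.85.0/24"),
]


def select_outbound(policies, src: str, dst: str) -> Optional[str]:
    """Name of the first Phase 2 whose selectors contain src/dst, else None
    (no policy matches, so the packet would follow the plain routing table)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        if s in pol.local and d in pol.remote:
            return pol.tunnel
    return None


def accept_inbound(policies, tunnel: str, src: str, dst: str) -> bool:
    """A decrypted packet from `tunnel` is accepted only if it matches one of
    that tunnel's Phase 2 entries in reverse: src in remote, dst in local."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(pol.tunnel == tunnel and s in pol.remote and d in pol.local
               for pol in policies)


def trace_mobile_packet(policies, client_routes, src: str, dst: str):
    """Follow a packet from a Windows client (src) towards dst.

    client_routes are the prefixes pushed with Add-VpnConnectionRoute.
    Returns (client_sends_via_vpn, dallas_accepts, next_hop) where next_hop
    is 'dallas-lan', a site tunnel name, or None when the packet goes nowhere.
    """
    d = ipaddress.ip_address(dst)
    if not any(d in ipaddress.ip_network(r) for r in client_routes):
        return (False, False, None)     # client never puts it in the tunnel
    if not accept_inbound(policies, MOBILE_TUNNEL, src, dst):
        return (True, False, None)      # mobile Phase 2 local network too narrow
    if d in DALLAS_LAN:
        return (True, True, "dallas-lan")
    return (True, True, select_outbound(policies, src, dst))


if __name__ == "__main__":
    client = "172.16.85.1"              # geyser's first mobile client
    print(trace_mobile_packet(BEFORE, ["192.168.214.0/24"], client, "192.168.214.10"))
    print(trace_mobile_packet(BEFORE, ["192.168.0.0/16"], client, "192.168.48.5"))
    print(trace_mobile_packet(AFTER, ["192.168.0.0/16"], client, "192.168.48.5"))
```

Run as-is it prints the three situations in order: the original /24 route reaching Dallas, the /16 route arriving at Dallas but being rejected by the mobile Phase 2, and the widened table carrying the packet onward to the Phoenix tunnel. The remote sites need the mirror-image Phase 2 (local = their LAN, remote = 172.16.85.0/24) and, as jammcla notes, firewall rules on the IPsec interface; neither is modelled here.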
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.