IPsec traffic over multiple tunnels
I have PFSense boxes at 4 different sites, each site has its own 192.168.?.0/24 address space (a Class C for each site essentially).
Each site has a direct IPsec connection to each other.
192.168.214.0 - Dallas
192.168.43.0 - Baltimore
192.168.48.0 - Phoenix
192.168.81.0 - Kansas City
Now I want to add IKEv2 VPN connections from Windows 10 machines connecting to our Dallas PFSense box. I found this how-to to set it up: IKEv2 VPN for Windows 10 and OSX - HOW-TO!
Much to my amazement - it worked first time out of the box (how often does that ever happen?!?!).
I generated the certificates and have the Dallas box issue a 172.16.85.0 address to mobile clients. My first client normally gets 172.16.85.1.
According to the tutorial I set up a route like this:
Add-VpnConnectionRoute -ConnectionName "VPN_DALLAS" -DestinationPrefix 192.168.214.0/24 -PassThru
So that means any traffic with a destination on 192.168.214.0 should get pushed over the VPN. That works, I can reach anything at our Dallas network.
Now the next step is where I run into issues. I assumed since I was connected to the VPN I could connect to any address in the VPN network through Dallas.
So I removed the routing rule, and added this one:
Add-VpnConnectionRoute -ConnectionName "VPN_DALLAS" -DestinationPrefix 192.168.0.0/16 -PassThru
I assumed it would then route all traffic for 192.168.0.0 over the VPN and then the PFSense box would take care of routing the traffic to Baltimore, Phoenix, Kansas City or Dallas.
Unfortunately no luck.
Do I have to setup some crazy routing at each site to make this work? Am I going about this totally the wrong way?
If you are doing IPSEC Tunnels for your Phase 2 connections to your other sites, then you will have to add another Phase 2 to allow your VPN traffic to go to the other sites.
So from Dallas the local network would be the VPN subnet (the 172.16.85.0 network) and the remote would be the other sites.
Ok, so let me see if I have this right.
From the Dallas data center where I have the mobile clients connecting, if I want the mobile clients to be able to route traffic to Phoenix I would need to create a 2nd Phase 2 entry on the existing VPN link to Phoenix?
From Dallas to Phoenix I have an IPSec link already, it routes LAN traffic to 192.168.48.0/24 over the Phoenix link.
So in order to get my Mobile Client network to go to Phoenix I add a 2nd Phase 2 rule that routes anything from 172.16.85.0/24 that is trying to reach 192.168.48.0/24.
See the attached which shows the addition I made. Is that what you are suggesting is needed?
Yes, that looks right. Also Remember to add firewall rules allowing the traffic over the IPSEC link.
Using tunnel mode on IPSEC will do the routing between the pfSense boxes. You will just have to push the routes to the clients. I haven't dealt with mobile clients and IPSEC in a few years, but I would guess if you try passing the /16 for routing it would work now.
Then thinking about it for a bit:
Also you will want to check the Phase 2 of the VPN connection to the mobile clients that the Local network represents all of your sites. So you might have to change that to a /16 as well.
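The reason the /16 client route alone did nothing is that policy-based IPsec only encapsulates a packet when some Phase 2 (child SA) selector pair matches its source and destination; the Dallas-to-Phoenix tunnel only had a 192.168.214.0/24 to 192.168.48.0/24 selector, so packets from 172.16.85.x were never placed in the tunnel. The script below is an added example (not pfSense code or anything from the thread) that models the Dallas Phase 2 table with the thread's subnets as constructed data and reports which mobile-client Phase 2 entries are still missing; the remote side of each tunnel needs the mirror-image entry as well, which the script does not model.

```python
"""Check which site-to-site Phase 2 selectors cover mobile-client traffic."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 (child SA) traffic selector pair on a site-to-site tunnel."""
    tunnel: str   # name of the site-to-site tunnel the entry lives on
    local: str    # local network selector, CIDR
    remote: str   # remote network selector, CIDR


# Constructed Dallas configuration before the fix: one Phase 2 per tunnel
# carrying Dallas LAN traffic only (subnets taken from the thread).
SITES = {
    "Baltimore": "192.168.43.0/24",
    "Phoenix": "192.168.48.0/24",
    "Kansas City": "192.168.81.0/24",
}
DALLAS_LAN = "192.168.214.0/24"
MOBILE_NET = "172.16.85.0/24"   # pool handed out to IKEv2 mobile clients
DALLAS_P2 = [Phase2(name, DALLAS_LAN, net) for name, net in SITES.items()]


def covering_phase2(entries, src, dst):
    """Return the Phase 2 whose selectors match packet src -> dst, else None.
    Without a match the packet is never encapsulated, regardless of any
    route the Windows client has for the destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in entries:
        if s in ipaddress.ip_network(p2.local) and d in ipaddress.ip_network(p2.remote):
            return p2
    return None


def missing_mobile_phase2(entries, mobile_net, sites):
    """List the Phase 2 entries Dallas still needs so that the whole mobile
    pool is covered towards every remote site (selector must contain the
    entire subnet, not just one client address)."""
    mobile = ipaddress.ip_network(mobile_net)
    needed = []
    for name, net in sites.items():
        site = ipaddress.ip_network(net)
        covered = any(mobile.subnet_of(ipaddress.ip_network(p.local))
                      and site.subnet_of(ipaddress.ip_network(p.remote))
                      for p in entries)
        if not covered:
            needed.append(Phase2(name, mobile_net, net))
    return needed


if __name__ == "__main__":
    for p2 in missing_mobile_phase2(DALLAS_P2, MOBILE_NET, SITES):
        print(f"add on tunnel {p2.tunnel}: local {p2.local} remote {p2.remote}")
```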