IPSEC single host Phase 2



  • Hi,

    I don't have experience with IPSEC. Here's the short version: host on Site A, can connect to the LAN subnet on site B, even though there's no Phase 2 entry for it.

    I have 2 x SG-2220 pfsense version 2.3.4 and I'm trying to make an IPSEC connection between them. They are on different public IPs.

    Simplified network diagram:

    Site A LAN subnet: 192.168.1.0/24
    Site B LAN subnet: 192.168.2.0/24

    NAS on site A: 192.168.1.1
    NAS on site B: 192.168.2.1

    I want to connect some laptops from the 2 different sites to the 2 NAS boxes, but I don't want other network devices to communicate through the IPSEC tunnel. I know I can make rules for that, but I want to understand how this works.

    Phase 1 seems to work properly and I've set up P2 like this:

    Site A:
    Local Subnet      Remote Subnet
    LAN               192.168.2.1
    192.168.1.1       192.168.2.0/24

    Site B:
    Local Subnet      Remote Subnet
    LAN               192.168.1.1
    192.168.2.1       192.168.1.0/24

    Now all I'd have to do is create firewall rules to allow incoming traffic from different hosts to the NAS.

    During setup, I created a firewall rule on site B to allow traffic from 192.168.1.2 (a laptop) to any.

    I can access any host on site B from 192.168.1.2, for example from 192.168.1.2 to 192.168.2.10.

    Is this normal?

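A small selector-matching check, added here as an example and not part of the post, that models the Phase 2 entries above (Site A's side) as IPsec traffic selectors and reports which flows they cover. It assumes the pfSense "LAN" entry means Site A's 192.168.1.0/24; a flow that no entry covers, such as 192.168.1.2 -> 192.168.2.10, is exactly the case the post asks about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Site A's LAN, which the pfSense "LAN" selector expands to (assumption from the post).
SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry: traffic is carried only if src is in local and dst is in remote."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# The two Phase 2 entries configured on Site A in the post.
PHASE2_SITE_A = [
    Phase2(SITE_A_LAN, ipaddress.ip_network("192.168.2.1/32")),
    Phase2(ipaddress.ip_network("192.168.1.1/32"), ipaddress.ip_network("192.168.2.0/24")),
]


def matching_selector(src: str, dst: str, entries=PHASE2_SITE_A) -> Optional[Phase2]:
    """Return the first Phase 2 entry whose selectors cover the src->dst flow, or None."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for entry in entries:
        if s in entry.local and d in entry.remote:
            return entry
    return None


def describe(src: str, dst: str, entries=PHASE2_SITE_A) -> str:
    """Human-readable verdict for one flow, useful when auditing what a tunnel should carry."""
    entry = matching_selector(src, dst, entries)
    if entry is None:
        return f"{src} -> {dst}: no Phase 2 selector covers this flow"
    return f"{src} -> {dst}: covered by {entry.local} <-> {entry.remote}"


if __name__ == "__main__":
    # Constructed sample flows: laptop to NAS, NAS to remote host, laptop to remote host.
    for flow in [("192.168.1.2", "192.168.2.1"),
                 ("192.168.1.1", "192.168.2.10"),
                 ("192.168.1.2", "192.168.2.10")]:
        print(describe(*flow))
```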
