IPSEC single host Phase 2

netnewb

Hi,

I don't have experience with IPSEC. Here's the short version: host on Site A, can connect to the LAN subnet on site B, even though there's no Phase 2 entry for it.

I have 2 x SG-2220 pfsense version 2.3.4 and I'm trying to make an IPSEC connection between them. They are on different public IPs.

Simplified network diagram:

Site A LAN subnet: 192.168.1.0/24
Site B LAN subnet: 192.168.2.0/24

NAS on site A: 192.168.1.1
NAS on site B: 192.168.2.1

I want to connect some laptops from the 2 different sites to the 2 NAS boxes, but I don't want other network devices to communicate through the IPSEC tunnel. I know I can make rules for that, but I want to understand how this works.

Phase 1 seems to work properly and I've setup P2 like this:

Site A:
Local Subnet          Remote Subnet
LAN                        192.168.2.1
192.168.1.1            192.168.2.0/24

Site B:
Local subnet          Remote Subnet
LAN                      192.168.1.1
192.168.2.1          192.168.1.0/24

Now all I'd have to do, is create firewall rules to allow incoming traffic from different hosts to the NAS.

During setup, I created a firewall rule on site B to allow traffic from 192.168.1.2 (a laptop) to any.

I can access any host on site B from 192.168.1.2, for example from 192.168.1.2 to 192.168.2.10.

Is this normal?