IPSec Tunneling Between 3 Different Sites



  • Dear all,

    I need some help to shed some light on IPsec tunneling. Here I will explain my current setup.

    Site A <------IPSEC------> Site B (HUB) <------IPSEC------> Site C
    10.1.1.1/24                10.2.2.1/24                    10.3.3.1/24

    Tunnels from Site A to Site B and from Site B to Site C are working fine. However, Site A is not able to reach Site C directly, and vice versa.

    On Site A the phase 2 entry:
    Local: LAN Subnet
    Nat / Binat: None
    Remote: Network (10.2.2.1/24)

    On Site C the phase 2 entry:
    Local: LAN Subnet
    Nat / Binat: None
    Remote: Network (10.2.2.1/24)

    On Site B there are 2 IPSec Tunnels:

    1. Site A Phase 2 entry:
      Local: LAN Subnet
      Nat: None
      Remote: Network (10.1.1.1/24)

    2. Site C Phase 2 entry:
      Local: LAN Subnet
      Nat: None
      Remote: Network (10.3.3.1/24)

    Note: FYI, we do not have access to Site C. Therefore any adjustment can only be made on Site A and Site B.

    Kindly let me know if you may require any other information. Thank you in advance.


  • Netgate

    Obviously you need to add Phase 2 entries for 10.1.1.0/24 === 10.3.3.0/24 on both IPsec connections and make sure the firewall rules on IPsec pass the necessary traffic.



  • Dear Derelict,

    Thank you for your reply. Yes, I agree that adding another phase 2 entry on both sites will achieve the goal. Unfortunately, however, we do not have access to Site C (10.3.3.1/24) to add a phase 2 entry. Therefore we are wondering whether any other method may accomplish the same goal (e.g. NAT/BINAT). I would really appreciate any help in resolving the puzzle.


  • Netgate

    Then you're pretty much out of luck. Successful IPsec generally requires cooperation from all parties on all sides.

    Perhaps if you narrowed the scope from the entire /24 networks to some specific traffic that needs to be passed something could be done, but as it is, no.



  • Thank you Derelict.

    I would appreciate it if you could shed some light on narrowing down the scope to some specific traffic that needs to be passed. In other words, is it possible to do a double one-to-one NAT at Site B so that we can "map" the IP address space of Site A into Site B, and the address space of Site C into Site B?

    [10.1.1.x]->IPSEC->[10.2.2.x] NAT [10.2.2.x]->IPSEC->[10.3.3.x] and the other way around.

    Please advise if the above is doable. Thank you in advance.


  • Netgate

    Yes, it would be possible if the Phase 2 traffic selector you can't change was a /23 and you wanted a /24 at each site, but you are going to have to detail what you want to see given the scenario you have explained so far.
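    The following is an added worked example, not code from the thread or from Netgate, that walks the two ideas raised above through a simplified phase 2 (traffic selector) lookup: first Derelict's fix of adding 10.1.1.0/24 === 10.3.3.0/24 to both tunnels, then the double one-to-one NAT at the hub. The site prefixes are the ones in the thread; the host addresses used as sample packets, the function names, and the per-box entry lists are constructed for this illustration.

```python
"""Phase 2 traffic-selector walk-through for the hub-and-spoke setup in the thread.

Added example (not from the original thread). Site prefixes come from the thread:
Site A = 10.1.1.0/24, Site B (hub) = 10.2.2.0/24, Site C = 10.3.3.0/24.
Sample host addresses are constructed.
"""
from ipaddress import ip_address, ip_network


def phase2_match(entries, src, dst):
    """Return the (local, remote) phase 2 entry that covers src -> dst, or None.

    A packet is only placed into (or accepted from) a tunnel when its source
    falls in the entry's local network and its destination in the remote one.
    """
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in entries:
        if src in ip_network(local) and dst in ip_network(remote):
            return (local, remote)
    return None


# Phase 2 entries as described in the thread: one entry per tunnel, each site
# only lists the hub (and the hub only lists each spoke).
CURRENT = {
    "A":    [("10.1.1.0/24", "10.2.2.0/24")],   # Site A, tunnel to B
    "B->A": [("10.2.2.0/24", "10.1.1.0/24")],   # Site B, tunnel to A
    "B->C": [("10.2.2.0/24", "10.3.3.0/24")],   # Site B, tunnel to C
    "C":    [("10.3.3.0/24", "10.2.2.0/24")],   # Site C, tunnel to B (cannot be changed)
}

# Derelict's fix: 10.1.1.0/24 === 10.3.3.0/24 added on both tunnels, i.e. on
# every box. The hub's A-side entry is mirrored because local/remote are
# relative to the box holding the entry.
FIXED = {
    "A":    CURRENT["A"]    + [("10.1.1.0/24", "10.3.3.0/24")],
    "B->A": CURRENT["B->A"] + [("10.3.3.0/24", "10.1.1.0/24")],
    "B->C": CURRENT["B->C"] + [("10.1.1.0/24", "10.3.3.0/24")],
    "C":    CURRENT["C"]    + [("10.3.3.0/24", "10.1.1.0/24")],
}


def path_a_to_c(config, src="10.1.1.10", dst="10.3.3.20"):
    """Check every selector a packet src -> dst (and its reply) must satisfy.

    Outbound at A, inbound at B (A leg, so src/dst are swapped against the
    entry), outbound at B (C leg), and inbound at C. All four must match for
    the packet to get through; the reply path is the mirror image.
    """
    return {
        "A out":    phase2_match(config["A"], src, dst),
        "B in":     phase2_match(config["B->A"], dst, src),
        "B out":    phase2_match(config["B->C"], src, dst),
        "C in":     phase2_match(config["C"], dst, src),
    }


def binat_translate(addr, from_net, to_net):
    """One-to-one (BINAT-style) mapping: keep the host bits, swap the prefix."""
    from_net, to_net = ip_network(from_net), ip_network(to_net)
    assert from_net.prefixlen == to_net.prefixlen, "1:1 NAT needs equal-sized networks"
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def binat_to_c(src="10.1.1.10", dst="10.3.3.20", hub_lan="10.2.2.0/24"):
    """The double-NAT idea: the hub rewrites A's source into the hub prefix
    before sending toward C, so C's unchangeable selector matches. Returns the
    translated source, whether C accepts it, and whether the mapped address
    lands inside the hub's own LAN prefix (the overlap behind the /23 remark).
    """
    mapped = binat_translate(src, "10.1.1.0/24", hub_lan)
    accepted_by_c = phase2_match(CURRENT["C"], dst, mapped) is not None
    overlaps_hub_lan = ip_address(mapped) in ip_network(hub_lan)
    return mapped, accepted_by_c, overlaps_hub_lan


if __name__ == "__main__":
    print("current :", path_a_to_c(CURRENT))   # every hop None: no SA covers A -> C
    print("fixed   :", path_a_to_c(FIXED))     # every hop has a matching entry
    print("binat   :", binat_to_c())           # ('10.2.2.10', True, True)
```

    Run as-is, the first line shows why Site A cannot reach Site C today: no box holds a selector that covers 10.1.1.x to 10.3.3.x, so the packet is never put into a tunnel. The second line shows all four checks passing once the extra entries exist everywhere, which is exactly why the unreachable Site C box blocks the clean fix. The third line shows the double-NAT variant: the translated packet does fit Site C's existing 10.3.3.0/24 === 10.2.2.0/24 selector, but the mapped addresses land in the same /24 the hub uses for its own LAN, which is the overlap Derelict's "/23 selector, /24 per site" remark is about.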



  • My goal is for the network at Site A (10.1.1.x/24) to be able to reach the network at Site C (10.3.3.x/24), even though the traffic from A will be NATed at Site B and will carry the Site B IP (10.2.2.x/24) instead. Likewise for Site C, whose traffic will carry the Site B IP in order to communicate with the network at Site A.

    Site A (10.1.1.x/24) <-----------> Site B (10.2.2.x/24) <-----------> Site C (10.3.3.x/24)
                            IPSEC & NAT                        IPSEC & NAT

    Perhaps the above illustration will give you some idea. Thank you in advance.