Netgate Discussion Forum
    IPSec Routing with 2 VPNs with same Subnet behind Network

    Routing and Multi WAN
    3 Posts 2 Posters 706 Views
    dynw

      Hi

      I have a problem that I have to solve.
      We have a pfSense 2.3.4p1 firewall on the main site and 2 ZyWall 60 on the customer site. We have an IPSec VPN tunnel for each of the ZyWall 60s; this works fine.
      But on the LAN (10.0.1.0/24) we have 2 terminal servers: one of them has to connect to the webserver 10.200.201.3/24 behind the LAN 10.0.2.0/24, and the other terminal server has to connect to the webserver 10.200.201.3/24 behind the LAN 10.0.3.0/24. I know that I have to do a second Phase 2 on the IPSec connections, but how can I define that Terminal-Server A has to go through the IPSec tunnel to 10.0.2.0/24 and Terminal-Server B has to go through the IPSec tunnel to 10.0.3.0/24? I have the same rule two times in the Phase 2 (Local Subnet: 10.0.1.0/24 to Remote Subnet: 10.200.201.0/24).

```
Terminal-Server A (10.0.1.5) -----|                                   |---- ZyWall60 ---- 10.0.2.0/24 ---- 10.200.201.0/24 ---- Webserver (10.200.201.3)
                                  |---- 10.0.1.0/24 -- pfSense -- WAN --|
Terminal-Server B (10.0.1.6) -----|                                   |---- ZyWall60 ---- 10.0.3.0/24 ---- 10.200.201.0/24 ---- Webserver (10.200.201.3)
```

      Best regards
      dynw

      johnpoz (LAYER 8 Global Moderator)

        Huh??

        So this customer site has a duplicated network 10.200.201/24... And this is downstream of a 10.0.x network? This is not just a transit network? There are hosts on these 10.0.x networks?

        What I would do is fix the customer's site ;) Makes no sense as drawn..

        dynw

          Hi johnpoz

          Thanks for your reply.
          Yes, on the 10.0.x networks there are hosts. But these are two different customers and I can't change the subnet 10.200.201.0/24. I have drawn another picture.
          I think we need policy-based routing with the possibility to define gateways on the IPSec interface.

          ![pfsense routing.jpg](/public/imported_attachments/1/pfsense routing.jpg)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.