IPSec mapping from central location

tgreen

Hi, I have 3 pfSense firewalls setup and functioning with IPSec VPNs back to the central firewall
I would like to route subnet traffic from one remote location to another via the central location.
I'm sure this is elementary for many of you, so I apologize in advance!

For example:
Site A (main centerpoint) 10.0.1.0/24
Site B (Remote locale 1) 10.0.2.0/24
Site C (Remote locale 2) 10.0.3.0/24

IPsec VPN Site A <–> Site B
IPsec VPN Site A <--> Site C
I want Site C to access an IP at Site B without making a VPN from B --> C

Right now If I'm on Site A, I can access Site B and Site C
If I move to Site B or Site C, I can only seem to access Site A
Pretty sure this will boil down to NAT routing, but I'm unfamiliar and not finding documentation or tutorials

Any help/guidance would be greatly appreciated!
Thanks in advance!

Derelict

Additional traffic selector (phase 2 entry) between sites A and B and A and C

Site A to Site B
Local Network 10.0.3.0/24
Remote Network 10.0.2.0/24

Site B to Site A
Local Network 10.0.2.0/24
Remote Network 10.0.3.0/24

Site A to Site C
Local Network 10.0.2.0/24
Remote Network 10.0.3.0/24

Site C to Site A
Local Network 10.0.3.0/24
Remote Network 10.0.2.0/24

And firewall rules on the IPsec tabs that pass the necessary traffic.

tgreen

Thanks for the info Derelict

I've been trying this with no luck so far

IP mapping even shows in the Source/Destination under SPDs

Even checked on "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA." in case that was needed.  No luck as of yet

Probably missing something silly, I'll keep cruising forums and what not

tgreen

Here's all the P2 Mappings:

SITE A - SITE B
P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.2.0/24
P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

SITE B - SITE A
P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.1.0/24
P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

SITE A - SITE C
P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.3.0/24
P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

SITE C - SITE A
P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.1.0/24
P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

Firewall IPsec rules on all 3 have
Protocol Any
Source Any
Destination Any

Firewall LAN rules on all 3 have
Protocol Any
Source Any
Destination Any

Derelict

First off, set all of those .1/24 networks to .0/24 I do not think that is hurting anything but it is improper and makes accuracy sensibilities twitch.

Are the phase 2 networks establishing when there is traffic? If not, look at the logs and see what the complaints are there. The responder is often the best place to look since it will log more information about what it didn't like.

If not already set this way, set VPN > IPsec, Advanced Settings Logging controls to Diag for IKE SA, IKE Child SA, and Configuration Backend. Everything else should be Control.

tgreen

Sorry, the .1's were typos on my part, all are .0's

Not sure what to locate in the Logs (Diag for IKE SA, IKE Child SA, and Configuration Backend. Everything else should be Control were all set on all units)

Perhaps I'm not testing in an adequate way.  I'm trying to ping the LAN on site C from the LAN on Site B

I'll keep trying though

Derelict

Are the phase 2 tunnels even establishing? Status > IPsec

tgreen

I don't think so.  The Status shows the VPN is connected and below (+ Show child SA entries) only has the primary connection, not the second P2 at all

From Site B to Site A (10.0.2.0/24 –> 10.0.1.0/24)

• Show child SA entries
  10.0.2.0/24
  Local: c95ed0dc
  Remote: c244309d 10.0.1.0/24
  Rekey: 228 seconds (00:03:48)
  Life: 1181 seconds (00:19:41)
  Install: 2419 seconds (00:40:19) AES_CBC
  HMAC_SHA1_96
  IPComp: none Bytes-In: 3,024 (3 KiB)
  Packets-In: 36
  Bytes-Out: 10,944 (11 KiB)
  Packets-Out: 72

Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24)

In the SPDs of Site A 10.0.1.0/24 (Central Location)

Source Destination Direction Protocol
10.0.2.0/24 10.0.1.0/24 ◄ Inbound ESP
10.0.3.0/24 10.0.1.0/24 ◄ Inbound ESP
10.0.1.0/24 10.0.2.0/24 ► Outbound ESP
10.0.1.0/24 10.0.3.0/24 ► Outbound ESP

In the SPDs of Site B 10.0.2.0/24

Source Destination Direction Protocol
10.0.1.0/24 10.0.2.0/24 ◄ Inbound ESP
10.0.3.0/24 10.0.2.0/24 ◄ Inbound ESP
10.0.2.0/24 10.0.1.0/24 ► Outbound ESP
10.0.2.0/24 10.0.3.0/24 ► Outbound ESP

In the SPDs of Site C 10.0.3.0/24

Source Destination Direction Protocol
10.0.1.0/24 10.0.3.0/24 ◄ Inbound ESP
10.0.2.0/24 10.0.3.0/24 ◄ Inbound ESP
10.0.3.0/24 10.0.1.0/24 ► Outbound ESP
10.0.3.0/24 10.0.2.0/24 ► Outbound ESP

Not sure if that is helpful at all though!

Derelict

Those look OK but if the second P2 isn't coming up it's not going to work. Look for errors in Status > System Logs, IPsec

https://doc.pfsense.org/index.php/IPsec_Troubleshooting

tgreen

Ok, so I went through the TS guide and wasn't really finding much that coincided.  One issue being that the IPSec log is limited to 50 latest and there is a lot of 'fill' in the log.  I did however locate a "No Match" in the Set 2 log.  Not sure what it's trying to match exactly here, but it looks like the Site A is not passing back a properly.  I put the whole log here in case there's something of importance (and replaced private info)

Time Process PID Message
Jan 10 10:24:44 charon 01[CFG] vici client 6 disconnected
Jan 10 10:24:44 charon 11[IKE] <con1|4>nothing to initiate
Jan 10 10:24:44 charon 11[IKE] <con1|4>activating new tasks
Jan 10 10:24:44 charon 11[IKE] <con1|4>received AUTH_LIFETIME of 27742s, scheduling reauthentication in 27202s
Jan 10 10:24:44 charon 11[CHD] <con1|4>CHILD_SA con1{5} state change: INSTALLING => INSTALLED
Jan 10 10:24:44 charon 11[IKE] <con1|4>CHILD_SA con1{5} established with SPIs c558505d_i cd7d0aa4_o and TS 10.0.2.0/24|/0 === 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CHD] <con1|4>SPI 0xcd7d0aa4, src 74.XX.XX.XX dst 75.XX.XX.XX
Jan 10 10:24:44 charon 11[CHD] <con1|4>adding outbound ESP SA
Jan 10 10:24:44 charon 11[CHD] <con1|4>SPI 0xc558505d, src 75.XX.XX.XX dst 74.XX.XX.XX
Jan 10 10:24:44 charon 11[CHD] <con1|4>adding inbound ESP SA
Jan 10 10:24:44 charon 11[CHD] <con1|4>using HMAC_SHA1_96 for integrity
Jan 10 10:24:44 charon 11[CHD] <con1|4>using AES_CBC for encryption
Jan 10 10:24:44 charon 11[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => INSTALLING
Here
Jan 10 10:24:44 charon 11[CFG] <con1|4>config: 10.0.3.0/24|/0, received: 10.0.1.0/24|/0 => no match</con1|4>
Jan 10 10:24:44 charon 11[CFG] <con1|4>config: 10.0.1.0/24|/0, received: 10.0.1.0/24|/0 => match: 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4>selecting traffic selectors for other:
Jan 10 10:24:44 charon 11[CFG] <con1|4>config: 10.0.2.0/24|/0, received: 10.0.2.0/24|/0 => match: 10.0.2.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4>selecting traffic selectors for us:
Jan 10 10:24:44 charon 11[CFG] <con1|4>selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4>received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4>proposal matches
Jan 10 10:24:44 charon 11[CFG] <con1|4>selecting proposal:
Jan 10 10:24:44 charon 11[IKE] <con1|4>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 10 10:24:44 charon 11[IKE] <con1|4>maximum IKE_SA lifetime 28540s
Jan 10 10:24:44 charon 11[IKE] <con1|4>scheduling reauthentication in 28000s
Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => ESTABLISHED
Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_SA con1[4] established between 74.XX.XX.XX[siteB.somename.net]…75.XX.XX.XX[siteA.somename.net]
Jan 10 10:24:44 charon 11[IKE] <con1|4>authentication of 'siteA.somename.net' with pre-shared key successful
Jan 10 10:24:44 charon 11[IKE] <con1|4>received ESP_TFC_PADDING_NOT_SUPPORTED notify
Jan 10 10:24:44 charon 11[ENC] <con1|4>parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
Jan 10 10:24:44 charon 16[CFG] vici client 6 requests: list-sas
Jan 10 10:24:44 charon 12[CFG] vici client 6 registered for: list-sa
Jan 10 10:24:44 charon 13[CFG] vici client 6 connected
Jan 10 10:24:44 charon 11[NET] <con1|4>received packet: from 75.XX.XX.XX[4500] to 74.XX.XX.XX[4500] (236 bytes)
Jan 10 10:24:44 charon 11[NET] <con1|4>sending packet: from 74.XX.XX.XX[4500] to 75.XX.XX.XX[4500] (380 bytes)
Jan 10 10:24:44 charon 11[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 10 10:24:44 charon 11[IKE] <con1|4>establishing CHILD_SA con1{5}
Jan 10 10:24:44 charon 11[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 10 10:24:44 charon 11[CFG] <con1|4>10.0.3.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4>10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4>proposing traffic selectors for other:
Jan 10 10:24:44 charon 11[CFG] <con1|4>10.0.2.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4>proposing traffic selectors for us:
Jan 10 10:24:44 charon 11[IKE] <con1|4>successfully created shared key MAC
Jan 10 10:24:44 charon 11[IKE] <con1|4>authentication of 'siteB.somename.net' (myself) with pre-shared key
Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_AUTH task
Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_CERT_PRE task
Jan 10 10:24:44 charon 11[IKE] <con1|4>reinitiating already active tasks
Jan 10 10:24:44 charon 11[IKE] <con1|4>remote host is behind NAT</con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4>

Derelict

Looks like your local and remote selectors are not right on the other side of that connection.

Not showing anything for the second P2 (10.0.2.0/24 –> 10.0.3.0/24)

Yeah, you're right. Sorry I missed it.

It looks like Site A is missing these:

SITE A - SITE B     
P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

SITE A - SITE C
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

There should be two phase 2 entries on site A for each site.

tgreen

There we go, now it's rocking.  For anyone that stumbles here looking for the same needs, here's all the P2 Mappings:

Site A (main centerpoint) 10.0.1.0/24
Site B (Remote locale 1) 10.0.2.0/24
Site C (Remote locale 2) 10.0.3.0/24

IPsec VPN Site A <–> Site B
IPsec VPN Site A <--> Site C
Goal if for Site C to access an IP at Site B without making a VPN from B --> C

SITE A - SITE B     
P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.2.0/24
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

SITE B - SITE A     
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.1.0/24
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

SITE A - SITE C     
P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.3.0/24
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

SITE C - SITE A     
P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.1.0/24
P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

Firewall IPsec rules on all 3 have
Protocol      Any
Source      Any
Destination  Any

Firewall LAN rules on all 3 have
Protocol      Any
Source      Any
Destination  Any

Derelict

That doesn't look right either.

SITE A - SITE B   
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

SITE A - SITE C   
P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

Don't want the same traffic selector on SITE A to two different sites.