    IPSec mapping from central location

    IPsec
    tgreen wrote:

      Hi, I have 3 pfSense firewalls set up and functioning with IPsec VPNs back to the central firewall.
      I would like to route subnet traffic from one remote location to another via the central location.
      I'm sure this is elementary for many of you, so I apologize in advance!

      For example:
      Site A (main centerpoint) 10.0.1.0/24
      Site B (Remote locale 1) 10.0.2.0/24
      Site C (Remote locale 2) 10.0.3.0/24

      IPsec VPN Site A <--> Site B
      IPsec VPN Site A <--> Site C
      I want Site C to access an IP at Site B without making a VPN from B --> C

      Right now, if I'm on Site A, I can access Site B and Site C.
      If I move to Site B or Site C, I can only seem to access Site A.
      Pretty sure this will boil down to NAT routing, but I'm unfamiliar with it and not finding documentation or tutorials.

      Any help/guidance would be greatly appreciated!
      Thanks in advance!

      Derelict (LAYER 8 Netgate) wrote:

        Additional traffic selectors (phase 2 entries) between sites A and B, and between A and C:

        Site A to Site B
        Local Network 10.0.3.0/24
        Remote Network 10.0.2.0/24

        Site B to Site A
        Local Network 10.0.2.0/24
        Remote Network 10.0.3.0/24

        Site A to Site C
        Local Network 10.0.2.0/24
        Remote Network 10.0.3.0/24

        Site C to Site A
        Local Network 10.0.3.0/24
        Remote Network 10.0.2.0/24

        And firewall rules on the IPsec tabs that pass the necessary traffic.

        tgreen wrote:

          Thanks for the info Derelict

          I've been trying this with no luck so far

          IP mapping even shows in the Source/Destination under SPDs

          Even checked "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA." in case that was needed. No luck as of yet.

          Probably missing something silly, I'll keep cruising forums and what not

          tgreen wrote:

            Here's all the P2 Mappings:

            SITE A - SITE B
            P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.2.0/24
            P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

            SITE B - SITE A
            P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.1.0/24
            P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

            SITE A - SITE C
            P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.3.0/24
            P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

            SITE C - SITE A
            P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.1.0/24
            P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

            Firewall IPsec rules on all 3 have
            Protocol Any
            Source Any
            Destination Any

            Firewall LAN rules on all 3 have
            Protocol Any
            Source Any
            Destination Any

            Derelict (LAYER 8 Netgate) wrote:

              First off, set all of those .1/24 networks to .0/24. I do not think that is hurting anything, but it is improper and makes accuracy sensibilities twitch.

              Are the phase 2 networks establishing when there is traffic? If not, look at the logs and see what the complaints are there. The responder is often the best place to look since it will log more information about what it didn't like.

              If not already set this way, set VPN > IPsec, Advanced Settings Logging controls to Diag for IKE SA, IKE Child SA, and Configuration Backend. Everything else should be Control.

              tgreen wrote:

                Sorry, the .1's were typos on my part, all are .0's

                Not sure what to look for in the logs (Diag for IKE SA, IKE Child SA, and Configuration Backend, with everything else on Control, was already set on all units).

                Perhaps I'm not testing in an adequate way. I'm trying to ping the LAN on Site C from the LAN on Site B.

                I'll keep trying though

                Derelict (LAYER 8 Netgate) wrote:

                  Are the phase 2 tunnels even establishing? Status > IPsec

                  tgreen wrote:

                    I don't think so. The Status shows the VPN is connected, and below it (+ Show child SA entries) only has the primary connection, not the second P2 at all.

                    From Site B to Site A (10.0.2.0/24 --> 10.0.1.0/24)

                    Show child SA entries
                      Local: c95ed0dc    10.0.2.0/24
                      Remote: c244309d   10.0.1.0/24
                      Rekey: 228 seconds (00:03:48)
                      Life: 1181 seconds (00:19:41)
                      Install: 2419 seconds (00:40:19)
                      AES_CBC / HMAC_SHA1_96
                      IPComp: none
                      Bytes-In: 3,024 (3 KiB), Packets-In: 36
                      Bytes-Out: 10,944 (11 KiB), Packets-Out: 72

                    Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24)

                    In the SPDs of Site A 10.0.1.0/24 (Central Location)

                    Source Destination Direction Protocol
                    10.0.2.0/24 10.0.1.0/24 ◄ Inbound ESP
                    10.0.3.0/24 10.0.1.0/24 ◄ Inbound ESP
                    10.0.1.0/24 10.0.2.0/24 ► Outbound ESP
                    10.0.1.0/24 10.0.3.0/24 ► Outbound ESP

                    In the SPDs of Site B 10.0.2.0/24

                    Source Destination Direction Protocol
                    10.0.1.0/24 10.0.2.0/24 ◄ Inbound ESP
                    10.0.3.0/24 10.0.2.0/24 ◄ Inbound ESP
                    10.0.2.0/24 10.0.1.0/24 ► Outbound ESP
                    10.0.2.0/24 10.0.3.0/24 ► Outbound ESP

                    In the SPDs of Site C 10.0.3.0/24

                    Source Destination Direction Protocol
                    10.0.1.0/24 10.0.3.0/24 ◄ Inbound ESP
                    10.0.2.0/24 10.0.3.0/24 ◄ Inbound ESP
                    10.0.3.0/24 10.0.1.0/24 ► Outbound ESP
                    10.0.3.0/24 10.0.2.0/24 ► Outbound ESP

                    Not sure if that is helpful at all though!

                      Derelict (LAYER 8 Netgate) wrote:

                      Those look OK but if the second P2 isn't coming up it's not going to work. Look for errors in Status > System Logs, IPsec

                      https://doc.pfsense.org/index.php/IPsec_Troubleshooting

                        tgreen wrote:

                        Ok, so I went through the TS guide and wasn't really finding much that coincided. One issue being that the IPSec log is limited to the 50 latest entries and there is a lot of 'fill' in the log. I did however locate a "No Match" in the Set 2 log. Not sure what it's trying to match exactly here, but it looks like Site A is not passing back properly. I put the whole log here in case there's something of importance (and replaced private info).

                        Time Process PID Message
                        Jan 10 10:24:44 charon 01[CFG] vici client 6 disconnected
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> nothing to initiate
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> activating new tasks
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> received AUTH_LIFETIME of 27742s, scheduling reauthentication in 27202s
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> CHILD_SA con1{5} state change: INSTALLING => INSTALLED
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> CHILD_SA con1{5} established with SPIs c558505d_i cd7d0aa4_o and TS 10.0.2.0/24|/0 === 10.0.1.0/24|/0
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> SPI 0xcd7d0aa4, src 74.XX.XX.XX dst 75.XX.XX.XX
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> adding outbound ESP SA
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> SPI 0xc558505d, src 75.XX.XX.XX dst 74.XX.XX.XX
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> adding inbound ESP SA
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> using HMAC_SHA1_96 for integrity
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> using AES_CBC for encryption
                        Jan 10 10:24:44 charon 11[CHD] <con1|4> CHILD_SA con1{5} state change: CREATED => INSTALLING
                        Here
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.3.0/24|/0, received: 10.0.1.0/24|/0 => no match
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.1.0/24|/0, received: 10.0.1.0/24|/0 => match: 10.0.1.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting traffic selectors for other:
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.2.0/24|/0, received: 10.0.2.0/24|/0 => match: 10.0.2.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting traffic selectors for us:
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> proposal matches
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting proposal:
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> maximum IKE_SA lifetime 28540s
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> scheduling reauthentication in 28000s
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_SA con1[4] state change: CONNECTING => ESTABLISHED
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_SA con1[4] established between 74.XX.XX.XX[siteB.somename.net]...75.XX.XX.XX[siteA.somename.net]
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> authentication of 'siteA.somename.net' with pre-shared key successful
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> received ESP_TFC_PADDING_NOT_SUPPORTED notify
                        Jan 10 10:24:44 charon 11[ENC] <con1|4> parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
                        Jan 10 10:24:44 charon 16[CFG] vici client 6 requests: list-sas
                        Jan 10 10:24:44 charon 12[CFG] vici client 6 registered for: list-sa
                        Jan 10 10:24:44 charon 13[CFG] vici client 6 connected
                        Jan 10 10:24:44 charon 11[NET] <con1|4> received packet: from 75.XX.XX.XX[4500] to 74.XX.XX.XX[4500] (236 bytes)
                        Jan 10 10:24:44 charon 11[NET] <con1|4> sending packet: from 74.XX.XX.XX[4500] to 75.XX.XX.XX[4500] (380 bytes)
                        Jan 10 10:24:44 charon 11[ENC] <con1|4> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> establishing CHILD_SA con1{5}
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.3.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.1.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> proposing traffic selectors for other:
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.2.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4> proposing traffic selectors for us:
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> successfully created shared key MAC
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> authentication of 'siteB.somename.net' (myself) with pre-shared key
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_AUTH task
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> IKE_CERT_PRE task
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> reinitiating already active tasks
                        Jan 10 10:24:44 charon 11[IKE] <con1|4> remote host is behind NAT

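The posted log is read bottom-up (the pfSense viewer shows the newest line first), and the diagnostic line is the "config: 10.0.3.0/24|/0, received: 10.0.1.0/24|/0 => no match" under "selecting traffic selectors for other:", meaning the peer returned only 10.0.1.0/24 for the remote side. The following script is an added example (not pfSense or strongSwan code) that restores chronological order, pulls the proposed, matched and unmatched selectors out of charon's CFG lines, and names the phase 2 entry to verify on the peer. The sample log embedded in it is constructed from the lines above; the regexes assume charon's default log line shapes for these messages.

```python
"""Triage strongSwan (charon) traffic selector negotiation in a pfSense IPsec log.

Added example for this thread; not pfSense or strongSwan code. The pfSense
log viewer lists the newest entry first, so the parser restores
chronological order, then records which selectors each side proposed,
which ones the peer returned, and which came back "=> no match".
"""
import re

# Constructed sample modelled on the lines posted above, newest first; the
# header line stands in for the viewer's non-log text that must be skipped.
SAMPLE_LOG = """\
Time Process PID Message
Jan 10 10:24:44 charon 11[IKE] <con1|4> CHILD_SA con1{5} established with SPIs c558505d_i cd7d0aa4_o and TS 10.0.2.0/24|/0 === 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.3.0/24|/0, received: 10.0.1.0/24|/0 => no match
Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.1.0/24|/0, received: 10.0.1.0/24|/0 => match: 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting traffic selectors for other:
Jan 10 10:24:44 charon 11[CFG] <con1|4> config: 10.0.2.0/24|/0, received: 10.0.2.0/24|/0 => match: 10.0.2.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> selecting traffic selectors for us:
Jan 10 10:24:44 charon 11[IKE] <con1|4> establishing CHILD_SA con1{5}
Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.3.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.1.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> proposing traffic selectors for other:
Jan 10 10:24:44 charon 11[CFG] <con1|4> 10.0.2.0/24|/0
Jan 10 10:24:44 charon 11[CFG] <con1|4> proposing traffic selectors for us:
"""

# "Jan 10 10:24:44 charon 11[CFG] <con1|4> message"; the <conn|ike-id> part is
# absent on lines that do not belong to an IKE_SA (e.g. vici client messages).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon (?P<thr>\d+)\[(?P<sub>\w+)\]"
    r"(?: <(?P<conn>[^>]+)>)? ?(?P<msg>.*)$"
)
PHASE_RE = re.compile(r"^(?P<what>proposing|selecting) traffic selectors for (?P<side>us|other):$")
PROPOSED_RE = re.compile(r"^(?P<sel>\S+\|/\S+)$")          # bare "10.0.3.0/24|/0" line
SELECT_RE = re.compile(r"^config: (?P<cfg>\S+), received: (?P<rcv>\S+) => (?P<result>no match|match: \S+)$")
CHILD_RE = re.compile(r"^CHILD_SA \S+ established with SPIs \S+ \S+ and TS (?P<us>\S+) === (?P<other>\S+)$")


def subnet(selector):
    """'10.0.3.0/24|/0' -> '10.0.3.0/24' (drop the protocol/port part)."""
    return selector.split("|", 1)[0]


def analyse(log_text):
    """Walk a newest-first pfSense IPsec log and return a selector report."""
    report = {
        "proposed": {"us": [], "other": []},
        "matched": {"us": [], "other": []},
        "unmatched": {"us": [], "other": []},   # (configured, received) pairs
        "established": [],                      # (us, other) per child SA
    }
    phase = None  # (what, side) of the CFG block we are currently inside
    for raw in reversed(log_text.splitlines()):   # restore chronological order
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                              # viewer header, markers, etc.
        msg = m.group("msg").strip()
        p = PHASE_RE.match(msg)
        if p:
            phase = (p.group("what"), p.group("side"))
            continue
        c = CHILD_RE.match(msg)
        if c:
            report["established"].append((subnet(c.group("us")), subnet(c.group("other"))))
            phase = None
            continue
        if phase is None:
            continue
        what, side = phase
        s = SELECT_RE.match(msg)
        if s and what == "selecting":
            cfg, rcv = subnet(s.group("cfg")), subnet(s.group("rcv"))
            if s.group("result") == "no match":
                report["unmatched"][side].append((cfg, rcv))
            else:
                report["matched"][side].append(cfg)
            continue
        q = PROPOSED_RE.match(msg)
        if q and what == "proposing":
            report["proposed"][side].append(subnet(q.group("sel")))
    return report


def diagnose(report):
    """Turn the report into the checks an admin would act on."""
    findings = []
    local = ", ".join(report["proposed"]["us"]) or "?"
    for cfg, rcv in report["unmatched"]["other"]:
        findings.append(f"peer narrowed remote selector {cfg} to {rcv}: verify the peer "
                        f"has a phase 2 entry with Local {cfg} and Remote {local}")
    for cfg, rcv in report["unmatched"]["us"]:
        findings.append(f"peer narrowed local selector {cfg} to {rcv}: verify the peer "
                        f"has a phase 2 entry with Remote {cfg}")
    for us, other in report["established"]:
        findings.append(f"child SA installed for {us} === {other}")
    return findings


if __name__ == "__main__":
    for line in diagnose(analyse(SAMPLE_LOG)):
        print(line)
```

Run it against a log copied from Status > System Logs, IPsec (with the logging levels Derelict lists above); a "no match" under "for other" points at a missing mirror entry on the responder, which is exactly the entry that turned out to be missing on Site A in this thread.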
                          Derelict (LAYER 8 Netgate) wrote:

                          Looks like your local and remote selectors are not right on the other side of that connection.

                          Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24)

                          Yeah, you're right. Sorry I missed it.

                          It looks like Site A is missing these:

                          SITE A - SITE B     
                          P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                          SITE A - SITE C
                          P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                          There should be two phase 2 entries on site A for each site.

                            tgreen wrote:

                            There we go, now it's rocking. For anyone that stumbles here looking for the same needs, here's all the P2 mappings:

                            Site A (main centerpoint) 10.0.1.0/24
                            Site B (Remote locale 1) 10.0.2.0/24
                            Site C (Remote locale 2) 10.0.3.0/24

                            IPsec VPN Site A <--> Site B
                            IPsec VPN Site A <--> Site C
                            Goal is for Site C to access an IP at Site B without making a VPN from B --> C

                            SITE A - SITE B     
                            P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.2.0/24
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                            SITE B - SITE A     
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.1.0/24
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                            SITE A - SITE C     
                            P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.3.0/24
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                            SITE C - SITE A     
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.1.0/24
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                            Firewall IPsec rules on all 3 have
                            Protocol      Any
                            Source      Any
                            Destination  Any

                            Firewall LAN rules on all 3 have
                            Protocol      Any
                            Source      Any
                            Destination  Any

                              Derelict (LAYER 8 Netgate) wrote:

                              That doesn't look right either.

                              SITE A - SITE B   
                              P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                              SITE A - SITE C   
                              P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                              Don't want the same traffic selector on SITE A to two different sites.

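The rules that emerge from the exchange are: every phase 2 entry (Local Network / Remote Network pair) on one side needs its mirror on the far side, and the hub must not carry the same selector toward two different spokes. The checker below is an added example (not pfSense code) that applies both rules to the tables posted in the "now it's rocking" reply, constructed inline with the thread's site names and subnets, and also generates the full hub-and-spoke table for any number of spokes so a config can be diffed against it. It only checks selectors; what actually passes is still decided by the rules on the IPsec tab, which in this thread are any/any on all three firewalls.

```python
"""Hub-and-spoke IPsec phase 2 (traffic selector) table checker.

Added example for this thread; not pfSense code. Each pfSense phase 2 entry
is modelled as a (Local Network, Remote Network) pair on a given tunnel.
Site names and subnets are the ones from the thread; the checker itself
works for any number of spokes.
"""

HUB, HUB_LAN = "A", "10.0.1.0/24"
SPOKES = {"B": "10.0.2.0/24", "C": "10.0.3.0/24"}

# Constructed from the "now it's rocking" post above, including the two
# hub entries Derelict then flagged as duplicates.
FINAL_POST = {
    ("A", "B"): {("10.0.1.0/24", "10.0.2.0/24"),
                 ("10.0.2.0/24", "10.0.3.0/24"),
                 ("10.0.3.0/24", "10.0.2.0/24")},
    ("B", "A"): {("10.0.2.0/24", "10.0.1.0/24"),
                 ("10.0.2.0/24", "10.0.3.0/24")},
    ("A", "C"): {("10.0.1.0/24", "10.0.3.0/24"),
                 ("10.0.2.0/24", "10.0.3.0/24"),
                 ("10.0.3.0/24", "10.0.2.0/24")},
    ("C", "A"): {("10.0.3.0/24", "10.0.1.0/24"),
                 ("10.0.3.0/24", "10.0.2.0/24")},
}


def expected_p2(hub, hub_lan, spokes):
    """Phase 2 entries a hub-and-spoke design needs.

    Returns {(local_site, remote_site): {(local_net, remote_net), ...}}.
    On the hub, each spoke tunnel carries the hub LAN plus every other
    spoke's LAN as Local Network; the spoke mirrors each of those entries.
    """
    tables = {}
    for name, lan in spokes.items():
        others = [other_lan for other, other_lan in spokes.items() if other != name]
        tables[(hub, name)] = {(hub_lan, lan)} | {(o, lan) for o in others}
        tables[(name, hub)] = {(lan, hub_lan)} | {(lan, o) for o in others}
    return tables


def check_p2(tables):
    """Return sorted problem strings; an empty list means the tables are consistent."""
    problems = []
    # Rule 1: every entry needs its mirror on the far side, otherwise the
    # responder narrows the selector and no child SA ever covers it
    # (the "config: 10.0.3.0/24 ... => no match" line in the log above).
    for (a, b), entries in tables.items():
        far = tables.get((b, a), set())
        for ln, rn in entries:
            if (rn, ln) not in far:
                problems.append(f"{a}->{b}: {ln} -> {rn} has no mirror entry on {b}")
    # Rule 2: one site must not carry the same (local, remote) selector
    # toward two different peers; the resulting SPD policies would overlap.
    first_peer = {}
    for (a, b), entries in tables.items():
        for pair in entries:
            peer = first_peer.setdefault((a, pair), b)
            if peer != b:
                problems.append(
                    f"{a}: selector {pair[0]} -> {pair[1]} appears toward both {peer} and {b}")
    return sorted(problems)


def diff_against_design(tables, hub, hub_lan, spokes):
    """(missing, extra) entries per tunnel relative to the generated design."""
    want = expected_p2(hub, hub_lan, spokes)
    missing = {k: sorted(v - tables.get(k, set())) for k, v in want.items()}
    extra = {k: sorted(v - want.get(k, set())) for k, v in tables.items()}
    return ({k: v for k, v in missing.items() if v},
            {k: v for k, v in extra.items() if v})


if __name__ == "__main__":
    for line in check_p2(FINAL_POST):
        print(line)
    missing, extra = diff_against_design(FINAL_POST, HUB, HUB_LAN, SPOKES)
    print("missing:", missing)
    print("extra:", extra)
```

On the posted tables it reports four problems: the two hub entries with no mirror on the spoke and the same two entries flagged as duplicated across tunnels; the design diff shows nothing missing and exactly those two entries as extra. Removing them leaves Derelict's original answer, which the checker accepts.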