Netgate Discussion Forum

    IPSec mapping from central location

    • T
      tgreen

      Hi, I have 3 pfSense firewalls set up and functioning with IPSec VPNs back to the central firewall.
      I would like to route subnet traffic from one remote location to another via the central location.
      I'm sure this is elementary for many of you, so I apologize in advance!

      For example:
      Site A (main centerpoint) 10.0.1.0/24
      Site B (Remote locale 1) 10.0.2.0/24
      Site C (Remote locale 2) 10.0.3.0/24

      IPsec VPN Site A <--> Site B
      IPsec VPN Site A <--> Site C
      I want Site C to access an IP at Site B without making a VPN from B --> C.

      Right now, if I'm on Site A, I can access Site B and Site C.
      If I move to Site B or Site C, I can only seem to access Site A.
      Pretty sure this will boil down to NAT routing, but I'm unfamiliar and not finding documentation or tutorials.

      Any help/guidance would be greatly appreciated!
      Thanks in advance!

      • DerelictD
        Derelict LAYER 8 Netgate

        Additional traffic selector (phase 2 entry) between sites A and B and A and C

        Site A to Site B
        Local Network 10.0.3.0/24
        Remote Network 10.0.2.0/24

        Site B to Site A
        Local Network 10.0.2.0/24
        Remote Network 10.0.3.0/24

        Site A to Site C
        Local Network 10.0.2.0/24
        Remote Network 10.0.3.0/24

        Site C to Site A
        Local Network 10.0.3.0/24
        Remote Network 10.0.2.0/24

        And firewall rules on the IPsec tabs that pass the necessary traffic.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • T
          tgreen

          Thanks for the info, Derelict.

          I've been trying this with no luck so far.

          IP mapping even shows in the Source/Destination under SPDs.

          Even checked "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA." in case that was needed. No luck as of yet.

          Probably missing something silly, I'll keep cruising forums and whatnot.

          • T
            tgreen

            Here's all the P2 Mappings:

            SITE A - SITE B
            P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.2.0/24
            P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

            SITE B - SITE A
            P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.1.0/24
            P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

            SITE A - SITE C
            P2 Tunnel LN - 10.0.1.0/24 RN - 10.0.3.0/24
            P2 Tunnel LN - 10.0.2.0/24 RN - 10.0.3.0/24

            SITE C - SITE A
            P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.1.0/24
            P2 Tunnel LN - 10.0.3.0/24 RN - 10.0.2.0/24

            Firewall IPsec rules on all 3 have
            Protocol Any
            Source Any
            Destination Any

            Firewall LAN rules on all 3 have
            Protocol Any
            Source Any
            Destination Any

            • DerelictD
              Derelict LAYER 8 Netgate

              First off, set all of those .1/24 networks to .0/24. I do not think that is hurting anything, but it is improper and makes accuracy sensibilities twitch.

              Are the phase 2 networks establishing when there is traffic? If not, look at the logs and see what the complaints are there. The responder is often the best place to look since it will log more information about what it didn't like.

              If not already set this way, set VPN > IPsec, Advanced Settings, Logging controls to Diag for IKE SA, IKE Child SA, and Configuration Backend. Everything else should be Control.


              • T
                tgreen

                Sorry, the .1's were typos on my part, all are .0's.

                Not sure what to locate in the logs (Diag for IKE SA, IKE Child SA, and Configuration Backend, with everything else set to Control, was already set on all units).

                Perhaps I'm not testing in an adequate way. I'm trying to ping the LAN on Site C from the LAN on Site B.

                I'll keep trying though

                • DerelictD
                  Derelict LAYER 8 Netgate

                  Are the phase 2 tunnels even establishing? Status > IPsec


                  • T
                    tgreen

                    I don't think so. The Status shows the VPN is connected, and below (+ Show child SA entries) only has the primary connection, not the second P2 at all.

                    From Site B to Site A (10.0.2.0/24 --> 10.0.1.0/24)

                    Show child SA entries:
                      Local: c95ed0dc   10.0.2.0/24
                      Remote: c244309d  10.0.1.0/24
                      Rekey: 228 seconds (00:03:48)
                      Life: 1181 seconds (00:19:41)
                      Install: 2419 seconds (00:40:19)
                      AES_CBC / HMAC_SHA1_96
                      IPComp: none
                      Bytes-In: 3,024 (3 KiB)    Packets-In: 36
                      Bytes-Out: 10,944 (11 KiB) Packets-Out: 72

                    Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24).

                    In the SPDs of Site A 10.0.1.0/24 (Central Location)

                    Source Destination Direction Protocol
                    10.0.2.0/24 10.0.1.0/24 ◄ Inbound ESP
                    10.0.3.0/24 10.0.1.0/24 ◄ Inbound ESP
                    10.0.1.0/24 10.0.2.0/24 ► Outbound ESP
                    10.0.1.0/24 10.0.3.0/24 ► Outbound ESP

                    In the SPDs of Site B 10.0.2.0/24

                    Source Destination Direction Protocol
                    10.0.1.0/24 10.0.2.0/24 ◄ Inbound ESP
                    10.0.3.0/24 10.0.2.0/24 ◄ Inbound ESP
                    10.0.2.0/24 10.0.1.0/24 ► Outbound ESP
                    10.0.2.0/24 10.0.3.0/24 ► Outbound ESP

                    In the SPDs of Site C 10.0.3.0/24

                    Source Destination Direction Protocol
                    10.0.1.0/24 10.0.3.0/24 ◄ Inbound ESP
                    10.0.2.0/24 10.0.3.0/24 ◄ Inbound ESP
                    10.0.3.0/24 10.0.1.0/24 ► Outbound ESP
                    10.0.3.0/24 10.0.2.0/24 ► Outbound ESP

                    Not sure if that is helpful at all though!

                    • DerelictD
                      Derelict LAYER 8 Netgate

                      Those look OK, but if the second P2 isn't coming up it's not going to work. Look for errors in Status > System Logs, IPsec.

                      https://doc.pfsense.org/index.php/IPsec_Troubleshooting


                      • T
                        tgreen

                        Ok, so I went through the TS guide and wasn't really finding much that coincided. One issue being that the IPSec log is limited to the 50 latest entries and there is a lot of 'fill' in the log. I did however locate a "No Match" in the Set 2 log. Not sure what it's trying to match exactly here, but it looks like Site A is not passing back a properly. I put the whole log here in case there's something of importance (and replaced private info).

                        Time Process PID Message
                        Jan 10 10:24:44 charon 01[CFG] vici client 6 disconnected
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>nothing to initiate
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>activating new tasks
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>received AUTH_LIFETIME of 27742s, scheduling reauthentication in 27202s
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>CHILD_SA con1{5} state change: INSTALLING => INSTALLED
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>CHILD_SA con1{5} established with SPIs c558505d_i cd7d0aa4_o and TS 10.0.2.0/24|/0 === 10.0.1.0/24|/0
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>SPI 0xcd7d0aa4, src 74.XX.XX.XX dst 75.XX.XX.XX
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>adding outbound ESP SA
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>SPI 0xc558505d, src 75.XX.XX.XX dst 74.XX.XX.XX
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>adding inbound ESP SA
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>using HMAC_SHA1_96 for integrity
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>using AES_CBC for encryption
                        Jan 10 10:24:44 charon 11[CHD] <con1|4>CHILD_SA con1{5} state change: CREATED => INSTALLING
                        Here
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>config: 10.0.3.0/24|/0, received: 10.0.1.0/24|/0 => no match
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>config: 10.0.1.0/24|/0, received: 10.0.1.0/24|/0 => match: 10.0.1.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>selecting traffic selectors for other:
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>config: 10.0.2.0/24|/0, received: 10.0.2.0/24|/0 => match: 10.0.2.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>selecting traffic selectors for us:
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>proposal matches
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>selecting proposal:
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>maximum IKE_SA lifetime 28540s
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>scheduling reauthentication in 28000s
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => ESTABLISHED
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_SA con1[4] established between 74.XX.XX.XX[siteB.somename.net]…75.XX.XX.XX[siteA.somename.net]
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>authentication of 'siteA.somename.net' with pre-shared key successful
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>received ESP_TFC_PADDING_NOT_SUPPORTED notify
                        Jan 10 10:24:44 charon 11[ENC] <con1|4>parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
                        Jan 10 10:24:44 charon 16[CFG] vici client 6 requests: list-sas
                        Jan 10 10:24:44 charon 12[CFG] vici client 6 registered for: list-sa
                        Jan 10 10:24:44 charon 13[CFG] vici client 6 connected
                        Jan 10 10:24:44 charon 11[NET] <con1|4>received packet: from 75.XX.XX.XX[4500] to 74.XX.XX.XX[4500] (236 bytes)
                        Jan 10 10:24:44 charon 11[NET] <con1|4>sending packet: from 74.XX.XX.XX[4500] to 75.XX.XX.XX[4500] (380 bytes)
                        Jan 10 10:24:44 charon 11[ENC] <con1|4>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>establishing CHILD_SA con1{5}
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>10.0.3.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>10.0.1.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>proposing traffic selectors for other:
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>10.0.2.0/24|/0
                        Jan 10 10:24:44 charon 11[CFG] <con1|4>proposing traffic selectors for us:
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>successfully created shared key MAC
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>authentication of 'siteB.somename.net' (myself) with pre-shared key
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_AUTH task
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>IKE_CERT_PRE task
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>reinitiating already active tasks
                        Jan 10 10:24:44 charon 11[IKE] <con1|4>remote host is behind NAT

                        • DerelictD
                          Derelict LAYER 8 Netgate

                          Looks like your local and remote selectors are not right on the other side of that connection.

                          > Not showing anything for the second P2 (10.0.2.0/24 --> 10.0.3.0/24)

                          Yeah, you're right. Sorry I missed it.

                          It looks like Site A is missing these:

                          SITE A - SITE B     
                          P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                          SITE A - SITE C
                          P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                          There should be two phase 2 entries on site A for each site.


                          • T
                            tgreen

                            There we go, now it's rocking. For anyone that stumbles here looking for the same needs, here are all the P2 mappings:

                            Site A (main centerpoint) 10.0.1.0/24
                            Site B (Remote locale 1) 10.0.2.0/24
                            Site C (Remote locale 2) 10.0.3.0/24

                            IPsec VPN Site A <--> Site B
                            IPsec VPN Site A <--> Site C
                            Goal is for Site C to access an IP at Site B without making a VPN from B --> C.

                            SITE A - SITE B     
                            P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.2.0/24
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                            SITE B - SITE A     
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.1.0/24
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                            SITE A - SITE C     
                            P2 Tunnel  LN - 10.0.1.0/24  RN - 10.0.3.0/24
                            P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                            SITE C - SITE A     
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.1.0/24
                            P2 Tunnel  LN - 10.0.3.0/24  RN - 10.0.2.0/24

                            Firewall IPsec rules on all 3 have
                            Protocol      Any
                            Source      Any
                            Destination  Any

                            Firewall LAN rules on all 3 have
                            Protocol      Any
                            Source      Any
                            Destination  Any

                            • DerelictD
                              Derelict LAYER 8 Netgate

                              That doesn't look right either.

                              SITE A - SITE B   
                              P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                              SITE A - SITE C   
                              P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24

                              Don't want the same traffic selector on SITE A to two different sites.

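Added here as a worked illustration, not code from the thread or from pfSense: a small Python audit that encodes Derelict's two rules (every phase 2 entry needs a mirrored entry with local/remote swapped on the peer, and a site must not offer the same local/remote selector pair toward two different peers), run over the table from the "now it's rocking" post, plus a generator that produces the hub-and-spoke table from his first reply for any number of spokes. Site letters and the function names are my own choices.

```python
import ipaddress
from collections import defaultdict

# Phase 2 table as posted in the "now it's rocking" post
# (constructed from the thread): (site, peer, local_net, remote_net).
POSTED_P2 = [
    ("A", "B", "10.0.1.0/24", "10.0.2.0/24"),
    ("A", "B", "10.0.2.0/24", "10.0.3.0/24"),
    ("A", "B", "10.0.3.0/24", "10.0.2.0/24"),
    ("B", "A", "10.0.2.0/24", "10.0.1.0/24"),
    ("B", "A", "10.0.2.0/24", "10.0.3.0/24"),
    ("A", "C", "10.0.1.0/24", "10.0.3.0/24"),
    ("A", "C", "10.0.2.0/24", "10.0.3.0/24"),
    ("A", "C", "10.0.3.0/24", "10.0.2.0/24"),
    ("C", "A", "10.0.3.0/24", "10.0.1.0/24"),
    ("C", "A", "10.0.3.0/24", "10.0.2.0/24"),
]


def _net(cidr):
    # strict=False turns a host-style "10.0.1.1/24" into the network "10.0.1.0/24"
    # (the .1/24 slip Derelict pointed out earlier in the thread).
    return str(ipaddress.ip_network(cidr, strict=False))


def check_p2(entries):
    """Audit phase 2 entries for the two faults seen in the thread.

    missing_mirror: an entry whose peer has no entry with local/remote swapped,
                    so the two ends never agree on traffic selectors.
    duplicate_selector: one site offering the same local/remote pair toward
                    two different peers, so only one of them can own it.
    """
    norm = {(s, p, _net(l), _net(r)) for s, p, l, r in entries}
    missing = sorted(e for e in norm if (e[1], e[0], e[3], e[2]) not in norm)
    peers_by_selector = defaultdict(set)
    for s, p, l, r in norm:
        peers_by_selector[(s, l, r)].add(p)
    duplicate = sorted((s, l, r, tuple(sorted(ps)))
                       for (s, l, r), ps in peers_by_selector.items() if len(ps) > 1)
    return {"missing_mirror": missing, "duplicate_selector": duplicate}


def hub_spoke_p2(hub, hub_net, spokes):
    """Build the hub-and-spoke table from Derelict's first reply: per spoke, one
    P2 for hub<->spoke plus one P2 per other spoke, mirrored on both ends."""
    entries = []
    for spoke, net in spokes.items():
        entries.append((hub, spoke, hub_net, net))
        entries.append((spoke, hub, net, hub_net))
        for other, other_net in spokes.items():
            if other != spoke:
                entries.append((hub, spoke, other_net, net))  # hub side
                entries.append((spoke, hub, net, other_net))  # spoke side
    return entries


if __name__ == "__main__":
    for kind, items in check_p2(POSTED_P2).items():
        for item in items:
            print(kind, item)
    for e in hub_spoke_p2("A", "10.0.1.0/24", {"B": "10.0.2.0/24", "C": "10.0.3.0/24"}):
        print("correct:", e)
```

Run against the posted table it reports both 10.0.2.0/24 <-> 10.0.3.0/24 pairs as offered by Site A toward two peers, and the two entries on Site A that no spoke mirrors; the generated table for spokes B and C is exactly Derelict's first answer and passes clean.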