Netgate Discussion Forum

IPsec Site-to-Site VPN, about phase 2 tunneling.

bpostaci:

pfSense 2.4.3

IPsec issue.

Configuration

      Site A

WAN public IP: 11.11.11.01
WAN2 public IP: 11.11.11.02 (default gateway)
LAN 192.168.2.0/24 -> pfSense IP: 192.168.2.1
WLAN1 192.168.25.0/24 -> pfSense IP: 192.168.25.1, Wi-Fi AP + RADIUS server (interface 192.168.25.1), EAP-TLS

      Site B
WAN pfSense IP 10.10.25.1 -> public IP: 22.22.22.22 (NAT from a different firewall, almost transparent)
LAN 10.10.35.0 -> pfSense IP: 10.10.35.1

IPsec configuration

Phase 1 IKEv2 over WAN2 is working, and the connection is established. (I will not go into details here, not important.)

If I configure "redirect all traffic" in Phase 2, Site A -> Site B:

Site A Phase 2 configuration
Local Network -> 192.168.25.0/24
Remote Network -> 0.0.0.0/0

Firewall IPsec rule on both boxes:
IPv4 * * * * Allow all

Site B Phase 2 configuration
Local Network -> 0.0.0.0/0
Remote Network -> 192.168.25.0/24

The connections are established.

The problem: WLAN1 users are unable to connect to the access point anymore; DHCP or anything else is not working.
In Site A, on the pfSense box, I cannot ping the interface 192.168.25.1 either.

If I change the configuration as below for one client:

Site A Phase 2 configuration
Local Network -> 192.168.25.135/32
Remote Network -> 0.0.0.0/0

Site B Phase 2 configuration
Local Network -> 0.0.0.0/0
Remote Network -> 192.168.25.135/32

There are no issues with that client (192.168.25.135); "what is my IP" from the browser shows 22.22.22.22.
There is no issue with Wi-Fi AP connectivity for any client.

Questions:

• What kind of configuration am I missing to make it work if I tunnel all WLAN1 subnet traffic (192.168.25.0/24)? (Basically I want them to use Site B's Internet.)
  In Site A, WLAN1 and LAN should continue to access each other.

• What is the best way to make "some of the IPs" in the WLAN1 subnet use Site B's Internet gateway (without configuring another Phase 2 in IPsec for each one)?

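An added model (not code from the post, nor pfSense's or strongSwan's own lookup) of why the 192.168.25.0/24 -> 0.0.0.0/0 phase 2 breaks WLAN1: IPsec policies match on traffic selectors, not on the routing table, so packets to the gateway 192.168.25.1 and to the LAN fall inside 0.0.0.0/0 and are sent into the tunnel. The modelled fix is strongSwan-style passthrough policies for the local subnets (pfSense's IPsec stack is strongSwan); the "most specific selector wins" rule and the sample addresses are assumptions of this example.

```python
import ipaddress

# Constructed model of an IPsec SPD (security policy database): each entry is a
# (local selector, remote selector, action) triple. Assumption: the entry with
# the longest combined prefix wins, which is how strongSwan prioritises its
# kernel policies, so a passthrough entry beats the catch-all 0.0.0.0/0 tunnel.

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def lookup(spd, src, dst):
    """Return the action of the most specific policy matching src->dst, else 'route'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for local, remote, action in spd:
        l, r = _net(local), _net(remote)
        if src in l and dst in r:
            specificity = l.prefixlen + r.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, action)
    return best[1] if best else "route"

# Site A phase 2 exactly as in the post: WLAN1 subnet -> everything.
SITE_A_P2 = [("192.168.25.0/24", "0.0.0.0/0", "tunnel")]

# Same, plus passthrough entries for traffic that must stay local (constructed
# fix): intra-WLAN1 traffic (AP, gateway, DHCP server) and WLAN1 <-> LAN.
SITE_A_P2_BYPASS = SITE_A_P2 + [
    ("192.168.25.0/24", "192.168.25.0/24", "pass"),
    ("192.168.25.0/24", "192.168.2.0/24", "pass"),
]

def classify_traffic(spd):
    """Where representative WLAN1 flows from the post end up under a given SPD."""
    flows = {  # constructed sample flows; 203.0.113.10 is a TEST-NET address
        "client->gateway": ("192.168.25.135", "192.168.25.1"),
        "client->LAN": ("192.168.25.135", "192.168.2.10"),
        "client->Internet": ("192.168.25.135", "203.0.113.10"),
    }
    return {name: lookup(spd, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    print("as posted:   ", classify_traffic(SITE_A_P2))
    print("with bypass: ", classify_traffic(SITE_A_P2_BYPASS))
```

With the posted SPD every flow, including the one to the firewall's own 192.168.25.1, is classified "tunnel"; with the bypass entries only Internet-bound traffic is.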