IPsec Site-to-Site VPN, about Phase 2 tunneling.



  • pfsense 2.4.3

    IPsec issue.
    - Configuration

    Site A

    WAN public IP:  11.11.11.01
    WAN2 Public IP : 11.11.11.02 (Default Gateway)
    LAN 192.168.25.0/24 is not used here; LAN 192.168.2.0/24    -> pfSense IP: 192.168.2.1
    WLAN1 192.168.25.0/24  -> pfSense IP: 192.168.25.1, Wi-Fi AP + RADIUS server (interface 192.168.25.1), EAP-TLS

    Site B
    WAN pfSense IP 10.10.25.1  ->  public IP: 22.22.22.22 (NAT from a different firewall, almost transparent)
    LAN 10.10.35.0  -> pfSense IP: 10.10.35.1

    IPsec Configuration

    Phase 1 IKEv2 over WAN2 is working, and the connection is established. (I will not go into details here; not important.)

    If I configure "redirect all traffic" in Phase 2, Site A -> Site B:

    Site A Phase 2 configuration
    Local Network -> 192.168.25.0/24
    Remote Network -> 0.0.0.0/0

    IPsec firewall rules on both boxes:
    IPv4 * * * *  Allow all

    Site B Phase 2 configuration
    Local Network -> 0.0.0.0/0
    Remote Network -> 192.168.25.0/24

    The connections are established.

    The problem: WLAN1 users are unable to connect to the access point anymore; neither DHCP nor anything else is working.
    At Site A, on the pfSense box, I cannot ping the interface 192.168.25.1 either.

    If I change the configuration as below for one client:

    Site A Phase 2 configuration
    Local Network -> 192.168.25.135/32
    Remote Network -> 0.0.0.0/0

    Site B Phase 2 configuration
    Local Network -> 0.0.0.0/0
    Remote Network -> 192.168.25.135/32

    There are no issues with that client (192.168.25.135); "what is my IP" from the browser shows 22.22.22.22.
    There is no issue with the connectivity of the Wi-Fi AP for all clients.

    Questions?

    • What configuration am I missing to make it work if I tunnel all WLAN1 subnet traffic (192.168.25.0/24)? (Basically I want them to use Site B's Internet.)
      At Site A, WLAN1 and LAN should continue to access each other.

    - What is the best way to make "some of the IPs" in the WLAN1 subnet use the Site B Internet gateway (without configuring another Phase 2 in IPsec for each one)?
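As an added illustration (not code from the post, from pfSense or from strongSwan), the model below reproduces why a Phase 2 of 192.168.25.0/24 -> 0.0.0.0/0 takes the WLAN1 interface and DHCP down while 192.168.25.135/32 -> 0.0.0.0/0 does not. A policy-based IPsec SPD checks every packet against the traffic selectors in both directions: outbound packets whose source is in the local network and destination in the remote network are tunnelled, and cleartext packets arriving with the mirrored match (source in remote, destination in local) are discarded because protection is required for them (RFC 4301). With 0.0.0.0/0 as the remote network, replies from 192.168.25.1 to any client and any cleartext packet addressed to the /24 are caught. The third scenario assumes more-specific "bypass" (passthrough) selector pairs for WLAN1-to-WLAN1 and WLAN1-to-LAN traffic, which win over the catch-all entry by longest combined prefix; that assumption is the mechanism, the exact pfSense knob is not taken from the post. All hosts and the 203.0.113.10 destination are constructed sample values.

```python
"""Policy-based IPsec traffic selector model (added illustration, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    local: IPv4Network    # Phase 2 "Local Network" selector
    remote: IPv4Network   # Phase 2 "Remote Network" selector
    action: str           # "tunnel" or "bypass" (assumed passthrough entry)


def policy(name, local, remote, action="tunnel"):
    return Policy(name, ip_network(local), ip_network(remote), action)


def _most_specific(policies, src, dst, direction):
    """Return the matching policy with the longest combined prefix length.

    Outbound: src must fall in local, dst in remote.
    Inbound:  src must fall in remote, dst in local (the mirrored selector).
    """
    src, dst = ip_address(src), ip_address(dst)
    best, best_spec = None, -1
    for p in policies:
        a, b = (p.local, p.remote) if direction == "out" else (p.remote, p.local)
        if src in a and dst in b:
            spec = p.local.prefixlen + p.remote.prefixlen
            if spec > best_spec:
                best, best_spec = p, spec
    return best


def outbound(policies, src, dst):
    """Fate of a packet sent or forwarded by the firewall: tunnel, bypass or route."""
    p = _most_specific(policies, src, dst, "out")
    return "route" if p is None else p.action


def inbound_cleartext(policies, src, dst):
    """Fate of an unprotected packet arriving on an interface: accept, bypass or drop."""
    p = _most_specific(policies, src, dst, "in")
    if p is None:
        return "accept"
    return "bypass" if p.action == "bypass" else "drop"   # protection required, cleartext discarded


# Constructed sample hosts: the WLAN1 interface, two WLAN1 clients, a LAN host,
# and a TEST-NET-3 address standing in for "the Internet".
WLAN_IF, CLIENT, OTHER_CLIENT = "192.168.25.1", "192.168.25.135", "192.168.25.50"
LAN_HOST, INTERNET = "192.168.2.10", "203.0.113.10"

SUBNET_P2 = [policy("p2-wlan1", "192.168.25.0/24", "0.0.0.0/0")]          # whole-subnet Phase 2
HOST_P2 = [policy("p2-host", "192.168.25.135/32", "0.0.0.0/0")]           # single-client Phase 2
SUBNET_P2_WITH_BYPASS = SUBNET_P2 + [                                      # assumed fix: local traffic bypasses
    policy("bypass-wlan1-self", "192.168.25.0/24", "192.168.25.0/24", "bypass"),
    policy("bypass-wlan1-lan", "192.168.25.0/24", "192.168.2.0/24", "bypass"),
]


def report(policies):
    """Evaluate the flows that matter for the symptoms described in the post."""
    return {
        "client->gw (cleartext in)": inbound_cleartext(policies, CLIENT, WLAN_IF),
        "gw->client (out)": outbound(policies, WLAN_IF, CLIENT),
        "client->lan (out)": outbound(policies, CLIENT, LAN_HOST),
        "lan->client (cleartext in)": inbound_cleartext(policies, LAN_HOST, CLIENT),
        "client->internet (out)": outbound(policies, CLIENT, INTERNET),
        "other->internet (out)": outbound(policies, OTHER_CLIENT, INTERNET),
    }


if __name__ == "__main__":
    for title, pol in (("192.168.25.0/24 -> 0.0.0.0/0", SUBNET_P2),
                       ("192.168.25.135/32 -> 0.0.0.0/0", HOST_P2),
                       ("/24 plus bypass entries", SUBNET_P2_WITH_BYPASS)):
        print(f"== {title}")
        for flow, fate in report(pol).items():
            print(f"  {flow:28s} {fate}")
```

In the first scenario every reply from 192.168.25.1 is tunnelled and every cleartext packet addressed to the /24 (a ping to the interface, a DHCP exchange) is dropped, which matches the observed outage; the /32 scenario only affects that one client, which matches the report that the others keep working; the bypass scenario keeps WLAN1-to-interface and WLAN1-to-LAN traffic in the clear while Internet-bound traffic still goes to Site B.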