[IPSec] VPN with Multi Subnets



  • Hi guys,

    I have the following scenario:

    Company 1: 10.10.0.1 (WAN) | 172.16.4.0/23 (LAN 1) | 172.16.10.0/27 (LAN 2)
    Company 2: 10.10.0.2 (WAN) | 172.16.0.0/23 (LAN 1)

    I wish to connect the two companies via IPSec, which was done:

    Company 1: P1: 10.10.0.1 > P2: 172.16.4.0/23 and P2: 172.16.10.0/27
    Company 2: P1: 10.10.0.2 > P2: 172.16.0.0/23

    IKEv2 protocol.

    When I finish the settings the VPN connects, but only LAN 1 works; I cannot get the LAN 2 traffic to pass through the tunnel.

    What am I doing wrong?



  • Hello,

    Are both firewalls pfSense?
    Please show some logs. What is the status on the status page? Especially SAD/SPD page?

    Try to enable "Split connections" in phase 1 configuration.

    Kind regards



    The images follow as requested; they were taken after the change to "Split Connections".

    Company 1:
    [screenshots: SPD_NJ.PNG, SAD_NJ.PNG]

    Company 2:
    [screenshots: SPD_JM.PNG, SAD_JM.PNG]

    Thanks for your help.

    Kind regards.



  • @rodrigoprazim said in [IPSec] VPN with Multi Subnets:

    Split Connections

    Is Split Connections enabled on both sides? Did you restart the ipsec service and reconnect the tunnel?
    The SPD table looks strange.

    Company 1 SPD:
    There is nothing for 172.16.10....

    Company 2 SPD:
    Why the hell is the tunnel endpoint 10.10.0.2 for the outbound 172.16.10... network?!

    Maybe restart the whole pfSense on both sides and double check the phase 2 configuration. If nothing helps, post the phase 2 configuration screenshots here.



    Thanks for answering. The photos follow as requested.

    Company 1:
    [screenshots: Tunnels_NJ.PNG, Phase1_NJ_1-2.PNG, Phase1_NJ_2-2.PNG]

    Company 2:
    [screenshots: Tunnels_JM.PNG, Phase1_JM_1-2.PNG, Phase1_JM_2-2.PNG]

    Remember, the server was stopped on both sides and then started again.



    You have to create 2 (two) P2s on both sides.
    Currently you have only 1 P2 created on the Company 1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0.




  • @dave-opc said in [IPSec] VPN with Multi Subnets:

    You have to create 2 (two) P2s on both sides.
    Currently you have only 1 P2 created on the Company 1 side. Add another P2 with local 172.16.0.0 and remote 172.16.10.0.

    It is not possible, or rather the system does not let you add 2 P2s with the same configuration; I already tried this.



    It is possible, and it will not be with the same configuration.

    On Company 2 you create the 1st P2 with local 172.16.0.0 and remote 172.16.10.0, and create the 2nd P2 with local 172.16.0.0 and remote 172.16.4.0.
    On Company 1 you create the 1st P2 with local 172.16.4.0 and remote 172.16.0.0, and create the 2nd P2 with local 172.16.10.0 and remote 172.16.0.0.
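    A small consistency check, added here as an example and not part of the thread or of pfSense itself: it parses the Phase 2 local/remote pairs as entered on both firewalls, reports any selector that is not mirrored exactly on the peer, and reports LAN pairs that have no P2 at all. The subnets are the thread's; the "broken" state is reconstructed from the posts (one P2 on Company 1) and the "fixed" state is the configuration in this reply.

    ```python
    import ipaddress
    from typing import Iterable, List, Tuple

    def selectors(p2_entries: Iterable[Tuple[str, str]]) -> set:
        """Parse (local, remote) Phase 2 entries into exact network pairs.
        ip_network() is strict by default, so a selector with host bits set
        (e.g. a typo like 172.16.4.1/23) raises instead of being silently accepted."""
        return {(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in p2_entries}

    def audit_phase2(side1, side2, lans1, lans2) -> List[str]:
        """Report Phase 2 problems between two peers.
        side1/side2: (local, remote) CIDR pairs as entered on Company 1 / Company 2.
        lans1/lans2: LAN networks each side must reach through the tunnel."""
        s1, s2 = selectors(side1), selectors(side2)
        issues = []
        # 1. Every selector must appear reversed on the other peer; an unmirrored
        #    selector is traffic that one side will never match to the tunnel.
        for loc, rem in s1:
            if (rem, loc) not in s2:
                issues.append(f"Company 1 P2 {loc} <-> {rem} has no mirror on Company 2")
        for loc, rem in s2:
            if (rem, loc) not in s1:
                issues.append(f"Company 2 P2 {loc} <-> {rem} has no mirror on Company 1")
        # 2. Every LAN pair that should talk needs its own P2 (checked on Company 1;
        #    the mirror check above then covers Company 2).
        for a in lans1:
            for b in lans2:
                if (ipaddress.ip_network(a), ipaddress.ip_network(b)) not in s1:
                    issues.append(f"no Company 1 P2 covering {a} <-> {b}")
        return issues

    LANS1 = ["172.16.4.0/23", "172.16.10.0/27"]   # Company 1 LAN 1 and LAN 2
    LANS2 = ["172.16.0.0/23"]                      # Company 2 LAN 1

    # Constructed from the thread: the broken state had a single P2 on Company 1.
    BROKEN_SIDE1 = [("172.16.4.0/23", "172.16.0.0/23")]
    BROKEN_SIDE2 = [("172.16.0.0/23", "172.16.4.0/23"), ("172.16.0.0/23", "172.16.10.0/27")]

    # The working configuration from this reply: two P2s on each side.
    FIXED_SIDE1 = [("172.16.4.0/23", "172.16.0.0/23"), ("172.16.10.0/27", "172.16.0.0/23")]
    FIXED_SIDE2 = [("172.16.0.0/23", "172.16.4.0/23"), ("172.16.0.0/23", "172.16.10.0/27")]

    if __name__ == "__main__":
        for name, a, b in [("broken", BROKEN_SIDE1, BROKEN_SIDE2), ("fixed", FIXED_SIDE1, FIXED_SIDE2)]:
            print(name, audit_phase2(a, b, LANS1, LANS2) or ["ok"])
    ```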



  • @dave-opc said in [IPSec] VPN with Multi Subnets:

    It is possible, and it will not be with the same configuration.

    I understand what you mean; unfortunately I cannot fiddle with it right now because the VPN is in production. As soon as I do, I'll post the result. Thanks for answering.



  • @dave-opc said in [IPSec] VPN with Multi Subnets:

    It is possible, and it will not be with the same configuration.

    On Company 2 you create the 1st P2 with local 172.16.0.0 and remote 172.16.10.0, and create the 2nd P2 with local 172.16.0.0 and remote 172.16.4.0.
    On Company 1 you create the 1st P2 with local 172.16.4.0 and remote 172.16.0.0, and create the 2nd P2 with local 172.16.10.0 and remote 172.16.0.0.

    I had tried this, but I was forgetting to change the output interface on Company 1; that is, I was making a faithful copy of the existing P2. A lack of attention on my part. Thank you for helping me.