IPSec tunnel from a local group of networks to a remote group of networks possible?



  • Hi All

    UPDATE: Okay, I think we may have found the answer:
    Phase 2 definitions handle how local/internal networks are sent across a tunnel. Multiple local subnets (or individual hosts) can be used on a single IPsec tunnel by adding multiple Phase 2 entries.
    Going to give it a try ..

    --
    We have been using GTA firewall for many years. But GTA has recently become defunct, and we are now considering pfSense.

    In GTA firewall, we can set up a site-to-site IPSec VPN from the local office LAN and DMZ to the remote office LAN and DMZ. That is, a single VPN which connects LAN and DMZ of office A to LAN and DMZ of office B.

Is this possible with pfSense? In GTA, we can define network address objects containing the LAN and DMZ network addresses (e.g., one object for Local 192.168.5.0/24 and 192.168.6.0/24 and then another object for the Remote 192.168.11.0/24 and 192.168.12.0/24) in the firewall and then use these objects in the IPSec VPN's Local and Remote network settings.
    How can we do this in pfSense's IPSec tunnel?
    Or do we have to create two IPSec tunnels at both offices?
    But we get this error when trying to create another tunnel to the same remote interface:
    The remote gateway "x.x.x.x" is already used by phase1 "testvpn01 to PA".
    Thank you
    CMG



  • You could also do this by supernetting the phase2 if your local/remote networks are all within a non-overlapping range.

    In your example you could use 192.168.4.0/22 (192.168.4.0 <-> 192.168.7.255) for your local subnet on the phase 2, and 192.168.8.0/21 (192.168.8.0 <-> 192.168.15.255) for the remote subnet on the ipsec tunnel.

    You would then just create firewall rules at the ipsec level to govern the /24 subnets within those networks and how they talk to each other.
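Before committing to the supernet approach, it is worth checking two things the reply above takes for granted: that the aggregated local and remote prefixes really do not overlap, and how much address space that is not actually in use gets pulled into the phase 2 traffic selector (and therefore has to be covered by the IPsec-tab firewall rules). The following is an added worked example, not code from the thread or from pfSense; it uses only the Python standard library and the subnets from the original question as constructed input.

```python
import ipaddress


def covering_supernet(networks):
    """Smallest single prefix that contains every network in the list.

    Widens the first network one bit at a time until all of the others
    fit inside it. Raises ValueError on mixed IPv4/IPv6 input.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot supernet a mix of IPv4 and IPv6 networks")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def uncovered_space(supernet, networks):
    """Address space inside supernet that none of the listed networks uses.

    This is the range that the phase 2 selector will carry across the
    tunnel even though no real subnet lives there, so firewall rules on
    the IPsec interface should not blanket-allow it.
    """
    remaining = [supernet]
    for net in (ipaddress.ip_network(n, strict=True) for n in networks):
        next_remaining = []
        for piece in remaining:
            if net == piece:
                continue  # the declared network is the whole piece
            if net.subnet_of(piece):
                # CIDR blocks either nest or are disjoint, so exclusion is exact
                next_remaining.extend(piece.address_exclude(net))
            else:
                next_remaining.append(piece)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def plan_phase2(local, remote):
    """Build a single-phase-2 plan from lists of local and remote subnets."""
    local_net = covering_supernet(local)
    remote_net = covering_supernet(remote)
    return {
        "local": str(local_net),
        "remote": str(remote_net),
        # If this is True the single phase 2 cannot be used as-is.
        "overlap": local_net.overlaps(remote_net),
        "local_unused": [str(n) for n in uncovered_space(local_net, local)],
        "remote_unused": [str(n) for n in uncovered_space(remote_net, remote)],
    }


if __name__ == "__main__":
    # Constructed input: the LAN and DMZ subnets from the original question.
    plan = plan_phase2(
        ["192.168.5.0/24", "192.168.6.0/24"],
        ["192.168.11.0/24", "192.168.12.0/24"],
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
    if plan["overlap"]:
        print("WARNING: local and remote supernets overlap; use multiple phase 2 entries instead")
```

For the subnets in the question this yields 192.168.4.0/22 and 192.168.8.0/21, matching the reply, and reports that 192.168.4.0/24 and 192.168.7.0/24 locally (and 192.168.8.0/23, 192.168.10.0/24, 192.168.13.0/24 and 192.168.14.0/23 remotely) are inside the selectors without being real subnets. If the two sites' ranges are interleaved (say a local 192.168.9.0/24 next to the remote 192.168.8.0/21) the supernets overlap and the script flags it; in that case the per-subnet phase 2 entries from the original poster's update are the right tool.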