Setup route to servers on the other side of ipsec vpn tunnel



  • Hello,
    I have a pfSense setup with 2 WANs (in CARP), so I have:

    First WAN:
    pfs1 wan ip: 93.145.101.15
    pfs2 wan ip: 93.145.101.16
    pfs wan vip: 93.145.101.14

    Second WAN:
    pfs1 wan2 ip: 88.45.191.138
    pfs2 wan2 ip: 88.45.191.139
    pfs wan2 vip: 88.45.191.140

    I have a main VLAN: 192.168.0.0/24 and the addresses on pfSense are:
    pfs1 lan ip: 192.168.0.31
    pfs2 lan ip: 192.168.0.32
    pfs lan vip: 192.168.0.30
    In the network below the 2 firewalls there are 2 main switches with L3 routing configured and in HSRP:
    swi1 ip: 192.168.0.3
    swi2 ip: 192.168.0.2
    swi vip: 192.168.0.1
    There is a route like this: 0.0.0.0 0.0.0.0 192.168.0.30
    Now I have a second VLAN that I need to route out of the second WAN and that also has to communicate with the main VLAN; as for the first one, there is an HSRP configuration on the switch:
    swi1 vlan7: 192.168.7.7
    swi2 vlan7: 192.168.7.8
    swi vip: 192.168.7.254

    My customer asked me to create an IPsec VPN and I have done it. I can see the tunnel up, but I have an issue creating a route to ping the servers on the customer site. In Phase 2 I set:

    Local Subnet: 10.175.69.10/32
    Remote Subnet: 10.64.3.46 and 10.64.3.80

    Now, on my switches I have no network for 10.175.69.10 and, honestly, I don't know how to set up the route to ping the addresses in Remote Subnet: how should I proceed?

    I have 2 other VPNs, but they have the main subnet (192.168.0.0/24) as Local Subnet, so I haven't encountered any routing issue.

    Marco



  • Hello,

    One thing I found on another forum is to create another Phase 2 and insert as local network my main VLAN (192.168.0.0/24) and as remote network the address used as local in the other Phase 2, i.e. 10.175.69.10; the tunnel starts, but I can't ping the addresses 10.164.3.46 and 10.164.3.80.

    Any other suggestion about, for example, the rules to use?



  • Another small step was to create on the switches the network 10.175.69.0/24 and then a virtual machine with IP 10.175.69.10: with this I can ping the servers on the other side.
    To do this I also created a static route like in the image:

    [image: static_route_vpn_ipsec.png]

    so the network 10.175.69.0/24 has 192.168.0.1 as its gateway.

    Then I opened a rule on the LAN interface towards 10.175.69.0/24 like in the image:

    [image: rules_vpn_ipsec.png]

    After this I can ping from 10.175.69.10 to 10.64.3.46 and 10.64.3.80.

    How do I communicate from the LAN network to 10.64.3.46 and 10.64.3.80: is it possible to set a route? Where?

    Please if you have any idea let me know.
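Editor's note, added to this thread and not written by any of the posters: the situation in the third post is easiest to understand if you remember that a policy-based IPsec tunnel is not a route. The firewall first picks a next hop from the routing table, then checks the packet's (source, destination) pair against the Phase 2 selectors; only a packet that matches both the local and the remote selector is encrypted, everything else leaves in clear text towards the next hop. The small Python model below reproduces the thread's Phase 2 entries (local 10.175.69.10/32, remote 10.64.3.46 and 10.64.3.80) and static route, and shows why a LAN host (192.168.0.50, a constructed address) never enters the tunnel, and what changes when a second Phase 2 is added (the second post's attempt, which also needs a mirror Phase 2 on the customer side) or when the LAN source is translated to 10.175.69.10 before the policy lookup, in the way pfSense's Phase 2 "NAT/BINAT translation" option does. The policy/route order and the NAT modelling are simplifications and are assumptions of this example, not a description of the pfSense kernel.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the setup described in the thread (example code, not the poster's config).
# A Phase 2 entry is a (local selector, remote selector) pair; a packet is encrypted only if its
# source falls in the local selector AND its destination falls in the remote selector.
PHASE2 = [
    (ip_network("10.175.69.10/32"), ip_network("10.64.3.46/32")),
    (ip_network("10.175.69.10/32"), ip_network("10.64.3.80/32")),
]

# Routing table as the thread describes it (longest prefix wins).
ROUTES = [
    (ip_network("192.168.0.0/24"), "LAN (directly connected)"),
    (ip_network("10.175.69.0/24"), "192.168.0.1"),   # static route from the third post
    (ip_network("0.0.0.0/0"), "WAN gateway"),        # default route
]


def add_phase2(phase2, local, remote):
    """Return a copy of the Phase 2 list with one more (local, remote) selector pair."""
    return phase2 + [(ip_network(local), ip_network(remote))]


def match_phase2(src, dst, phase2=PHASE2):
    """Return the first Phase 2 whose selectors cover (src, dst), or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in phase2:
        if src in local and dst in remote:
            return (local, remote)
    return None


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix-match next hop for dst (the default route always matches)."""
    dst = ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def forwarding_decision(src, dst, phase2=PHASE2, routes=ROUTES, binat=None):
    """Describe what the firewall does with a packet src -> dst.

    binat: optional (inside_network, translated_address) pair as strings. If src is inside
    inside_network it is rewritten to translated_address before the policy check, which is
    an assumed, simplified model of pfSense's Phase 2 "NAT/BINAT translation" option.
    """
    policy_src = src
    if binat is not None:
        inside, translated = binat
        if ip_address(src) in ip_network(inside):
            policy_src = str(ip_address(translated))
    next_hop = lookup_route(dst, routes)
    p2 = match_phase2(policy_src, dst, phase2)
    if p2 is not None:
        return f"ipsec: {policy_src} -> {dst} matches P2 {p2[0]} <-> {p2[1]}"
    # No selector matched: the packet is NOT protected and follows the plain route.
    return f"clear-text via {next_hop}"


if __name__ == "__main__":
    # The VM on 10.175.69.10 works because its source matches the local selector.
    print(forwarding_decision("10.175.69.10", "10.64.3.46"))
    # A LAN host does not: no selector covers 192.168.0.0/24, so the packet follows the
    # default route to the WAN gateway in clear text, whatever static routes exist.
    print(forwarding_decision("192.168.0.50", "10.64.3.46"))
    # Fix 1: a second Phase 2 for the LAN (the customer side needs the mirror entry).
    extra = add_phase2(PHASE2, "192.168.0.0/24", "10.64.3.46/32")
    print(forwarding_decision("192.168.0.50", "10.64.3.46", phase2=extra))
    # Fix 2: translate the LAN source to 10.175.69.10 so the existing Phase 2 matches.
    print(forwarding_decision("192.168.0.50", "10.64.3.80",
                              binat=("192.168.0.0/24", "10.175.69.10")))
```

The takeaway for the question in the last post: a static route on pfSense or on the switches only chooses a next hop, it never places traffic into the tunnel. To reach 10.64.3.46 and 10.64.3.80 from 192.168.0.0/24, either both ends need a Phase 2 that covers 192.168.0.0/24 as the local (on the customer side: remote) network, or the LAN traffic has to be translated to an address the existing Phase 2 already covers.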