Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    L2TP/IPSec routing to other subnets

    IPsec
    2
    3
    484
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      BAdkins
      last edited by

      I successfully setup the L2TP/IPSec client Vpn and am able to connect and reach the clients on the VPN server subnet.
      L2TP setup on pfSense makes you setup the subnet and gateway in a weird way or I'm just weird.

      You can't make the gateway on the same address range as the Vpn clients. So I picked just an ip address 10.0.84.1 for the gateway and the client address range 10.0.83.0/24 this when connected is connected to the pfSense whose local subnet is 10.0.183.0/24 and the gateway is 10.0.183.1.

      Traffic flows between 10.0.83.0 and 10.0.183.0 just fine. However, the pfSense has a Vpn tunnel to a remote site with subnet of 10.0.176.0/24<-->10.0.183.0/24. I have tried various routing methods to get traffic between 10.0.176.0 and 10.0.83.0 to work, but it just doesn't.

      Any help would be appreciated.

      -Barry

      1 Reply Last reply Reply Quote 0
      • B
        BAdkins
        last edited by

        Solved my own problem. Works with either Mobile Clients IPSec or L2TP/IPSec.

        Add a 2nd Phase 2 to the tunnel between the 2 sites on the 10.0.183.0 side and added the 2nd Phase 2 with the subnet of 10.0.83.0.

        Hope this might help someone else.

        I got the idea from how our Meraki devices configure with 3rd party devices, and how they deal with it between their own devices. Probably most folks out there are experts on this.

        I still don't like the way pfSense sets up the subnet/gateway for L2TP, but it works.

        Barry

        1 Reply Last reply Reply Quote 0
        • B
          brians
          last edited by

          I did this so when I use OpenVPN I can also access other subnets I want that are connected with ipsec.

          On the PFSense I OpenVPN to, which is connected to all the ipsec tunnels, I add a phase 2 entry with local subnet of of OpenVPN eg. 10.0.10.0/24 and remote subnet of whatever is on other side. On the other side, I use the remote subnet of OpenVPN eg. 10.0.10.0/24.

          One site is an old Cisco RV042 I have a tunnel from my PFSense... so what I did was I added the phase 2 on PFSense, but had to create a new site to site VPN tunnel on the RV042 and just different settings for the phase 2, this is because I cannot add multiple phase 2 to VPN on RV042 - I am surprised that it worked.

          1 Reply Last reply Reply Quote 1
          • First post
            Last post