Netgate Discussion Forum

    Better way to connect multiple site to sites than a lot of Phase 2s?

    IPsec
    4 Posts 4 Posters 374 Views
    • tenraek

      My company currently has 4 offices, but will be adding dozens more over the next few years.

      I have IPsec P2Ps set up between our admin and each location which works great.
      Initially I just had the Phase 2 between the site and admin LAN subnets, but decided I wanted each site to see the other sites too. To make this happen after setting up the NAT firewall, I set the Phase 2s to 0.0.0.0/0 which did technically work, but of course all the traffic from each remote site was going over our admin connection and slowing them way down.

      So I went back and made Phase 2s to point to each LAN subnet for each site which solved the speed problem, but that was a lot of work and I dread the idea of having to add each one as new offices open.

      I know I could also create P2Ps directly between each site but that would be as much work, if not more than adding the Phase 2s to the existing connection.

      Our subnet structures are

      Admin: 10.0.3.0/24
      Site A: 10.0.1.0/24
      Site B: 10.0.2.0/24
      Site C: 10.0.4.0/24
      and coming soon Site D 10.0.5.0/24

      and continuing so on and so on.

      Is there a way to do something like a wildcard in the Phase 2 to say go to 10.0.*.0/24? Or something to streamline the setup?

      • mcury

        In FortiGate you can set up the P2 to 0.0.0.0/0.0.0.0 at both sides of the tunnel, and lock by access rules and routes.
        Not sure if you can set up like this in pfSense.

        dead on arrival, nowhere to be found.

        • jimp Rebel Alliance Developer Netgate

          Use VTI and, perhaps, a routing protocol such as OSPF or BGP with the FRR package.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • Derelict LAYER 8 Netgate
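          As an added illustration (not code from any poster or from pfSense), here is a small longest-prefix-match model of the three spoke-side selector styles the thread discusses: one Phase 2 per remote site, a 0.0.0.0/0 catch-all, and a single summary prefix. The 10.0.0.0/16 summary and the path names are my assumptions; the site subnets are the ones given in the question.

```python
import ipaddress

# Site plan as listed in the question. The /16 summary is an assumption about
# the company's addressing plan, not something the original poster stated.
SITES = {
    "Admin":  ipaddress.ip_network("10.0.3.0/24"),
    "Site A": ipaddress.ip_network("10.0.1.0/24"),
    "Site B": ipaddress.ip_network("10.0.2.0/24"),
    "Site C": ipaddress.ip_network("10.0.4.0/24"),
    "Site D": ipaddress.ip_network("10.0.5.0/24"),
}
COMPANY_SUMMARY = ipaddress.ip_network("10.0.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


def select_path(dst, selectors):
    """Longest-prefix match of a destination address against (network, path)
    pairs. Policy-based Phase 2 selectors and VTI routes both resolve this
    way; a destination matching nothing leaves via the local WAN."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, path in selectors:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else "WAN"


def spoke_selectors(local, style):
    """Entries a spoke firewall holds towards the admin hub, per style.
    The spoke's own LAN is always present as a connected (most specific)
    entry so local traffic never gets pulled into the tunnel."""
    entries = [(SITES[local], "local")]
    if style == "per-site":      # what the poster built by hand: grows per office
        entries += [(n, "tunnel-to-admin") for name, n in SITES.items() if name != local]
    elif style == "default":     # 0.0.0.0/0: internet traffic also goes over the hub
        entries.append((ANY, "tunnel-to-admin"))
    elif style == "summary":     # one prefix covering every present and future site
        entries.append((COMPANY_SUMMARY, "tunnel-to-admin"))
    else:
        raise ValueError(f"unknown style: {style}")
    return entries
```

Inter-site traffic still hairpins through the admin hub in every style; the summary only removes the per-office entry growth, and the hub side still needs a matching selector or VTI route for each spoke LAN.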

            You might also consider establishing a couple of hubs so you have redundancy and connect all other sites to both of those.

            A full mesh really does not scale well.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.