Better way to connect multiple site-to-sites than a lot of Phase 2s?



  • My company currently has 4 offices, but will be adding dozens more over the next few years.

    I have IPsec P2Ps set up between our admin and each location which works great.
    Initially I just had the Phase 2 between the site and admin LAN subnets, but decided I wanted each site to see the other sites too. To make this happen after setting up the NAT firewall, I set the Phase 2s to 0.0.0.0/0 which did technically work, but of course all the traffic from each remote site was going over our admin connection and slowing them way down.

    So I went back and made Phase 2s to point to each LAN subnet for each site, which solved the speed problem, but that was a lot of work and I dread the idea of having to add each one as new offices open.

    I know I could also create P2Ps directly between each site but that would be as much work, if not more than adding the Phase 2s to the existing connection.

    Our subnet structures are

    Admin: 10.0.3.0/24
    Site A: 10.0.1.0/24
    Site B: 10.0.2.0/24
    Site C: 10.0.4.0/24
    and coming soon Site D 10.0.5.0/24

    and continuing so on and so on.

    Is there a way to do something like a wildcard in the Phase 2 to say go to 10.0.*.0/24? Or something to streamline the setup?
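A pfSense Phase 2 entry takes a network and prefix length rather than a wildcard, so the closest thing to "10.0.*.0/24" is one selector for the summary prefix that covers all site LANs. The following is an added example, not code from the thread or from Netgate: it takes the subnets listed in the post, computes the smallest summary prefix that contains them, compares that with the per-site selector list, and checks which other networks (constructed values here) the summary would also pull into the tunnel. A future subnet `10.0.200.0/24` and the excluded networks are assumptions for illustration.

```python
"""
Summary-prefix planning for hub-and-spoke IPsec Phase 2 selectors.

Added example; not from the forum post. The site LANs are the ones
listed in the question, everything else is constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Subnets from the question (Admin and Sites A-D).
SITE_LANS = {
    "Admin": "10.0.3.0/24",
    "Site A": "10.0.1.0/24",
    "Site B": "10.0.2.0/24",
    "Site C": "10.0.4.0/24",
    "Site D": "10.0.5.0/24",
}

# Constructed: networks that must NOT ride the tunnel (e.g. a management VLAN).
EXCLUDED_FROM_TUNNEL = ["10.0.6.0/24", "10.1.0.0/24"]


def summary_prefix(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every given subnet.

    Start from the first subnet and widen it one bit at a time until all
    others fall inside it. This is the 'wildcard' a Phase 2 can express.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("need at least one subnet")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def phase2_selectors(local: str, remotes: Iterable[str]) -> List[Tuple[str, str]]:
    """Per-site Phase 2 list: one (local, remote) pair per other LAN.

    This is what the poster built by hand and grows by one entry per new
    site on every existing tunnel.
    """
    return [(local, r) for r in remotes if r != local]


def overreach(summary: ipaddress.IPv4Network, excluded: Iterable[str]) -> List[str]:
    """Networks in `excluded` that the summary selector would also match.

    Anything returned here would be sent into the tunnel by policy even
    though it is not a site LAN, so it must be carved out or the summary
    must be narrowed.
    """
    return [e for e in excluded if ipaddress.ip_network(e).subnet_of(summary)]


if __name__ == "__main__":
    current = summary_prefix(SITE_LANS.values())
    # Assumed future allocation to show how the summary widens over time.
    planned = summary_prefix(list(SITE_LANS.values()) + ["10.0.200.0/24"])
    print(f"per-site selectors from Admin: {phase2_selectors(SITE_LANS['Admin'], SITE_LANS.values())}")
    print(f"single summary selector today: {current}")
    print(f"summary once sites reach 10.0.200.0/24: {planned}")
    print(f"networks wrongly captured by {current}: {overreach(current, EXCLUDED_FROM_TUNNEL)}")
```

The trade-off the `overreach` check makes visible: a summary such as `10.0.0.0/16` is a one-line selector on every tunnel, but it matches every address in that range, including ranges not yet assigned to any site, so anything else that lands in 10.0.0.0/16 later is captured by policy unless it is explicitly excluded.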



  • In FortiGate you can set up the P2 to 0.0.0.0/0.0.0.0 at both sides of the tunnel, and lock it down by access rules and routes.
    Not sure if you can set it up like this in pfSense.


  • Rebel Alliance Developer Netgate

    Use VTI and, perhaps, a routing protocol such as OSPF or BGP with the FRR package.


  • LAYER 8 Netgate

    You might also consider establishing a couple of hubs so you have redundancy and connect all other sites to both of those.

    A full mesh really does not scale well.

