Netgate Discussion Forum

    IPSec site to site with access to other sites

    Category: IPsec
    7 Posts, 2 Posters, 798 Views
    • mobydick426

      Hello,

      We have 3 sites connected with a site-to-site IPsec VPN. These sites use:

      • Site A : 192.168.0.32/27
      • Site B : 192.168.0.0/27
      • Site C : 192.168.0.64/28

      All of these 3 sites can communicate successfully between them.

      We also have an external office connected using IPSec VPN (site to site) to Site B.

      We would like to give access to all the other sites by using the existing VPN to this external office (rather than creating a VPN for each other site), so our external office can access servers on Site A and on Site C.

      We have tested using NAT/BINAT with a specific range of addresses, but this fails.

      How can we give/create this kind of access?

      Hope I'm clear.... :-)

      Thanks a lot for your help.

      Regards,

      • Derelict (LAYER 8, Netgate)

        Configure the VPN from Site B to Sites A and C to carry the traffic between Sites A and C and the fourth site (Site D?).

        Configure the VPN between sites B and D to carry the traffic between Site D and Sites A and C.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • mobydick426

          Hi,

          Thanks for your reply.

          Do you mean that I need an IPsec phase 1 & 2 for each site with the external office? This is what I want to avoid...

          Sites A, B and C have good Internet bandwidth; the external office does not.

          Or there is something I don't understand.

          Thanks !

          • Derelict (LAYER 8, Netgate)

            Just Phase 2.


            • mobydick426

              Hi,

              Thanks for your help and sorry for my late reply (I'm too busy).

              (The name Site D is used for our external office.)

              I'm not sure I understand, so this is what I've done:

              On Site A:

              • IPsec VPN with Site B including a phase 2 for Site B network access and one for Site D.
              • Adding a static route (System | Routing) for the network of Site D (like I've done for the network of Site B).
              • Adding a rule on the IPsec tab to allow traffic (with logging enabled).

              On site B:

              • IPsec VPN with Site A including a phase 2 for Site A network access (working fine) and one for Site D (I think this is necessary, no?).
              • Adding a static route (System | Routing) for the network of Site D (like I've done for the network of Site A).
              • Adding a rule on the IPsec tab to allow traffic (with logging enabled).

              Can you tell me whether I'm wrong or not?

              During my tests, I can see packets from Site D to Site A transiting through the access rule of Site B. But no packets from Site D are logged on Site A...

              I think something is bad on my config but I can't understand what...

              Thanks !

              • Derelict (LAYER 8, Netgate)

                Please use real subnets in describing what you have put where. I can't make any sense out of "Site A to Site B", etc.

                Maybe use this to describe what you have done:

                [image: pfSense+VPN.png]


                • Derelict (LAYER 8, Netgate)

                  You don't use static routes for IPsec unless you're using VTI.


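The two points Derelict makes in this thread (spoke-to-spoke traffic through hub Site B needs an extra Phase 2 entry on each hop, and a policy-based IPsec tunnel takes no static routes) can be modelled and checked before touching the firewalls. The script below is an added example written for this page; it is not code from the thread, from the posters, or from pfSense. The three site subnets are the ones given in the first post; Site D's subnet (10.99.0.0/24), the full-mesh layout between A, B and C, and every tunnel and route object are constructed assumptions for the example.

```python
"""Check Phase 2 (traffic selector) coverage for policy-based IPsec tunnels in a
hub-and-spoke layout, and flag static routes that such tunnels do not need.

Constructed example: the site subnets for A, B and C come from the thread;
Site D's subnet and all tunnels/routes are placeholders for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

SITES = {
    "A": ip_network("192.168.0.32/27"),
    "B": ip_network("192.168.0.0/27"),
    "C": ip_network("192.168.0.64/28"),
    "D": ip_network("10.99.0.0/24"),  # constructed placeholder; the thread never gives Site D's subnet
}


@dataclass
class Tunnel:
    """A policy-based (tunnel-mode) IPsec tunnel between two sites.

    Each Phase 2 entry is a selector pair (network behind side_a, network behind
    side_b). The peer configures the mirror image, so one pair carries both
    directions of that flow. vti=True marks a routed tunnel, where static
    routes are the normal way to steer traffic.
    """
    side_a: str
    side_b: str
    phase2: list = field(default_factory=list)
    vti: bool = False

    def covers(self, entry_site: str, src: IPv4Network, dst: IPv4Network) -> bool:
        """True if a Phase 2 entry carries src -> dst for a packet entering at entry_site."""
        if entry_site not in (self.side_a, self.side_b):
            return False
        for net_a, net_b in self.phase2:
            local, remote = (net_a, net_b) if entry_site == self.side_a else (net_b, net_a)
            if src.subnet_of(local) and dst.subnet_of(remote):
                return True
        return False


def find_tunnel(tunnels, x, y):
    """Return the tunnel joining sites x and y, or None."""
    return next((t for t in tunnels if {t.side_a, t.side_b} == {x, y}), None)


def missing_hops(tunnels, path, src, dst):
    """Walk `path` (site names from src to dst) and list each hop whose tunnel
    lacks a Phase 2 entry for the flow. A non-empty result explains the
    symptom in the thread: traffic reaches the hub but never the far spoke."""
    return [(x, y) for x, y in zip(path, path[1:])
            if (t := find_tunnel(tunnels, x, y)) is None or not t.covers(x, src, dst)]


def add_phase2_for_path(tunnels, path, src, dst):
    """The 'just Phase 2' fix: on every hop along `path`, add the selector pair
    that carries src <-> dst. Returns the entries added as (site, site, entry)."""
    added = []
    for x, y in zip(path, path[1:]):
        t = find_tunnel(tunnels, x, y)
        if t is None:
            raise ValueError(f"no tunnel between {x} and {y}")
        if not t.covers(x, src, dst):
            entry = (src, dst) if x == t.side_a else (dst, src)
            t.phase2.append(entry)
            added.append((x, y, entry))
    return added


def static_route_conflicts(routes, tunnels):
    """Flag static routes whose destination is already selected by a Phase 2
    entry of a policy-based (non-VTI) tunnel; such routes are not needed."""
    return [(net, f"{t.side_a}-{t.side_b}")
            for net in routes
            for t in tunnels if not t.vti
            if any(net.subnet_of(n) for pair in t.phase2 for n in pair)]


def build_topology():
    """Starting point from the thread: A, B, C meshed, D tunnelled only to B."""
    A, B, C, D = (SITES[s] for s in "ABCD")
    return [Tunnel("A", "B", [(A, B)]), Tunnel("B", "C", [(B, C)]),
            Tunnel("A", "C", [(A, C)]), Tunnel("B", "D", [(B, D)])]


if __name__ == "__main__":
    tunnels = build_topology()
    print("hops lacking D<->A selectors:", missing_hops(tunnels, ["D", "B", "A"], SITES["D"], SITES["A"]))
    for x, y, entry in add_phase2_for_path(tunnels, ["D", "B", "A"], SITES["D"], SITES["A"]):
        print(f"add Phase 2 on tunnel {x}-{y}: {entry[0]} <-> {entry[1]}")
    print("after fix:", missing_hops(tunnels, ["D", "B", "A"], SITES["D"], SITES["A"]))
    print("needless static routes:", static_route_conflicts([SITES["D"]], tunnels))
```

Running it against the starting topology reports both hops (D-B and B-A) as uncovered, then shows the two entries to add: on the B-D tunnel a pair with Site A's network behind B and Site D's behind D, and on the A-B tunnel a pair with Site A's network behind A and Site D's behind B. Repeating the call for path D, B, C gives the matching entries for Site C. The route check reproduces the last reply: a static route for Site D's network on a policy-based tunnel is flagged as unnecessary.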
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.