Netgate Discussion Forum

Accessing (web)server from outside from one network to another using IPSec

General pfSense Questions

jonp:
I do not even know how to properly name the topic for this little problem that I am having, even though I have a sneaking suspicion the solution most likely is quite simple.

Situation:
I have two local networks in two different locations. The networks are equal in the sense that they have the same type of gateway (pfSense 2.4.4-RELEASE-p3) and both have computers that communicate with each other in a very normal home-network style.

One network is, say, 192.168.10.0/24 and the other is 192.168.11.0/24. They are connected with each other using IPSec and it works like a charm. I can access any computer on one network from any computer on the other network, exactly as I want it.

Both gateways are accessible from the internet through their own dedicated URL/IP.

Problem:
On one of the networks I have a webserver. It is accessible by providing the correct outside URL of the gateway, which routes the traffic to the correct computer and the correct port. Works like a charm.

But I also want to access the same server by giving the URL of the gateway on the other network, that is, routing the traffic from that gateway, through the IPSec connection, to the server on the other network.

What I have tried:
NAT->Port Forward: added a rule so that the traffic got routed to the correct server on the local network. It works perfectly on a server that is on the same network. I also added a rule on the other net/gateway that routed the traffic to this particular server. That did not work.

After some testing I found that I was able to ping computers on the remote network from computers on the local network, but not from the gateway.

Figuring that I had some issue with internal routing in the gateway, I tried to add another Phase 2 to the IPSec Phase 1 that used mode "Routed (VTI)" and set it up with static routing (using this guide: https://www.youtube.com/watch?v=AKMZ9rNQx7Y). After disabling the old P2, everything seemed to work as before: traffic from one computer on one network got through to computers on the other network. But I was still not able to reach computers on the remote network from the gateways.

Question:
How to route traffic from the WAN on one network through IPSec to a server on another network?
More specifically: I want to access a webserver on one local network from the outside of a gateway on another local network, where the local networks are connected through IPSec.

Regards
JonP

stephenw10 (Netgate Administrator):

You can do that if you use OpenVPN instead of IPSec.

Policy-based IPSec won't work there, as it would have to carry traffic from any source and hence it would carry all traffic the other way.
Route-based IPSec also can't work for that, as you require 'reply-to' to work in pf in order for replies to correctly go back over the VPN, and that is one of the limitations on VTI currently.

Steve

JKnott (replying to jonp):

@jonp said in Accessing (web)server from outside from one network to another using IPSec:

    How to route traffic from the WAN on one network through IPSec to a server on another network?

Are you pulling your DNS via the VPN? If so, just use the LAN address in the local DNS. This will provide the proper IP address, instead of using the external one.

pfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

stephenw10 (Netgate Administrator):

I think he's saying he wants to hit the public IP at site 1, from some external IP, and have that forwarded to a server at site 2 across the VPN.

jonp (replying to stephenw10):

Sorry for not being able to respond to this earlier.

@stephenw10 said in Accessing (web)server from outside from one network to another using IPSec:

    I think he's saying he wants to hit the public IP at site 1, from some external IP, and have that forwarded to a server at site 2 across the VPN.

As I read it, that is exactly what I am trying to achieve.

If you could broadly outline the steps I have to take, what to look out for and what has to work to achieve this functionality, I would be very thankful.

JonP

stephenw10 (Netgate Administrator):

Set up a site-to-site OpenVPN connection.

Assign the interfaces so that you get reply-to and route-to functionality.

Make sure the firewall rules that pass the traffic are on the assigned interfaces and NOT on the main OpenVPN tab. If it's passed on the main tab it does not get tagged reply-to.

Add the port forward on the WAN at site A to the LAN IP at site B.

High-5 whoever might be next to you! 😉

Steve
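As an added illustration of what the reply-to tagging in Steve's steps does at each site (this is a constructed pf fragment, not Steve's text and not rules pfSense generated for anyone's box), here are the equivalent pf rules for both ends. Interface names, the upstream gateway, the tunnel endpoints and the webserver address are all assumed.

```pf
# Constructed example: interfaces, gateways and addresses are assumed, not from the thread.
# Site A (192.168.10.0/24): external clients hit its WAN; the webserver lives at site B.
wan_if   = "em0"
wan_gw   = "203.0.113.1"       # site A's upstream gateway (assumed)
ovpn_if  = "ovpns1"            # site-to-site OpenVPN, assigned as an interface at each site
web_srv  = "192.168.11.50"     # webserver on site B's LAN (assumed)

# Step 4: port forward on site A's WAN straight to the LAN IP at site B.
# The forwarded packet then follows site A's route for 192.168.11.0/24 into the tunnel.
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_srv port 80

# reply-to on the WAN pass rule: when the server's answer comes back through the
# tunnel and is un-NATed, it is sent to the WAN gateway, not wherever the routing
# table would otherwise point.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) proto tcp from any to $web_srv port 80 keep state

# Site B (192.168.11.0/24): the forwarded packets arrive on the assigned OpenVPN interface.
tun_gw_a = "10.8.0.1"          # site A's tunnel endpoint, the gateway of the assigned interface (assumed)

# Step 3, what NOT to do: a rule on the main OpenVPN tab has no reply-to, so the
# server's reply to the external client follows site B's default route out of
# site B's own WAN. The client's TCP session is with site A's public IP, so the
# reply never matches and the connection hangs.
# pass in quick on openvpn proto tcp from any to $web_srv port 80 keep state

# Step 3, the rule on the assigned interface: reply-to pins the state's return
# path to the tunnel towards site A, which un-NATs it and hands it back to the client.
pass in quick on $ovpn_if reply-to ($ovpn_if $tun_gw_a) proto tcp from any to $web_srv port 80 keep state
```

Without the second site's reply-to, the forward direction works but packet captures on site B's WAN will show the server's SYN-ACKs leaving the wrong way, which is the symptom to look for when this setup half-works.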

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.