Why can't I reach devices in an IPSec network from another IPSec network?



  • Hi,
    We use pfSense at our office and have connected some customer sites via IPSec to our network(s). One of our employees works from another site and also uses IPSec to connect to our office.

    Some network details:
    Our office network(s): 10.128.x.y/24 (pfSense on a bare metal server)
    IPSec networks: 10.130.x.y/24 (mostly Ubiquiti Edgerouter X's)

    We should be able to, and can, directly access all IPSec sites and their devices from our office networks. Some customers are allowed to access our office networks, which also works fine after I configured a firewall rule for it on the IPSec tab.

    As one of our employees works from his home, he also got an Edgerouter with IPSec.
    He can also access our internal networks when we configure a firewall rule for it, but he can't access the other IPSec networks. In contrast to the customer sites, he should be able to access the customer (IPSec) sites as well to do some maintenance, service and monitoring. How can I achieve this? I suppose that I need to set a route in his Edgerouter like 10.130.0.0/16 via 10.130.10.1 (pfSense) or something? Maybe I need to set a firewall rule in the customers' Edgerouters to allow traffic from other 10.130 networks? Do I need to configure something in pfSense like routes or gateways?

    I tested and experimented with this for a few hours but can't get it working, as I don't really have an idea what I actually need to configure. Can someone help me out by telling me what needs to be configured to get it working? I'm not specifically looking for a detailed how-to about the Edgerouter or something (as this is a pfSense forum). I asked this question here as pfSense is the "linking part" between the networks. I think a list of things I need to configure will already guide me in the right direction; if not, I will simply ask for details about the part I don't get ;)

    If more info is required to answer the question, let me know what's missing and I will add the missing details.
    Thanks in advance!


  • Netgate Administrator

    With policy-based IPSec you will need phase 2 policies to carry the traffic he is sending, and you probably don't have them right now.

    For example if his subnet is 10.130.100.0/24 he probably has a P2 on his tunnel that is:
    10.130.100.0/24 to 10.128.0.0/16

    That will grab any traffic coming from his local subnet destined for your office networks and send it over the tunnel.

    But if he tries to access another remote site, say 10.130.200.0/24, that traffic will be ignored as it's not covered by the policy.

    To connect between spokes in a hub and spoke design like that you need P2 policies on each tunnel to carry it. So for that example the remote worker would need a P2 on his tunnel:
    10.130.100.0/24 to 10.130.200.0/24

    And the remote site he'd be connecting to would need:
    10.130.200.0/24 to 10.130.100.0/24

    That escalates quickly if you need to connect between a lot of sites.

    It's much easier if you have a route-based VPN like OpenVPN or VTI (route-based IPSec). But that would require changing all the tunnels.

    You could proxy the traffic on your office network somehow so his traffic appears to be coming from there.

    You could set up an OpenVPN server for this one worker (or more remote support staff). If you choose a tunnel subnet that is inside 10.128.0.0/16 then the existing IPSec tunnels will already carry that traffic.

    Steve
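The selector logic in the answer above can be checked with a small model. The script below is an added example, not part of the forum thread and not pfSense or strongSwan code: it treats each policy-based tunnel as two peers holding lists of phase 2 (local, remote) selectors and asks whether a given src/dst flow is carried along a path of tunnels. All subnets and host addresses are constructed for illustration (10.130.100.0/24 for the worker, 10.130.200.0/24 for a customer site, and a hypothetical OpenVPN tunnel subnet 10.128.250.0/24 chosen inside 10.128.0.0/16). It reproduces the three situations described: spoke-to-hub works with the existing P2s, spoke-to-spoke fails until both tunnels get the extra P2 in each direction, and a worker arriving over OpenVPN with a 10.128.x.y address is covered by the existing P2s without any change.

```python
import ipaddress

# Constructed hub-and-spoke topology modelled on the thread. All subnets and
# host addresses are illustrative, not anyone's real configuration.
HUB_NETS     = "10.128.0.0/16"    # office networks behind pfSense (the hub)
WORKER_NET   = "10.130.100.0/24"  # remote worker's Edgerouter LAN (spoke A)
CUSTOMER_NET = "10.130.200.0/24"  # a customer site's Edgerouter LAN (spoke B)
OPENVPN_NET  = "10.128.250.0/24"  # hypothetical OpenVPN tunnel subnet inside 10.128.0.0/16


def _in(net, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def peer_carries(selectors, src, dst):
    """A policy-based IPsec peer only sends a packet into the tunnel when some
    phase 2 selector (local, remote) has src in local and dst in remote."""
    return any(_in(local, src) and _in(remote, dst) for local, remote in selectors)


def tunnel_carries(tunnel, sender, src, dst):
    """A flow crosses a tunnel only if the sending peer's selector matches and the
    receiving peer holds the mirror selector (dst in its local, src in its remote).
    The check is symmetric, so the reply direction is covered by the same test."""
    (receiver,) = [peer for peer in tunnel if peer != sender]
    return peer_carries(tunnel[sender], src, dst) and peer_carries(tunnel[receiver], dst, src)


def path_carried(tunnels, hops, src, dst):
    """hops: ordered (tunnel_name, sending_peer) pairs from source towards destination."""
    return all(tunnel_carries(tunnels[name], sender, src, dst) for name, sender in hops)


def baseline_tunnels():
    """What each site most likely has today: one P2 per spoke, spoke <-> office only."""
    return {
        "worker-office":   {"worker":   [(WORKER_NET, HUB_NETS)],
                            "office":   [(HUB_NETS, WORKER_NET)]},
        "customer-office": {"customer": [(CUSTOMER_NET, HUB_NETS)],
                            "office":   [(HUB_NETS, CUSTOMER_NET)]},
    }


def spoke_to_spoke_tunnels():
    """Baseline plus the extra P2 on every tunnel the spoke-to-spoke flow crosses,
    mirrored on both ends of each tunnel."""
    t = baseline_tunnels()
    t["worker-office"]["worker"].append((WORKER_NET, CUSTOMER_NET))
    t["worker-office"]["office"].append((CUSTOMER_NET, WORKER_NET))
    t["customer-office"]["office"].append((WORKER_NET, CUSTOMER_NET))
    t["customer-office"]["customer"].append((CUSTOMER_NET, WORKER_NET))
    return t


# Worker traffic to a customer site goes worker -> office tunnel, then office -> customer tunnel.
WORKER_TO_CUSTOMER = [("worker-office", "worker"), ("customer-office", "office")]


def worker_reaches_office(tunnels=None):
    tunnels = tunnels or baseline_tunnels()
    return path_carried(tunnels, [("worker-office", "worker")], "10.130.100.5", "10.128.1.10")


def worker_reaches_customer(tunnels=None):
    tunnels = tunnels or baseline_tunnels()
    return path_carried(tunnels, WORKER_TO_CUSTOMER, "10.130.100.5", "10.130.200.7")


def openvpn_worker_reaches_customer():
    """Alternative from the answer: the worker is an OpenVPN client with an address
    inside 10.128.0.0/16, so from the customer tunnel's point of view his traffic is
    ordinary hub traffic and the existing P2 already matches it."""
    return path_carried(baseline_tunnels(), [("customer-office", "office")],
                        "10.128.250.5", "10.130.200.7")


if __name__ == "__main__":
    print("worker -> office, existing P2s:       ", worker_reaches_office())
    print("worker -> customer, existing P2s:     ", worker_reaches_customer())
    print("worker -> customer, extra P2s added:  ", worker_reaches_customer(spoke_to_spoke_tunnels()))
    print("OpenVPN worker -> customer, existing: ", openvpn_worker_reaches_customer())
```

The model deliberately ignores routing and firewall rules: with policy-based IPsec the selector check happens before either matters, which is why adding a static route on the worker's Edgerouter alone does not help. The `spoke_to_spoke_tunnels` function also makes visible why this "escalates quickly": every additional spoke pair needs four more selector entries spread across two tunnels.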

