Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to access IPSec site A from IPSec site B via the office network (no direct site-to-site between A and B)

    Scheduled Pinned Locked Moved
    IPsec
    1
    2
    200
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • CodeNinjaC
      CodeNinja
      last edited by

      Our main (office) network managed located in Germany and managed by pfSense. We also have a lot of customer locations connected to our network. Each customer site is connected with IPSec through an Ubiquiti Edgerouter which is always placed behind another router (So behind NAT) We have only control over the Ubiquiti Edgerouter part of the network. For this reason, the connection is initiated by the Edgerouter and the required ports are opened on out office site.

      In some cases we need to be able to send traffic from one IPSec site to another. One example is our office in Greece. As all these site's (including the office in greece) are connected with our main office, we want to route the traffic between IPSec sites via our office. I have tried to get this done with the knowledge i have but was not able to get it working. Unfortunately i was aslo not able to find how to configure this with Googles help as i actually have no real idea what needs to be configured.

      Another reason why we want to route the traffic via our office is that we sometimes need to connect 2 customer site's to each other where we have no ability to open ports.

      Can someone explain me what needs to be configured "connect" 2 IPSec site's the way i just described so not directly with eachother but via our office? Thanks in advance about that!
      I don't think it has an added value to add my pfSense config but when details about my current configuration are required, just let me know and i will add the missing information.

      1 Reply Last reply Reply Quote 0
      • CodeNinjaC
        CodeNinja
        last edited by CodeNinja

        UPDATE:
        I think it may good to know that each IPSec network has its own ip range, 10.130.x.0/24 where x is unique for each site. The phase 2 are currently running in "Tunnel IPv4" modus. When possible, we want to keep using 1 network for each site. I mean, not 1 network for router-to-router and another one for the network of the site them selve. I'm not sure if this is possible as i may need to change the IPsec P2 mode???

        An example of my IPSec configuration which is similar for each site.
        IPSec examples.txt

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.