Netgate Discussion Forum

    IPSEC internet conection by tunnel

    IPsec
      atreyumu

      Hello.
      I have an IPsec VPN tunnel and I would like to configure it so that the computers that I have in one of the sites (site B) go to the internet through the connection of site A.
      How could I do it?

        gabacho4 @atreyumu

        @atreyumu give this a read. Pretty simple setup for this to work.

        https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html

          atreyumu @gabacho4

          @gabacho4 Thanks.
          I have carried out all the steps but I cannot go to the internet from site A, through the IP of site B (according to the manual)
          How could I do it?

            gabacho4 @atreyumu

            @atreyumu I’ve followed those instructions a few times and it’s always worked for me. Did you create an outbound NAT rule on the B side for the site A IP subnet? In your P2 settings, did you set the site A remote network to 0.0.0.0/0 and the site B local network to 0.0.0.0/0? To troubleshoot further, I will need you to post screenshots of your P1 and P2 settings for both sides, as well as the firewall rules and NAT rules on side B, through which the internet is supposed to be accessed.

              atreyumu @gabacho4

              @gabacho4
              Site A
              [screenshot: site A IPsec settings]

              Site B
              [screenshot: site B IPsec settings]
              [screenshot: site B firewall rules]
              [screenshot: site B outbound NAT rules]

                gabacho4 @atreyumu

                @atreyumu ok, so right away: it should be 0.0.0.0/0, not 0.0.0.0/24. Change that. I need to see the firewall rule for side A as well. Everything else looks good. You can get better performance using GCM ciphers, btw, but that’s an optimization thing more than an actual connectivity issue. Make the change to 0.0.0.0/0 on both sides and make sure the firewall rule on the A and B sides is a permit all, and things should connect based on what I see.

                  atreyumu @gabacho4

                  @gabacho4 Thank you!!
                  It worked!!!
                  With this configuration, would it be possible to connect Site A computers to a Site B Windows domain?

                    gabacho4 @atreyumu

                    @atreyumu that’s something I personally haven’t tried but I would guess it should be doable?? I did find the following thread which indicates you should be able to.

                    https://forum.netgate.com/topic/110066/site-to-site-vpn-works-but-can-t-join-domain-on-other-side

                    Can’t recommend a good Google search enough for a lot of things as you are most definitely not the first to want to try something new.

                    Perhaps there is someone smarter than me on that particular matter who can provide more details.

                      atreyumu @gabacho4

                      @gabacho4 Thanks so much. I’ll look for more info about this.

                        atreyumu @atreyumu

                        @atreyumu Hi. If I wanted only one host on the LAN to go to the internet through the tunnel, should I only switch outbound

                          gabacho4 @atreyumu

                          @atreyumu believe you’d create a firewall rule that would allow the desired IP through but nothing else. The key with IPSec is that access is controlled by the firewall rules on the other side. So if you want a side A device to pass through side B, the firewall rule to permit that is created on side B.

                          Edit: my rule would be something like “deny all if source !<desired side A IP> to any destination”

                          Edit 2: rereading your post, I may have misunderstood. If all you want is the one IP to have internet access, but all other IPs to transit the IPSec connection, then yes, just change your outbound NAT rule to reflect the specific IP instead of the whole subnet.

                            atreyumu @gabacho4

                            @gabacho4 the problem is that it does not let me indicate only a host, only a network.
                            [screenshot: outbound NAT rule source selector]

                              gabacho4 @atreyumu

                              @atreyumu interesting. I wonder if it works if you leave it as network but then put in the device IP address with a /32. Basically you’re saying let out this network of 1 device. I’d have to dig around a bit if that doesn’t work. @jimp seems to be the IPSec guru on the Netgate side but can’t speak to his availability/interest in commenting. He keeps himself busy from what I see.

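The thread settles on three things: both Phase 2 selectors must be 0.0.0.0/0 (0.0.0.0/24 only covers 256 addresses, so no public destination matches it), site B needs an outbound NAT rule whose source covers site A's LAN, and narrowing that rule to one host is done with a /32 "network". The script below is an added example written for this page, not a pfSense tool or anything posted in the thread; it models those selectors with Python's `ipaddress` module and reports which of the three conditions a given configuration violates. All addresses are constructed documentation ranges, and the function names (`diagnose`, `nat_permits_host`) are the example's own.

```python
import ipaddress
from typing import List

# Constructed sample topology: site A's clients should exit to the internet
# through site B's WAN. These are documentation ranges, not anyone's real config.
SITE_A_LAN = "192.168.10.0/24"
SITE_B_LAN = "192.168.20.0/24"
PROBE_DESTINATION = "203.0.113.10"   # a public host a site A client wants to reach


def selector_matches(selector: str, address: str) -> bool:
    """True if a CIDR selector (P2 network or NAT source) covers this address."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


def host_count(cidr: str) -> int:
    """Number of addresses a CIDR covers; a /32 is exactly one host."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def diagnose(site_a_remote: str, site_b_local: str,
             site_b_outbound_nat_sources: List[str],
             destination: str = PROBE_DESTINATION) -> List[str]:
    """Explain why a site A client may fail to reach `destination` via site B.

    Returns an empty list when the configuration the thread converged on is in
    place: both P2 selectors match any destination and site B has an outbound
    NAT rule whose source covers the whole site A LAN.
    """
    findings = []

    # 1. Site A's P2 "remote network" decides which destinations enter the tunnel.
    if not selector_matches(site_a_remote, destination):
        findings.append(
            f"site A P2 remote network {site_a_remote} covers only "
            f"{host_count(site_a_remote)} addresses and does not match "
            f"{destination}; use 0.0.0.0/0")

    # 2. Site B's P2 "local network" must mirror it or B rejects the selector.
    if not selector_matches(site_b_local, destination):
        findings.append(
            f"site B P2 local network {site_b_local} does not match "
            f"{destination}; use 0.0.0.0/0")

    # 3. Site B must source-NAT site A's addresses to its WAN on the way out,
    #    otherwise replies would be addressed to a private range and dropped.
    a_lan = ipaddress.ip_network(SITE_A_LAN)
    if not any(a_lan.subnet_of(ipaddress.ip_network(src, strict=False))
               for src in site_b_outbound_nat_sources):
        findings.append(f"no outbound NAT rule on site B whose source covers {SITE_A_LAN}")
    return findings


def nat_permits_host(site_b_outbound_nat_sources: List[str], host: str) -> bool:
    """True if at least one site B outbound NAT rule would translate this host.

    Entering a single address as a /32 "network" restricts the rule to one device,
    which is the workaround suggested in the last reply of the thread.
    """
    return any(selector_matches(src, host) for src in site_b_outbound_nat_sources)


if __name__ == "__main__":
    # The mistake from the screenshots: /24 instead of /0 on site A.
    for line in diagnose("0.0.0.0/24", "0.0.0.0/0", [SITE_A_LAN]):
        print("problem:", line)

    # The corrected configuration produces no findings.
    print("corrected:", diagnose("0.0.0.0/0", "0.0.0.0/0", [SITE_A_LAN]) or "ok")

    # Restricting the NAT rule to one site A host via a /32 source.
    single = ["192.168.10.50/32"]
    print("host .50 translated:", nat_permits_host(single, "192.168.10.50"))
    print("host .51 translated:", nat_permits_host(single, "192.168.10.51"))
```

Running it prints the /24 finding first, then "ok" for the corrected selectors, and shows that a /32 NAT source translates exactly one host. The script only reasons about selectors; it does not check the firewall rules on the IPsec interface, which gabacho4 notes must also permit the traffic on the side where it exits.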
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.