IPSec phase 2 to an IP Range
-
I have to pass a set of IPs from one network to another without opening up the entire network. For example, I have these workstations on the regular LAN that need to access the LAN of a remote site, but I don't want the entirety of the local LAN of site A to see site B.
Let's say site A is 10.50.0.0/23, pfSense at 10.50.0.1, the desktops in question are static at 10.50.0.90-99, and that needs to see 10.51.0.0/23.
Granted, I could firewall it, but since both locations have 5 IPSec tunnels each and at least 4 of them need IPv4 any all * type stuff, it goes from a single-record proposition to a 6-record ordeal.
Not sure I can CIDR it either. I would need two /29s to cover it and then some, and I am unsure if it would work.
-
I'm not 100% sure this will work, but have you tried adding each of the PCs as a separate /32 address? I have the reverse scenario where I have a VPN connection to a remote server where the remote address is specified as a /32.
Otherwise I think you would be able to do two /29 blocks - x.88/29 and x.96/29, although obviously any other device within those blocks would also gain access.
Or, would a floating firewall rule set help simplify things? In case you don't know, you can also create a single alias which can include all of the PC IP addresses.
-
@rolytheflycatcher
I have an Alias of static IP computers that should have access to our network management VLAN at the office, which houses vCenter, SANs, switches, etc. We also have racks at a datacenter in the city which has a "core" firewall that houses its network management, which is just an SG3100 which also has SANs and a VMware cluster. I may do the /29s to see if that works, and then I can try and bolster it, I guess, with a deny inverse AllowedIPs. Maybe that will be enough.
-
OK - That worked.
Two /29 Phase 2s isn't super elegant, but it is better than having 10. I guess I could have done the full /23, but the more locked down the better IMHO.
I guess that is an interesting discussion, if any cyber security experts want to weigh in.
-
@phlmike you can probably add each PC with a /32, which might 'read' more elegantly than the two /29.
I'm also wondering if the Alias you have already created could be utilised in the phase 2 declaration for this purpose. Never tried it.
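An added example, not posted by anyone in this thread, that works through the selector arithmetic discussed above: the exact CIDR cover for 10.50.0.90-99, the /32-per-PC alternative, and which hosts outside the range the two /29s (x.88/29 and x.96/29) would additionally pass through the tunnel. The addresses are taken from the thread; only the function names are my own.

```python
import ipaddress

# Values from the thread: static desktops at 10.50.0.90-99 on site A,
# and the two /29 phase 2 entries that were used to cover them.
LOCAL_FIRST, LOCAL_LAST = "10.50.0.90", "10.50.0.99"
TWO_SLASH_29S = ["10.50.0.88/29", "10.50.0.96/29"]


def minimal_cidr_cover(first, last):
    """Fewest CIDR blocks (as strings) that cover exactly first..last.

    Each block would become one phase 2 entry with the same remote
    network; no address outside the range is matched by the selectors."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in nets]


def extra_hosts(blocks, first, last):
    """Addresses that `blocks` would pass through the tunnel although
    they lie outside first..last (the 'any other device within those
    blocks would also gain access' caveat).  Iterates the whole network,
    not .hosts(), because a phase 2 selector matches every address."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    extra = []
    for block in blocks:
        for addr in ipaddress.ip_network(block):
            if addr < lo or addr > hi:
                extra.append(str(addr))
    return extra


def per_host_selectors(first, last):
    """The /32-per-PC alternative: one phase 2 entry per workstation."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [f"{ipaddress.ip_address(i)}/32" for i in range(int(lo), int(hi) + 1)]


if __name__ == "__main__":
    print("exact cover  :", minimal_cidr_cover(LOCAL_FIRST, LOCAL_LAST))
    print("/32 entries  :", len(per_host_selectors(LOCAL_FIRST, LOCAL_LAST)))
    print("two /29s also admit:", extra_hosts(TWO_SLASH_29S, LOCAL_FIRST, LOCAL_LAST))
```

The exact cover is three entries (.90/31, .92/30, .96/30), which sits between the two /29s and the ten /32s while admitting nothing beyond the listed desktops.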