Netgate Discussion Forum

How to build IPSec S2S VPN with multiple subnets/hosts on both sides?

General pfSense Questions
4 Posts 3 Posters 751 Views
  • joeytian
    last edited by Jun 17, 2022, 2:06 PM

    Say site A has 10+ subnets/hosts and site B also has 10+ subnets/hosts; how do I build the VPN tunnel?

    Usually, if it is 1 subnet/host vs 1 subnet/host, it is easy: just one phase II subtunnel.
    If it is 1 vs 2, we need to build two subtunnels to match site B.
    If it is 2 vs 2, we need to build four subtunnels to match both sides.
    ...
    Anyway we need full mesh for subtunnels.

    In Cisco, I can use two network groups to contain 10+ subnets/hosts for both sides, so it is still one subtunnel.
    I am trying to do the same in pfSense, but I can NOT use an Alias in a phase II subtunnel, so how do I accomplish it? Thanks.

    • gabacho4 Rebel Alliance @joeytian
      last edited by Jun 17, 2022, 2:16 PM

      @joeytian I’d personally use a VTI IPSec tunnel. Create the P1, create one tunnel P2, and then use PBR and static routes or OSPF for the routing. Super convenient and scales very well. Traditional policy IPSec sucks once you’ve used VTI.

      • gabacho4 Rebel Alliance @joeytian
        last edited by Jun 17, 2022, 2:21 PM

        @joeytian if your subnets on each side are within one range, for example 10.10.[1-254].0/24 on one side and 10.20.[1-254].0/24 on the other, I’d bet you could also create a P2 using 10.10.0.0/16 and 10.20.0.0/16, and that would cover everything. Your ranges may differ, of course. You could use firewall rules to further refine exactly what is allowed over it, using appropriate alias(es). I’ve never done this, but now you’ve piqued my curiosity.

        • stephenw10 Netgate Administrator
          last edited by Jun 17, 2022, 2:25 PM

          If you are using pfSense on both sides, as long as you're using IKEv2 and do not set 'split connections', it will do this by default.
          You will see one childSA created for all defined subnets on each side and it will carry traffic between any of them.

          But, yeah, I would probably use route mode IPSec (VTI) also. Logically easier to define.

          Steve

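The three approaches discussed in this thread can be compared on the same set of subnets: the per-pair phase 2 mesh from the question, the summarized /16-style P2 from gabacho4's second reply (together with its side effect, that the P2 then admits addresses nobody intended to route and has to be narrowed with firewall rules), and the single IKEv2 child SA carrying several traffic selectors that stephenw10 describes as the pfSense default. The script below is an added illustration written for this page; it is not code from the thread or from pfSense, and the site A / site B subnets in it are constructed sample values.

```python
"""Added illustration for the thread above: how many phase 2 entries each approach
needs for N local x M remote subnets, how far a summarized P2 overreaches the
intended subnets, and how a multi-TS IKEv2 child SA selects traffic.
The subnets below are constructed sample values, not taken from the thread."""
import ipaddress
from itertools import product

# Constructed sample: three subnets at site A, four at site B.
SITE_A = ["10.10.1.0/24", "10.10.2.0/24", "10.10.7.0/24"]
SITE_B = ["10.20.1.0/24", "10.20.3.0/24", "10.20.9.0/24", "10.20.200.0/24"]


def nets(cidrs):
    """Parse CIDR strings into ip_network objects (IPv4 assumed for the sample)."""
    return [ipaddress.ip_network(c) for c in cidrs]


def policy_mesh(local, remote):
    """Classic policy-based IPsec with one P2 per subnet pair: the full mesh
    described in the question, N * M child SAs."""
    return list(product(nets(local), nets(remote)))


def covering_supernet(cidrs):
    """Smallest single prefix that contains every listed subnet: the
    '10.x.0.0/16 in one P2' idea, computed instead of guessed."""
    subnets = nets(cidrs)
    candidate = subnets[0]
    while not all(n.subnet_of(candidate) for n in subnets):
        candidate = candidate.supernet()  # widen by one bit until all fit
    return candidate


def overreach(cidrs):
    """Addresses the covering supernet admits that are in none of the intended
    subnets. Non-zero means the P2 alone is broader than intended and the
    firewall rules on the IPsec interface must do the narrowing."""
    supernet = covering_supernet(cidrs)
    intended = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets(cidrs)))
    return supernet.num_addresses - intended


def single_child_selects(local, remote, src, dst):
    """One IKEv2 child SA with several traffic selectors per side (what the
    thread says pfSense negotiates when 'split connections' is off): a packet
    is carried if src is inside any local TS and dst inside any remote TS."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in n for n in nets(local)) and any(dst in n for n in nets(remote))


if __name__ == "__main__":
    mesh = policy_mesh(SITE_A, SITE_B)
    print(f"policy mesh: {len(mesh)} P2 entries")
    for a, b in mesh:
        print(f"  {a} <-> {b}")
    for name, side in (("site A", SITE_A), ("site B", SITE_B)):
        print(f"{name}: summary {covering_supernet(side)}, "
              f"{overreach(side)} addresses beyond the intended subnets")
    print("multi-TS child carries 10.10.7.5 -> 10.20.200.9:",
          single_child_selects(SITE_A, SITE_B, "10.10.7.5", "10.20.200.9"))
    print("multi-TS child carries 10.10.3.5 -> 10.20.200.9:",
          single_child_selects(SITE_A, SITE_B, "10.10.3.5", "10.20.200.9"))
```

With the sample values the mesh is 12 P2 entries, while the summarized P2 for site B becomes 10.20.0.0/16 and admits 64512 addresses outside the four intended subnets; that gap is exactly what gabacho4's "refine with firewall rules" remark is about. The multi-TS child SA (and equally a VTI P2 of 0.0.0.0/0 on both sides, where routing decides) keeps the count at one without widening the selectors beyond the listed subnets.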
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.