    IPSec on three sites with intermediate tunnel

    lperez:

      Hi folks:

      I have three networks configured on three remote sites, defined as:
      Site A: 10.69.0.0/16 (pfsense)
      Site B: 10.68.0.0/16 (pfsense)
      Cloud: 10.70.0.0/16

      I've configured the IPsec IKEv2 tunnels below (all route based):
      Site A <---ipsec ---> Site B
      Site A <---ipsec ---> Cloud

      As Site B does not have a public IP address, I cannot set up a tunnel between Cloud and Site B, because the cloud provider doesn't allow me to set 0.0.0.0/0 as the remote peer address.

      What I'm trying to do is to send all the traffic through Site A as an intermediate tunnel, to reach Cloud from Site B and Site B from Cloud.
      Cloud <--- Site A ----> Site B

      I've tried a lot of things, such as creating additional phase 2 connections on all three sides, without success, so I suppose there's something I'm missing.

      I would really appreciate it if somebody could give me any idea.
      Thanks in advance.
      L!

      lperez:

        My first idea was:

        On site A:
        Phase 1 between Cloud <--> Site A
        Phase 2a: local network 10.69.0.0/16 | remote network 10.70.0.0/16
        Phase 2b: local network 10.68.0.0/16 | remote network 10.70.0.0/16

        Phase 1 between Site A <--> Site B
        Phase 2a: local network 10.69.0.0/16 | remote network 10.68.0.0/16
        Phase 2b: local network 10.70.0.0/16 | remote network 10.68.0.0/16

        On site B:
        Phase 1 between Site B <--> Site A
        Phase 2a: local network 10.68.0.0/16 | remote network 10.69.0.0/16
        Phase 2b: local network 10.68.0.0/16 | remote network 10.70.0.0/16

        On Cloud:
        Phase 1 between Site A <--> Cloud
        Phase 2a: local network: 10.70.0.0/16 | remote network 10.69.0.0/16
        Phase 2b: local network 10.70.0.0/16 | remote network 10.68.0.0/16

        As mentioned in my previous post, that configuration was not working, but I'm not sure what the reason is: maybe this concept is wrong, or maybe I'm missing some config (such as routes, gateways, firewall rules), etc.

        Notice that, except for Site B <--> Cloud, all other connections are working.

        At this point I'll really appreciate any help :)
        Thanks again

        viragomann:

          @lperez
          It should work with these settings though.
          The routing is done by IPsec. You only need proper firewall rules on the IPsec tab to allow the traffic.

          lperez:

            @viragomann Thanks for your reply.

            You were right, I was missing firewall rules on Site A (the intermediate hop).

            Now I have the hop tunnel working.

            Thanks again.

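As an added example (not code from the thread or from pfSense), the following script models the phase 2 selectors from the second post plus a constructed set of IPsec-tab rules, and walks a flow hop by hop to report which piece is missing. The rule sets, site names and IP addresses are assumptions; RULES_BEFORE mirrors the original problem (the hub only passes spoke traffic to its own LAN), RULES_AFTER adds the transit rules the reply calls for.

```python
import ipaddress

# Phase 2 selectors as listed in the second post: site -> peer -> [(local, remote), ...]
P2 = {
    "SiteA": {
        "Cloud": [("10.69.0.0/16", "10.70.0.0/16"), ("10.68.0.0/16", "10.70.0.0/16")],
        "SiteB": [("10.69.0.0/16", "10.68.0.0/16"), ("10.70.0.0/16", "10.68.0.0/16")],
    },
    "SiteB": {"SiteA": [("10.68.0.0/16", "10.69.0.0/16"), ("10.68.0.0/16", "10.70.0.0/16")]},
    "Cloud": {"SiteA": [("10.70.0.0/16", "10.69.0.0/16"), ("10.70.0.0/16", "10.68.0.0/16")]},
}

# Constructed IPsec-tab rule sets (src_net, dst_net); None = ingress filtering not modelled
# (the cloud side is not pfSense). "Before" only passes spoke traffic to Site A's own LAN.
RULES_BEFORE = {
    "SiteA": [("10.68.0.0/16", "10.69.0.0/16"), ("10.70.0.0/16", "10.69.0.0/16")],
    "SiteB": [("0.0.0.0/0", "10.68.0.0/16")],
    "Cloud": None,
}
# "After" adds the transit rules the hub needs in both directions.
RULES_AFTER = dict(RULES_BEFORE, SiteA=RULES_BEFORE["SiteA"]
                   + [("10.68.0.0/16", "10.70.0.0/16"), ("10.70.0.0/16", "10.68.0.0/16")])

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def has_p2(site, peer, local, remote):
    """True if `site` has a P2 on its tunnel to `peer` whose selectors cover local/remote."""
    return any(in_net(local, l) and in_net(remote, r) for l, r in P2[site].get(peer, []))

def check_path(path, src, dst, ipsec_rules):
    """Walk flow src->dst along `path` and return the problems found ([] = should pass).
    A hop needs a P2 entering from the previous site (local=dst, remote=src), a P2 leaving
    to the next site (local=src, remote=dst) and, where modelled, an IPsec-tab rule."""
    problems = []
    for i, site in enumerate(path):
        if i > 0:  # traffic arrived here over the tunnel from the previous hop
            prev = path[i - 1]
            if not has_p2(site, prev, dst, src):
                problems.append(f"{site}: no P2 to {prev} covering local {dst} / remote {src}")
            rules = ipsec_rules.get(site)
            if rules is not None and not any(in_net(src, s) and in_net(dst, d) for s, d in rules):
                problems.append(f"{site}: no IPsec-tab rule passing {src} -> {dst}")
        if i < len(path) - 1:  # traffic leaves here over the tunnel to the next hop
            nxt = path[i + 1]
            if not has_p2(site, nxt, src, dst):
                problems.append(f"{site}: no P2 to {nxt} covering local {src} / remote {dst}")
    return problems

if __name__ == "__main__":
    for rules in (RULES_BEFORE, RULES_AFTER):
        print(check_path(["SiteB", "SiteA", "Cloud"], "10.68.1.10", "10.70.1.10", rules))
```

With RULES_BEFORE the only finding is the missing rule on Site A, matching the thread's resolution; run the return path (["Cloud", "SiteA", "SiteB"]) to confirm the hub needs the rule in both directions.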
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.