IPSec on three sites with intermediate tunnel
-
Hi folks:
I've three networks configured on three remote sites defined as:
Site A: 10.69.0.0/16 (pfsense)
Site B: 10.68.0.0/16 (pfsense)
Cloud: 10.70.0.0/16
I've configured the IPSec IKEv2 tunnels below (all route based):
Site A <---ipsec ---> Site B
Site A <---ipsec ---> Cloud
As Site B does not have a public IP address, I cannot set up a tunnel between Cloud and Site B, because the cloud provider doesn't allow me to set 0.0.0.0/0 as the remote peer address.
What I'm trying to do is route all the traffic using Site A as an intermediate tunnel, to reach Cloud from Site B and Site B from Cloud.
Cloud <--- Site A ----> Site B
I've tried lots of things, such as creating additional phase 2 connections on all three sides, without success, so I suppose there's something I'm missing.
I would really appreciate it if somebody could give me any ideas.
Thanks in advance.
-
My first idea was:
On site A:
Phase 1 between Cloud <--> Site A
Phase 2a: local network 10.69.0.0/16 | remote network 10.70.0.0/16
Phase 2b: local network 10.68.0.0/16 | remote network 10.70.0.0/16
Phase 1 between Site A <--> Site B
Phase 2a: local network 10.69.0.0/16 | remote network 10.68.0.0/16
Phase 2b: local network 10.70.0.0/16 | remote network 10.68.0.0/16
On site B:
Phase 1 between Site B <--> Site A
Phase 2a: local network 10.68.0.0/16 | remote network 10.69.0.0/16
Phase 2b: local network 10.68.0.0/16 | remote network 10.70.0.0/16
On Cloud:
Phase 1 between Site A <--> Cloud
Phase 2a: local network: 10.70.0.0/16 | remote network 10.69.0.0/16
Phase 2b: local network 10.70.0.0/16 | remote network 10.68.0.0/16
As I mentioned in my previous post, that configuration was not working, but I'm not sure what the reason is; maybe this concept is wrong, or maybe I'm missing some config (such as routes, gateways, firewall rules, etc.).
Notice that, except for Site B <--> Cloud, all other connections are working.
At this point I'll really appreciate any help :)
Thanks again -
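As an added example (not from the thread and not pfSense code), a small Python checker that models the phase 2 selectors posted above together with assumed per-site rules on the IPsec tab, and reports what stops a hop-through flow in either direction; the site names, the (src, dst) rule format and the helper names are my assumptions.

```python
from ipaddress import ip_network

# Phase 2 selectors as posted in the thread (route-based IKEv2 tunnels).
# Each tunnel: (end_x, end_y, (local, remote) pairs as seen from end_x);
# the mirror image is assumed to be configured at end_y.
TUNNELS = [
    ("Cloud", "A", [("10.70.0.0/16", "10.69.0.0/16"),
                    ("10.70.0.0/16", "10.68.0.0/16")]),
    ("A", "B", [("10.69.0.0/16", "10.68.0.0/16"),
                ("10.70.0.0/16", "10.68.0.0/16")]),
]

# Pass rules on each site's IPsec tab as (src, dst) prefixes; "any" is a
# wildcard. Constructed to mirror the thread: Site A starts with no rules.
IPSEC_RULES = {"A": [], "B": [("any", "any")], "Cloud": [("any", "any")]}


def _covers(prefix, net):
    return prefix == "any" or ip_network(net).subnet_of(ip_network(prefix))


def _phase2(frm, to):
    """(local, remote) pairs of the frm<->to tunnel, oriented from frm."""
    for x, y, pairs in TUNNELS:
        if (x, y) == (frm, to):
            return pairs
        if (y, x) == (frm, to):
            return [(r, l) for l, r in pairs]
    return []


def check_path(path, src_net, dst_net, rules=IPSEC_RULES):
    """List what blocks src_net -> dst_net along path, and the return flow.

    Each hop needs a phase 2 selector matching the flow in that direction,
    and each site where the flow arrives over IPsec needs a pass rule on
    its IPsec tab; transit sites (Site A here) are easy to forget.
    """
    problems = []
    for p, s, d in ((path, src_net, dst_net), (path[::-1], dst_net, src_net)):
        for hop_src, hop_dst in zip(p, p[1:]):
            if not any(_covers(l, s) and _covers(r, d)
                       for l, r in _phase2(hop_src, hop_dst)):
                problems.append(f"{hop_src}->{hop_dst}: no phase 2 for {s} -> {d}")
        for site in p[1:]:
            if not any(_covers(a, s) and _covers(b, d)
                       for a, b in rules.get(site, [])):
                problems.append(f"{site}: IPsec tab blocks {s} -> {d}")
    return problems
```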
@lperez
It should work with these settings though.
The routing is done by IPSec. You only need proper firewall rules on the IPSec tab to allow the traffic. -
@viragomann++ Thanks for your reply.
You were right, I was missing firewall rules on Site A (intermediate hop).
Now I've the hop tunnel working.
Thanks again.