IPSec VTI Transit P2 Transit Network
-
Thought experiment, can these be anything other than a /29 network? Can I use, say, a /28 or /27 subnet for this transit network so that my multiple sites are all on the same transit network and I don't have to keep track of which P2 in my hub site is in which transit network for which P2 for the spoke site.
-
@jlw52761 Good question. I was going to post something similar to this earlier just never did. Documentation is confusing.
When setting up the VTI addresses you can use Local Network 'Network' or 'Address'. If I use Network and submit a /30 then it works. Use 'Address' then it works. So not really sure if it matters all that much. To your point, I think each IPsec tunnel is Point2Point - Hub and Spoke would be the only logical topology that could be created short of a DMVPN type, which isn't supported as far as I know on pfSense.
-
@michmoor DMVPN would be nice, save me from creating multiple P2's at every site, but I'm ok with doing Hub and Spoke instead of a full MESH.
The reason for asking is that I have three sites, one site with two HA firewalls, so in my Hub site, which has one firewall, I have to have this confusing mapping of P2 addresses for my Hub firewall, and trying to remember which one belongs to which /30 gets very confusing at times and has led to issues. So, having my firewall as 192.168.0.1/28, then each of the firewalls could have the next IP in line and all reference 192.168.0.1 as the remote in the P2 is nice, or should I just set all P2's to use the remote network of 192.168.0.0/28 and then just the local Address being 192.168.0.1/28, 192.168.0.2/28, etc. This sounds like it would be close to DMVPN, so probably won't work, but I can test.
-
@jlw52761 Please test. I'm curious if this is possible.
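The bookkeeping problem raised in the thread (which /30 belongs to which P2, and which address each side types in) is easy to script. The following Python is an added example, not code from the thread or from pfSense: it lays out the same hub-and-spoke topology both ways, the conventional one /30 per P2 and the proposed single shared /28, and then checks each plan for the mistakes that typically creep in by hand (an address outside its transit subnet, a spoke address used twice, two P2s with partially overlapping transit subnets). The site names and the 192.168.0.0/28 block are constructed sample values; whether pfSense actually brings up VTI P2s on a shared /28 is the open question the thread leaves to testing, and this script makes no claim about that.

```python
import ipaddress

# Constructed sample topology (not from the thread): one hub firewall and four
# spoke-side firewalls; site B is an HA pair, so it needs two P2s to the hub.
HUB_TRANSIT = ipaddress.ip_network("192.168.0.0/28")
SPOKES = ["siteA-fw1", "siteB-fw1", "siteB-fw2", "siteC-fw1"]  # hypothetical names


def plan_per_p2_slash30(base, spokes):
    """Conventional layout: carve one /30 per P2 out of `base`.
    The hub takes the first usable host of each /30, the spoke the second."""
    subnets = list(base.subnets(new_prefix=30))
    if len(spokes) > len(subnets):
        raise ValueError(f"{base} only holds {len(subnets)} /30 transits")
    plan = {}
    for sub, spoke in zip(subnets, spokes):
        hub_addr, spoke_addr = list(sub.hosts())  # a /30 has exactly two hosts
        plan[spoke] = {"transit": sub, "hub_local": hub_addr, "spoke_local": spoke_addr}
    return plan


def plan_shared_slash28(base, spokes):
    """Layout proposed in the thread: every P2 sits on one shared transit
    network; the hub is always the first host and each spoke takes the next one."""
    hosts = list(base.hosts())
    hub_addr, spoke_hosts = hosts[0], hosts[1:]
    if len(spokes) > len(spoke_hosts):
        raise ValueError(f"{base} only has {len(spoke_hosts)} addresses for spokes")
    return {
        spoke: {"transit": base, "hub_local": hub_addr, "spoke_local": addr}
        for spoke, addr in zip(spokes, spoke_hosts)
    }


def check_plan(plan):
    """Return a list of problems: an address outside its transit network, a spoke
    address used twice, or two P2s whose transit subnets partially overlap."""
    problems = []
    seen = {}
    for spoke, p in plan.items():
        for role in ("hub_local", "spoke_local"):
            if p[role] not in p["transit"]:
                problems.append(f"{spoke}: {role} {p[role]} is not inside {p['transit']}")
        addr = p["spoke_local"]
        if addr in seen:
            problems.append(f"{spoke}: spoke address {addr} already used by {seen[addr]}")
        seen[addr] = spoke
    nets = [(spoke, p["transit"]) for spoke, p in plan.items()]
    for i, (s1, n1) in enumerate(nets):
        for s2, n2 in nets[i + 1:]:
            # An identical transit (the shared /28 layout) is intended;
            # a partial overlap between two different transits is a mistake.
            if n1 != n2 and n1.overlaps(n2):
                problems.append(f"{s1} {n1} overlaps {s2} {n2}")
    return problems


def render(plan, label):
    """Print the per-P2 settings each side would be configured with."""
    print(label)
    for spoke, p in plan.items():
        print(f"  {spoke:10s} transit={p['transit']}  hub local={p['hub_local']}  "
              f"spoke local={p['spoke_local']}  spoke remote={p['hub_local']}")


if __name__ == "__main__":
    for label, plan in (("per-P2 /30", plan_per_p2_slash30(HUB_TRANSIT, SPOKES)),
                        ("shared /28", plan_shared_slash28(HUB_TRANSIT, SPOKES))):
        render(plan, label)
        print("  problems:", check_plan(plan) or "none")
```

Run it stand-alone and it prints both address tables; feed `check_plan()` a hand-edited plan (for instance a spoke address copied onto the wrong P2) and it names the exact entry that is wrong, which is the kind of error the thread describes tracking down by memory.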