Netgate Discussion Forum

    IPSec Phase 2 Allowing Wrong Subnets?

    IPsec · 1 post · 413 views

    planedrop:

      I think the best way to explain this is to say exactly what happened, as I feel I'm misunderstanding something about how Phase 2 is set up.

      Site to Site VPN
      Phase 2 entries for Site A:
      192.168.10.0/24 to 192.168.20.0/24 and 192.168.25.0/24
      192.168.100.0/24 to 192.168.20.0/24

      Site B:
      192.168.20.0/24 to 192.168.10.0/24
      192.168.25.0/24 to 192.168.10.0/24 and 192.168.100.0/24

      Now, what I'm confused about here is that I made a mistake, but things still worked when they should not have. With this config I was somehow able to access the 192.168.25.0/24 network FROM the 192.168.100.0/24 network; in theory this should not have been possible. I accidentally typed in the wrong subnet when setting this up; the firewall rules are correct on both sides.

      But with this config, pfSense never should have known to route the 192.168.100.0/24 network's traffic over to 192.168.25.0/24 on the other site; there was never a Phase 2 made for that.

      Is it combining Phase 2s? And if so, is that standard practice? It seems very odd to me. What am I misunderstanding?

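As an added illustration (this is not code from the post, from Netgate, or from pfSense), the following Python model computes which kernel security policies would exist for the Phase 2 entries quoted above under two competing derivations: one policy per entry exactly as typed ("split"), versus all entries of the Phase 1 merged into a single Child SA whose local and remote traffic selectors the kernel then installs as a cross product ("merged"). The cross-product rule is an assumption chosen to test against the symptom in the post, not a statement about what pfSense does for a given IKE version or setting; the sample packet 192.168.100.5 -> 192.168.25.10 is constructed. The script also reports which pairs exist only because of merging and which pairs one site configures that the other does not mirror, which is how the mistyped subnet shows up.

```python
import ipaddress
from itertools import product

# Phase 2 entries as listed in the post: (local subnet, [remote subnets]).
SITE_A_P2 = [
    ("192.168.10.0/24", ["192.168.20.0/24", "192.168.25.0/24"]),
    ("192.168.100.0/24", ["192.168.20.0/24"]),
]
SITE_B_P2 = [
    ("192.168.20.0/24", ["192.168.10.0/24"]),
    ("192.168.25.0/24", ["192.168.10.0/24", "192.168.100.0/24"]),
]


def _net(cidr):
    # strict=True rejects host bits set in the prefix, e.g. a typo like 192.168.25.5/24
    return ipaddress.ip_network(cidr, strict=True)


def policies_split(entries):
    """Assumed 'split' model: one Child SA per P2 entry, so only the typed
    (local, remote) pairs become policies. Returned as normalized CIDR strings."""
    return {(str(_net(l)), str(_net(r))) for l, remotes in entries for r in remotes}


def policies_merged(entries):
    """Assumed 'merged' model: every P2 of the tunnel lands in one Child SA and
    the kernel installs a policy for each local TS x remote TS combination."""
    locals_ = {str(_net(l)) for l, _ in entries}
    remotes = {str(_net(r)) for _, rs in entries for r in rs}
    return set(product(locals_, remotes))


def matches(policies, src, dst):
    """True if a packet src -> dst would be caught by some (local, remote) policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _net(l) and d in _net(r) for l, r in policies)


def unexpected_pairs(entries):
    """Pairs that nobody typed and that exist only because of merging."""
    return policies_merged(entries) - policies_split(entries)


def one_way_pairs(a_entries, b_entries, derive):
    """Compare the two sides under the same derivation. Site B's pairs are
    mirrored (remote, local) so both sets are expressed from Site A's view.
    Returns (configured on A but not on B, configured on B but not on A)."""
    a = derive(a_entries)
    b = {(r, l) for l, r in derive(b_entries)}
    return a - b, b - a


if __name__ == "__main__":
    pkt = ("192.168.100.5", "192.168.25.10")  # constructed sample flow
    for name, derive in (("split", policies_split), ("merged", policies_merged)):
        print(f"{name:7} Site A permits {pkt[0]} -> {pkt[1]}:",
              matches(derive(SITE_A_P2), *pkt))
        only_a, only_b = one_way_pairs(SITE_A_P2, SITE_B_P2, derive)
        print(f"{name:7} only on A: {sorted(only_a)}  only on B: {sorted(only_b)}")
    print("pairs Site A never typed but merged model adds:", sorted(unexpected_pairs(SITE_A_P2)))
    print("pairs Site B never typed but merged model adds:", sorted(unexpected_pairs(SITE_B_P2)))
```

Under the split model the sample flow is blocked and the two sides disagree on exactly one pair each (A has 192.168.100.0/24 to 192.168.20.0/24, B has the mirror of 192.168.100.0/24 to 192.168.25.0/24), which is the typo; under the merged model the flow is permitted and the sides happen to agree, because the cross product fills in both missing pairs. Whichever model applies, the authoritative check is the installed SPD on the firewall itself, visible in pfSense under Status > IPsec > SPDs or from a shell with `setkey -DP`; if a policy for 192.168.100.0/24 to 192.168.25.0/24 is listed, the traffic is being matched by an installed policy rather than leaking around IPsec.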
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.