Netgate Discussion Forum
IPSec Phase 2 Allowing Wrong Subnets?

    planedrop
    last edited by Jan 14, 2023, 4:59 AM

    I think the best way to explain this is to say exactly what happened, as I feel I'm misunderstanding something about how Phase 2 is set up.

    Site to Site VPN
    Phase 2 entries for Site A:
    192.168.10.0/24 to 192.168.20.0/24 and 192.168.25.0/24
    192.168.100.0/24 to 192.168.20.0/24

    Site B:
    192.168.20.0/24 to 192.168.10.0/24
    192.168.25.0/24 to 192.168.10.0/24 and 192.168.100.0/24

    Now what I'm confused about here is that I made a mistake, but things still worked when they should not have. With this config I was somehow able to access the 192.168.25.0/24 network FROM the 192.168.100.0/24 network; in theory, this should not have been possible. I accidentally typed in the wrong subnet when setting this up; the firewall rules are correct on both sides.

    But with this config, pfSense never should have known to route the 192.168.100.0/24 network's traffic over to 192.168.25.0/24 on the other site; there was never a Phase 2 made for that.

    Is it combining Phase 2s? And if so, is that standard practice? Seems very odd to me. What am I misunderstanding?

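An added example (not from the post or from pfSense) that audits the Phase 2 selectors described above: it checks which source/destination flow each side would actually put into the tunnel and lists selectors that have no mirrored entry on the peer. It assumes each "local to remote" statement in the post is one (local, remote) Phase 2 pair, and the site tables below are constructed from the post's subnets.

```python
"""Audit IPsec Phase 2 traffic selectors for a site-to-site tunnel."""
from ipaddress import ip_address, ip_network

# Phase 2 entries as (local network, remote network) pairs, one per
# pfSense Phase 2 entry (assumption), constructed from the post.
SITE_A = [
    ("192.168.10.0/24", "192.168.20.0/24"),
    ("192.168.10.0/24", "192.168.25.0/24"),
    ("192.168.100.0/24", "192.168.20.0/24"),
]
SITE_B = [
    ("192.168.20.0/24", "192.168.10.0/24"),
    ("192.168.25.0/24", "192.168.10.0/24"),
    ("192.168.25.0/24", "192.168.100.0/24"),
]


def selector_pairs(entries):
    """Normalize entries into a set of (local, remote) network objects."""
    return {(ip_network(l), ip_network(r)) for l, r in entries}


def matching_selector(entries, src, dst):
    """Return the (local, remote) pair covering src -> dst, or None.

    A packet is only sent into the tunnel when some Phase 2 selector
    has src inside its local network and dst inside its remote network.
    """
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in selector_pairs(entries):
        if src in local and dst in remote:
            return (str(local), str(remote))
    return None


def asymmetric_selectors(site_a, site_b):
    """List selectors on one side that the peer does not mirror.

    Every (local, remote) on A should appear as (remote, local) on B;
    anything left over is a misconfiguration worth investigating.
    """
    a = selector_pairs(site_a)
    b_mirrored = {(r, l) for l, r in selector_pairs(site_b)}
    only_a = sorted(f"A: {l} -> {r}" for l, r in a - b_mirrored)
    # Elements of b_mirrored are (B.remote, B.local); print B's own order.
    only_b = sorted(f"B: {y} -> {x}" for x, y in b_mirrored - a)
    return only_a + only_b


if __name__ == "__main__":
    for line in asymmetric_selectors(SITE_A, SITE_B):
        print("unmirrored selector", line)
```

Run against the post's configuration it reports two unmirrored selectors, the typo on Site B and the entry on Site A it should have mirrored, which is the first thing to reconcile before reasoning about what traffic the tunnel carries.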