IPSec Phase 2 Allowing Wrong Subnets?
I think the best way to explain this is to say exactly what happened, as I feel I'm misunderstanding something about how Phase 2 is set up.
Site to Site VPN
Phase 2 entries for Site A:
192.168.10.0/24 to 192.168.20.0/24 and 192.168.25.0/24
192.168.100.0/24 to 192.168.20.0/24

Site B:
192.168.20.0/24 to 192.168.10.0/24
192.168.25.0/24 to 192.168.10.0/24 and 192.168.100.0/24

Now what I'm confused about here is that I made a mistake, but things still worked when they should not have. With this config I was somehow able to access the 192.168.25.0/24 network FROM the 192.168.100.0/24 network. In theory this should not have been possible. I accidentally typed in the wrong subnet when setting this up; the firewall rules are correct on both sides.
But with this config, pfSense never should have known to route the 192.168.100.0/24 network's traffic over to 192.168.25.0/24 on the other site; there was never a Phase 2 made for that.
Is it combining Phase 2s? And if so, is that standard practice? Seems very odd to me. What am I misunderstanding?
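As an added audit check (not part of the original post or pfSense's own code), the script below re-encodes the Phase 2 entries listed above, assuming each "X to Y" is one (local, remote) selector pair, and reports flows that one side's selectors cover but the other side's do not. It shows that the 192.168.100.0/24 <-> 192.168.25.0/24 pair exists only in Site B's list, which is the mismatch to look at before wondering whether Phase 2s are being combined.

```python
import ipaddress

# Phase 2 selectors exactly as posted, expanded to one (local, remote) pair per entry.
SITE_A_P2 = [
    ("192.168.10.0/24", "192.168.20.0/24"),
    ("192.168.10.0/24", "192.168.25.0/24"),
    ("192.168.100.0/24", "192.168.20.0/24"),
]
SITE_B_P2 = [
    ("192.168.20.0/24", "192.168.10.0/24"),
    ("192.168.25.0/24", "192.168.10.0/24"),
    ("192.168.25.0/24", "192.168.100.0/24"),
]


def _pairs(entries):
    """Parse (local, remote) strings into a set of ip_network pairs."""
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in entries}


def asymmetric_pairs(site_a=SITE_A_P2, site_b=SITE_B_P2):
    """Return (only_on_a, only_on_b): selector pairs, written as (A-side net, B-side net),
    that one site defines without a mirrored entry on the other site."""
    a = _pairs(site_a)
    b_mirrored = {(r, l) for l, r in _pairs(site_b)}  # flip B's view into A's orientation
    only_a = sorted((str(l), str(r)) for l, r in a - b_mirrored)
    only_b = sorted((str(l), str(r)) for l, r in b_mirrored - a)
    return only_a, only_b


def flow_coverage(src, dst, site_a=SITE_A_P2, site_b=SITE_B_P2):
    """For a host src behind Site A talking to host dst behind Site B, report whether
    each side has a Phase 2 selector covering the flow. A healthy tunnel is symmetric."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    at_a = any(s in l and d in r for l, r in _pairs(site_a))   # A: local=src, remote=dst
    at_b = any(d in l and s in r for l, r in _pairs(site_b))   # B: local=dst, remote=src
    return {"site_a": at_a, "site_b": at_b, "symmetric": at_a == at_b}


if __name__ == "__main__":
    only_a, only_b = asymmetric_pairs()
    print("Only on Site A:", only_a)
    print("Only on Site B:", only_b)
    # Constructed sample hosts for the flow the post describes (100.x -> 25.x).
    print(flow_coverage("192.168.100.5", "192.168.25.7"))
```

Running it lists 192.168.100.0/24 to 192.168.25.0/24 as present only on Site B, so the flow in question is covered by one peer's selectors but not the other's.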