Netgate Discussion Forum

How to route traffic to specific subnet via ipsec?

realtebo, Apr 21, 2023, 9:56 AM (last edited by realtebo Apr 21, 2023, 9:57 AM)

    We established a phase 1 + phase 2 IPsec with a customer.
    The customer's IT service guaranteed us that communication is established, both on phase 1 and phase 2.

    This is the 'physical' network interface assignment:

    • WAN – vtnet0 - public ip
    • LANCERT - vtnet1 - 1912.168.20.3/24
    • LANPROD - vtnet2 - 1912.168.30.3/24

    Customer's target subnet is 10.68.245.200/29
    Customer also asked us to present ourselves using an IP in 10.68.245.199/29

    Actually, from the pfSense shell we cannot ping 10.68.245.201, and the customer's IT service guaranteed it's not blocking the IP until all configuration is ok.

    The customer's IT service cannot see our ping at all, so I think I must ask pfSense to route traffic to 10.68.245.200 via IPsec.

    The first problem is I cannot see IPsec as a gateway when trying to create a static route.
    Also, I cannot create a new gateway to use the IPsec tunnel, because IPsec itself is not listed in the interface list.

    I am missing something of course, because of lack of experience in this field... sorry. Be patient with me because I'm a programmer, not a network <something> guy. Sorry

    So, one step at a time.
    First, the narrowed question is: how to route traffic from any hosts to 10.68.245.200/29 using IPsec?

      viragomann @realtebo, Apr 21, 2023, 11:17 AM

      @realtebo said in How to route traffic to specific subnet via ipsec?:

      LANCERT - vtnet1 - 1912.168.20.3/24
      LANPROD - vtnet2 - 1912.168.30.3/24
      Customer also asked us to present ourselves using an IP in 10.68.245.199/29
      First, narrowed question is: how to route traffic from any hosts to 10.68.245.200/29 using ipsec?

      This is done in the phase 2.
      Which subnet do you need to connect with the remote site?

      E.g. for the LANCERT (192.168.20.0/24), state these network settings:
      Local Network: LANCERT subnet
      NAT/BINAT translation: Address > 10.68.245.199
      Remote Network: Network > 10.68.245.200/29

      This translates all requests from your site to 10.68.245.199. But access from the remote site to you is not possible, since your site is represented by a single IP. So I assume this is not needed.

      "10.68.245.199/29" is a wrong statement. This is a broadcast address. If you want to state a network on your site you would have to use a network address.

      If you also need to connect LANPROD to the remote site, enter a second phase 2 or simply enlarge the local network in the existing p2 to a 192.168.16.0/20.

        realtebo @viragomann, Apr 21, 2023, 11:56 AM

        @viragomann said in How to route traffic to specific subnet via ipsec?:

        "10.68.245.199/29" is a wrong statement

        Right! Our assigned network is 10.68.245.192/29. Sorry for the typo.

        Both LANs should be able to reach the customer's endpoint (to make API calls).
        Our web services are publicly accessible, so no problem about this.
        I'll try to change the phase 2 configuration and I will tell you the outcome.

        Thanks for now!

          realtebo @realtebo, Apr 21, 2023, 12:08 PM (last edited by realtebo Apr 21, 2023, 12:11 PM)

          @realtebo Sorry to disturb you again

          Could you do another test before this?

          Because 4 VPS in the 2 LANs need to be instructed to route traffic to pfSense before they can work, I would like pfSense itself to be able to communicate with the remote LAN.

          I tried to NAT the WAN public IP to the first IP of our assigned network.

          I no longer see the phase 2 as "installed"; it's disconnected. Why, with this config, is phase 2 not accepted?

            viragomann @realtebo, Apr 21, 2023, 12:18 PM

            @realtebo said in How to route traffic to specific subnet via ipsec?:

            Because 4 vps in the 2 lans needs to be instructed to route traffic to pfsense before they can work

            Don't they have IP addresses within your LANs?

              realtebo @viragomann, Apr 21, 2023, 12:27 PM (last edited by realtebo Apr 21, 2023, 1:16 PM)

              @viragomann

              pfSense has 3 network interfaces:

              WAN: public IP address
              LANPROD has a 192.168.100.0/24 address (exactly 192.168.100.3)
              LANCERT has a 192.168.200.0/24 address (exactly 192.168.200.3)

              I am trying to assign a virtual IP to the WAN card, but I don't know how to tell pfSense to use this when presenting to the customer network... and I am thinking I am not routing packets at all through IPsec.

                viragomann @realtebo, Apr 21, 2023, 1:01 PM

                @realtebo
                It's not really clear to me what you are trying to achieve. Do you want incoming traffic on WAN to go to the remote site??

                WAN 127.0.0.1 "and" public ip address

                127.0.0.1 is the loopback address. You cannot assign this to another interface.

                  realtebo @viragomann, Apr 21, 2023, 1:13 PM (last edited by realtebo Apr 21, 2023, 1:14 PM)

                  @viragomann said in How to route traffic to specific subnet via ipsec?:

                  Do you want incoming traffic on WAN to the remote site??

                  I enter the shell of pfSense.
                  I need to be able to ping 10.68.245.201.
                  Traffic to 10.68.245.200/29 must be sent via IPsec.
                  The server must present itself with an address from 10.68.245.192/29.

                    viragomann @realtebo, Apr 21, 2023, 1:53 PM

                    @realtebo
                    This should work anyway. It only needs a properly configured p2 with a local subnet which includes an interface IP of pfSense.
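
                    The two configuration points made in this thread (viragomann's phase 2 recipe of Local Network / NAT-BINAT address / Remote Network, the broadcast-versus-network-address mistake in "10.68.245.199/29", and the final remark that the P2 local subnet must include a pfSense interface IP before a ping from the shell can enter the tunnel) can be checked offline before touching the GUI. The script below is an added example written for this page; it is not code from the forum, from pfSense or from Netgate. It assumes the addresses quoted in the thread (LANs 192.168.20.0/24 and 192.168.30.0/24 with pfSense at .3, customer subnet 10.68.245.200/29, assigned pool 10.68.245.192/29) and picks 10.68.245.193 as an illustrative BINAT address; it relies only on Python's standard ipaddress module.

```python
"""Sanity-check pfSense IPsec phase 2 (traffic selector) settings.

Added example for this thread, not code from pfSense or the forum.
All addresses are the ones quoted in the thread; 10.68.245.193 as the
BINAT address is an assumption made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional


@dataclass
class Phase2:
    local_network: str                   # "Local Network" field of the P2 form
    remote_network: str                  # "Remote Network" field
    binat_address: Optional[str] = None  # "NAT/BINAT translation" > Address, if used


def parse_network(cidr: str) -> IPv4Network:
    """Parse a CIDR that must be a proper network address.

    A host or broadcast address written with a prefix (the
    '10.68.245.199/29' mistake) is rejected with a message naming the
    real network, which is what belongs in the P2 form.
    """
    try:
        return ip_network(cidr, strict=True)
    except ValueError:
        net = ip_network(cidr, strict=False)
        addr = IPv4Address(cidr.split("/")[0])
        kind = "broadcast" if addr == net.broadcast_address else "host"
        raise ValueError(f"{cidr} is a {kind} address; the network is {net.with_prefixlen}")


def check_phase2(p2: Phase2, interface_ips: List[str], assigned_pool: str) -> List[str]:
    """Return the problems found; an empty list means the P2 looks consistent."""
    problems: List[str] = []
    try:
        local = parse_network(p2.local_network)
        remote = parse_network(p2.remote_network)
    except ValueError as err:
        return [str(err)]
    pool = ip_network(assigned_pool)

    # Packets only enter the tunnel when source and destination match the
    # selector. A ping from the pfSense shell is sourced from an interface
    # IP, so the local network must contain at least one of them.
    if not any(IPv4Address(ip) in local for ip in interface_ips):
        problems.append(
            f"local network {local} contains no pfSense interface IP; "
            "traffic from the pfSense shell will not match this P2")

    if p2.binat_address is not None:
        binat = IPv4Address(p2.binat_address)
        if binat not in pool:
            problems.append(f"BINAT address {binat} is outside the assigned {pool}")
        elif binat in (pool.network_address, pool.broadcast_address):
            problems.append(
                f"BINAT address {binat} is the network or broadcast address "
                f"of {pool}; pick a host address instead")
        # Note: with a single translated address only flows from our side
        # to the remote site work, as the answer above points out.

    if local.overlaps(remote):
        problems.append(f"local {local} and remote {remote} overlap")
    return problems


def covers_all(local_network: str, lans: List[str]) -> bool:
    """True if one P2 local network covers every LAN (the '/20' shortcut)."""
    net = ip_network(local_network)
    return all(ip_network(lan).subnet_of(net) for lan in lans)


if __name__ == "__main__":
    # Constructed inputs: interface IPs and subnets quoted in the thread.
    pfsense_ips = ["192.168.20.3", "192.168.30.3"]
    pool = "10.68.245.192/29"
    candidates = {
        "as suggested": Phase2("192.168.20.0/24", "10.68.245.200/29", "10.68.245.193"),
        "broadcast as local": Phase2("10.68.245.199/29", "10.68.245.200/29"),
        "LAN without pfSense IP": Phase2("192.168.100.0/24", "10.68.245.200/29"),
    }
    for label, p2 in candidates.items():
        print(f"{label}: {check_phase2(p2, pfsense_ips, pool) or 'ok'}")
    print("192.168.16.0/20 covers both LANs:",
          covers_all("192.168.16.0/20", ["192.168.20.0/24", "192.168.30.0/24"]))
```

Run it as a script to see each candidate judged; the "broadcast as local" case reproduces the mistake called out in the thread and reports 10.68.245.192/29 as the address to use, while the "LAN without pfSense IP" case shows why a ping from the pfSense shell never reaches the tunnel when the selector does not include an interface address.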

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.