Route traffic through a site-to-site IPsec
-
@albertcd
I guess it's a policy-based IPsec. If so, your only option is to route the whole upstream traffic from B to A.
It's not possible to route certain destinations with that. This would work with VTI IPsec, OpenVPN or WireGuard, however.
-
@viragomann
Thank you, viragomann.
Then the options can be:
- Add 0.0.0.0/0 in phase 2?
- Can I add 7 phase 2 entries and in Remote IP put the public IP address I want to reach?
Is it correct?
Thank you -
@albertcd said in Route traffic through a site-to-site IPsec:
Add 0.0.0.0/0 in phase 2?
Can I add 7 phase 2 entries and in Remote IP put the public IP address I want to reach?
Yes, both are possible, provided it is accepted by the remote site.
It should be sufficient to have only a single phase 2 there with 0.0.0.0/0 as the local network. But this depends on the IPsec implementation of the particular device. Some insist on equal phase 2 entries on both sites. -
@viragomann
If I put 0.0.0.0/0 in Phase 2, can I set a rule to pass only the IP addresses I want through the tunnel?
Thank you -
@albertcd
No, if you set 0.0.0.0/0 at site B, all traffic is routed over the VPN. If you only pass certain destination IPs, the rest is blocked. -
@viragomann
Then I think the best solution is to create 7 phase 2 entries, for example:
Phase 2 for local subnet:
Local: 192.168.50.0/24
Remote: 192.168.100.0/24
Phase 2 for public IP address (one phase 2 for each IP address):
Local: 192.168.50.0/24
Remote: 80.80.80.80/32
Is it correct?
-
@albertcd
Yes, but as I said, site A has to accept all settings. This means you either have to create all phase 2 entries on A as well or change the local network in the existing one to 0.0.0.0/0 and see if it works. -
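As an added illustration (not code from this thread, from pfSense or from any vendor), the following Python models what the two replies above describe: with policy-based IPsec a packet is tunneled only if it matches a phase 2 selector pair, so a single 0.0.0.0/0 remote selector sends everything through the tunnel while per-host /32 entries send only those destinations, and the peer must accept each entry. The "lenient" versus "strict" peer behaviour is an assumption used to model the thread's remark that some devices insist on identical phase 2 entries; the selector sets and addresses are the constructed values from the thread.

```python
import ipaddress
from typing import List, Tuple

# A policy-based phase 2 entry is a pair of traffic selectors: (local network, remote network).
Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def p2(local: str, remote: str) -> Selector:
    """Build one phase 2 entry from two CIDR strings."""
    return (ipaddress.ip_network(local), ipaddress.ip_network(remote))


# Site B as proposed in the thread: one phase 2 for the remote LAN plus one /32 per public host.
SITE_B_PER_HOST: List[Selector] = [
    p2("192.168.50.0/24", "192.168.100.0/24"),
    p2("192.168.50.0/24", "80.80.80.80/32"),
]
# Site B with a single 0.0.0.0/0 remote selector: everything is sent through the tunnel.
SITE_B_ALL: List[Selector] = [p2("192.168.50.0/24", "0.0.0.0/0")]
# Site A with its local network widened to 0.0.0.0/0 (mirror of B's point of view).
SITE_A_WIDE: List[Selector] = [p2("0.0.0.0/0", "192.168.50.0/24")]
# Site A with only the original LAN-to-LAN entry.
SITE_A_LAN_ONLY: List[Selector] = [p2("192.168.100.0/24", "192.168.50.0/24")]


def tunnel_decision(selectors: List[Selector], src: str, dst: str) -> str:
    """Return 'tunnel' if a packet src->dst matches any phase 2 selector pair, else 'clear'.

    With policy-based IPsec there is no routing table to consult for the VPN:
    the selector match alone decides, which is why a destination-based rule
    cannot carve exceptions out of a 0.0.0.0/0 entry.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return "tunnel"
    return "clear"


def unaccepted_by_peer(initiator: List[Selector], responder: List[Selector],
                       strict: bool = False) -> List[Tuple[str, str]]:
    """List the initiator's phase 2 entries that the responder would not accept.

    The responder sees each pair mirrored (its local network is our remote).
    Assumed model: a lenient peer accepts an entry that fits inside one of its
    own pairs; a strict peer requires an exact mirror image.
    """
    rejected = []
    for local, remote in initiator:
        if strict:
            ok = any(local == r_remote and remote == r_local
                     for r_local, r_remote in responder)
        else:
            ok = any(local.subnet_of(r_remote) and remote.subnet_of(r_local)
                     for r_local, r_remote in responder)
        if not ok:
            rejected.append((str(local), str(remote)))
    return rejected


if __name__ == "__main__":
    # Constructed sample: a host on B's LAN talking to three destinations.
    for name, sel in (("per-host", SITE_B_PER_HOST), ("0.0.0.0/0", SITE_B_ALL)):
        for dst in ("192.168.100.50", "80.80.80.80", "8.8.8.8"):
            print(f"{name:9} 192.168.50.10 -> {dst:15} {tunnel_decision(sel, '192.168.50.10', dst)}")
    print("A wide, lenient peer :", unaccepted_by_peer(SITE_B_PER_HOST, SITE_A_WIDE))
    print("A wide, strict peer  :", unaccepted_by_peer(SITE_B_PER_HOST, SITE_A_WIDE, strict=True))
    print("A LAN-only           :", unaccepted_by_peer(SITE_B_PER_HOST, SITE_A_LAN_ONLY))
```

Running it shows the trade-off discussed above: the per-host selector set tunnels 80.80.80.80 but leaves 8.8.8.8 in the clear, the 0.0.0.0/0 set tunnels all three, and the per-host set is only fully accepted by a site A that either mirrors every entry or is lenient about a widened 0.0.0.0/0 local network.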
@viragomann said in Route traffic through a site-to-site IPsec:
Yes, but as I said, site A has to accept all settings. This means you either have to create all phase 2 entries on A as well or change the local network in the existing one to 0.0.0.0/0 and see if it works.
Then, if in site A I change the phase 2 to 0.0.0.0/0 and in site B only create these:
Phase 2 for local subnet:
Local: 192.168.50.0/24
Remote: 192.168.100.0/24
Phase 2 for public IP address (one phase 2 for each IP address):
Local: 192.168.50.0/24
Remote: 80.80.80.80/32
Should it work?
Thank you for your help! -
@albertcd
It depends on the site A router. It would work if it is a pfSense, but certain others require that all phase 2 entries match.
So just try it out. -
@viragomann
It's a Cisco Meraki router at site A!
But I'm thinking now:
The traffic should be routed to 192.168.100.222, not to the gateway 192.168.100.1 (this is the router with the VPN tunnel).
The 100.1 router has static routes to route the specified traffic through 100.222.
Is it the same solution (change phase 2 to 0.0.0.0/24)???
Thanks again