IPsec communication between site A and C through site B (Hub and Spoke)
-
Hey everyone, I need some help with IPsec configuration.
I have the following scenario
Site A - 172.18.0.0/24 Pfsense 2.7.0
Site B - 172.16.0.0/16 Pfsense 2.4.5-Release-p1
site C - 192.168.61.0/24 Pfsense 2.5.0
The configuration and communication between site B to A and B to C are fine, working perfectly.
But now, I need to configure the communication between A to C passing through B.
I already tried a few things such as:

Site A
IPsec AxB
Declared on the phase 2 tunnel the local subnet: 172.18.0.0/24 to remote subnet: 192.168.61.0/24
Add a rule in firewall rules > IPsec allowing source 192.168.61.0/24 to destination 172.18.0.0/24
Add a rule in firewall rules > LAN allowing source 192.168.61.0/24 to destination 172.18.0.0/24 and vice-versa
Add static route in System > Routing > Static Routes from network 192.168.61.0/24 to gateway 172.18.0.1

Site B
IPsec BxA
Declared on the phase 2 tunnel the local subnet: 192.168.61.0/24 to remote subnet: 172.18.0.0/24
IPsec BxC
Declared on the phase 2 tunnel the local subnet: 172.18.0.0/24 to remote subnet: 192.168.61.0/24
Add a rule in firewall rules > IPsec allowing any source to any destination.

Site C
IPsec CxB
Declared on the phase 2 tunnel the local subnet: 192.168.61.0/24 to remote subnet: 172.18.0.0/24
Add a rule in firewall rules > IPsec allowing source 172.18.0.0/24 to destination 192.168.61.0/24
Add a rule in firewall rules > LAN allowing source 172.18.0.0/24 to destination 192.168.61.0/24 and vice-versa
Add static route in System > Routing > Static Routes from network 172.18.0.0/24 to gateway 192.168.61.1

After all this configuration the phase 2 IPsec still does not connect on both sites.
I saw something about one-to-one NAT but I don't know if this is the way to solve this puzzle.
Any ideas will be greatly appreciated.
Warm Regards
-
@filipe_soares Well, it should be possible to get that working, but you may need to enable “split connections” on the phase one settings as your Site B is a VERY VERY old pfSense.
Couple of remarks:
In site A: you only need source 172.18.xxx and dest. 192.168.xxx on LAN - not the vice versa rule (it has no effect)
In site C: Likewise but the other way around

EDIT: You need to remove the static routes - they are both wrong, and also not needed when you are doing policy routing.
Any reason you're not just creating a tunnel directly between site A and C?
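The following is an added example, not code posted by either participant: a small Python consistency check that models the phase 2 selectors and static routes listed in the question and applies the two points raised in the reply. For spoke-to-spoke traffic relayed through the hub, the check requires four phase 2 entries that mirror each other (a spoke's local/remote pair must appear reversed on the hub's entry for the same tunnel), and it flags static routes whose destination is already a remote phase 2 selector on that site, since policy-based IPsec selects that traffic without a route. Site names, subnets and gateways are the ones from the thread; the data model and the checks are this example's own assumptions, not a pfSense API.

```python
"""Added example (not from the thread): a consistency check for the
hub-and-spoke phase 2 selectors and static routes described in the question.
Site, subnet and gateway values are the ones posted; the data model and
the checks are this example's own."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Phase2:
    site: str    # pfSense box that holds this phase 2 entry
    peer: str    # far end of the tunnel the entry belongs to
    local: str   # "Local Network" selector
    remote: str  # "Remote Network" selector


@dataclass(frozen=True)
class StaticRoute:
    site: str
    destination: str
    gateway: str


def posted_config():
    """The phase 2 entries and static routes exactly as listed in the question."""
    p2 = [
        Phase2("A", "B", "172.18.0.0/24", "192.168.61.0/24"),   # IPsec AxB
        Phase2("B", "A", "192.168.61.0/24", "172.18.0.0/24"),   # IPsec BxA
        Phase2("B", "C", "172.18.0.0/24", "192.168.61.0/24"),   # IPsec BxC
        Phase2("C", "B", "192.168.61.0/24", "172.18.0.0/24"),   # IPsec CxB
    ]
    routes = [
        StaticRoute("A", "192.168.61.0/24", "172.18.0.1"),
        StaticRoute("C", "172.18.0.0/24", "192.168.61.1"),
    ]
    return p2, routes


def selectors(p2, site, peer):
    """Set of (local, remote) selector pairs that `site` carries toward `peer`."""
    return {(ip_network(e.local), ip_network(e.remote))
            for e in p2 if e.site == site and e.peer == peer}


def missing_spoke_to_spoke(p2, hub, spoke_a, net_a, spoke_c, net_c):
    """For net_a <-> net_c relayed through the hub, four phase 2 entries must
    exist and mirror each other: a spoke's (local, remote) pair is the hub's
    (remote, local) pair on the same tunnel. Returns the entries that are absent."""
    net_a, net_c = ip_network(net_a), ip_network(net_c)
    required = [
        (spoke_a, hub, net_a, net_c),   # spoke A toward hub
        (hub, spoke_a, net_c, net_a),   # hub toward spoke A (mirror)
        (hub, spoke_c, net_a, net_c),   # hub toward spoke C
        (spoke_c, hub, net_c, net_a),   # spoke C toward hub (mirror)
    ]
    return [f"{site}->{peer}: local {local} remote {remote}"
            for site, peer, local, remote in required
            if (local, remote) not in selectors(p2, site, peer)]


def redundant_static_routes(p2, routes):
    """Static routes whose destination is already a remote phase 2 selector on
    that site. With policy-based IPsec the SPD selects the traffic, so such a
    route is not needed; pointing it at the site's own LAN gateway is wrong."""
    flagged = []
    for r in routes:
        dst = ip_network(r.destination)
        if any(e.site == r.site and ip_network(e.remote) == dst for e in p2):
            flagged.append(f"{r.site}: route {r.destination} via {r.gateway}")
    return flagged


if __name__ == "__main__":
    p2, routes = posted_config()
    print("missing phase 2:",
          missing_spoke_to_spoke(p2, "B", "A", "172.18.0.0/24", "C", "192.168.61.0/24"))
    print("redundant routes:", redundant_static_routes(p2, routes))
```

Run against the posted configuration, the phase 2 check reports nothing missing (the four entries do mirror correctly), while both static routes are flagged, which matches the reply's advice to remove them. Dropping any one of the four entries from the input makes the first check name the absent entry, which is the quickest way to confirm which side of a hub-and-spoke pair was left out.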
-
Thanks for the answer @keyser
I checked here that the "Split connections" option only appears with IKEv2; in my case the IPsec configuration is working with IKEv1. So I will need to try this outside of company working hours.
About creating an IPsec tunnel from A to C, there are a few reasons. One is that site B is the main core, so we centralized all the configuration there, and to be honest my real scenario has more than 3 spokes, so creating a lot of new IPsec tunnels on site A will turn this firewall into a second core.
Anyway, thanks for the help, I will read more about it and try enabling this option to check if it works.