How to configure 3 tunnels on 3 different sites with 3 pfsense
-
I tried to configure 3 pfsense on different location in VPN. But the problem is that I can establish VPN tunnel only between two the third one is always yellow. When I try to make a tunnel between any of two points I manage to establish VPN tunnel.
Scenario:
Site 1:ย LAN-10.180.10.0/24-WAN-dynamic
-policy VPN-Site1 to Site2
-policy VPN-Site1 to Site3
Site 2:ย LAN-10.180.20.0/24-WAN-dynamic
-policy VPN-Site2 to Site1
Site 3:ย LAN-10.180.30.0/24-WAN-dynamic
-policy VPN-Site3 to Site1Help please.
-
http://rolfsa.blogspot.com/2009/07/basic-pfsense-to-pfsense-ipsec-tunnel.htm
this is good example โฆ.
-
Unless you have used supernetting (CIDR summarization) or multiple tunnels for each subnet, in your layout, site 2 cannot talk to site 3.
You should either switch to a layout where they all have tunnels to each other (1->2,3; 2->1,3; 3->1,2) or switch to OpenVPN instead and you can route any way you like.
I use the mesh topology I described above for a customer that interlocks 8 sites and it works well.
-
Does anyone have some guides/examples on how to do multiple sites-to-sites with OpenVPN?
It also did it with IPSEC tunnels on 3 sites with a LAN and DMZ each, and sure makes a lot of combinations to get it all working - all sites should be able to reach LAN and DMZ on all other sites.
Thanks
-
Does anyone have some guides/examples on how to do multiple sites-to-sites with OpenVPN?
I'm not sure anything has been formally written up on this scenario. Are you talking about having them all connect directly to each other, or route via a central location?
I've done it where they all route centrally, and it works really well. I could probably write something up, if I have time.
-
I would like the site to take a direct way if possible - I have it working with three sites, but is a pain to configure :)
So was looking for an alternative way - and OpenVPN can do it? (I am trying to mimic a setup based on Cisco RemoteVPN, and is quite sure is using some thing more clever way - 10 sites with multiple DMZs)
Thanks
-
There is probably no easy way to pull that off with all sites interconnected.
No matter what you do it's messy: You could do static key site-to-site, which is just as ugly as site-to-site IPsec, or every site is a SSL PKI server and a client to all others, which would be a nightmare to manage, key-wise. (not to mention a pill to setupโฆ)
-
Damn :(
So if each site has a OpenVPN server, and each site also has OpenVPN clients to all the other sites, I could then push out the routing for the DMZ/Optional networks on each site?
Thanks
-
If you do a PKI setup, you can push routes. If you do a site-to-site, the routes must be set manually on both ends.
-
Hi
I am trying to make multiple site-2-site setup based on 3 sites so that all connects to each other, and have been looking at some guides on site-2-site, but I don't understand the "Remote Network" when I create the server part.
1. I thought that my site A should have a openvpn server running
2. My two other sites - site B and site C would connect to site A as a OpenVPN Clients
3. And my two other sites also should have an OpenVPN server (and clients on the other sites)So what should the "Remote network" be on sita A?
Thanks again
-
Or should I use "Remote Access" when connection multiple sites - instead of a "peer-2-peer"?
Thanks
-
So what should the "Remote network" be on sita A?
You can leave that blank, or put in either site B or site C. You'll need a route for both sites in the custom options, and the Remote Network just does a route statement behind the scenes for you. If you fill in B, then you'll still need a custom route statement for C, and vice versa.
If you are doing a PKI (remote access) setup, you'll also need to make a CSC entry for the CN of both site B and C, with an iroute statement in its custom options.
That is probably the better way to handle setting up a multi-site "star" layout. peer-to-peer would be better for making individual tunnels between each site that only have one connection per tunnel.
-
Got it - will try both options :)
And thanks for a FAST reply :)
-
One more thing "Inter-client communication" - would that allow site B and site C to talk to each other? - but routed through site A I guess?
-
Correct. With a PKI setup you need that option ticked so the B can reach C via A.
