Netgate Discussion Forum

    How to configure 3 tunnels on 3 different sites with 3 pfsense

    IPsec
    15 Posts 4 Posters 7.6k Views
      Piplfox

      I tried to configure 3 pfSense boxes in different locations with VPN. But the problem is that I can establish a VPN tunnel only between two; the third one is always yellow. When I try to make a tunnel between any two points I manage to establish the VPN tunnel.
      Scenario:
      Site 1: LAN-10.180.10.0/24-WAN-dynamic
      -policy VPN-Site1 to Site2
      -policy VPN-Site1 to Site3
      Site 2: LAN-10.180.20.0/24-WAN-dynamic
      -policy VPN-Site2 to Site1
      Site 3: LAN-10.180.30.0/24-WAN-dynamic
      -policy VPN-Site3 to Site1

      Help please.

        mst

        http://rolfsa.blogspot.com/2009/07/basic-pfsense-to-pfsense-ipsec-tunnel.htm

        This is a good example…

          jimp (Rebel Alliance Developer, Netgate)

          Unless you have used supernetting (CIDR summarization) or multiple tunnels for each subnet, in your layout, site 2 cannot talk to site 3.

          You should either switch to a layout where they all have tunnels to each other (1->2,3; 2->1,3; 3->1,2) or switch to OpenVPN instead and you can route any way you like.

          I use the mesh topology I described above for a customer that interlocks 8 sites and it works well.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            FlexyZ

            Does anyone have some guides/examples on how to do multiple sites-to-sites with OpenVPN?

            I also did it with IPsec tunnels on 3 sites with a LAN and DMZ each, and it sure makes a lot of combinations to get it all working - all sites should be able to reach the LAN and DMZ on all other sites.

            Thanks

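To make the two points above concrete (jimp's remark that site 2 cannot reach site 3 without a direct tunnel or summarisation, and FlexyZ's "lot of combinations" once every site has a LAN and a DMZ), here is a small added script that enumerates what a full mesh of policy-based IPsec tunnels needs. It is not code from the thread or from pfSense; the three LANs are taken from the first post's scenario, and the DMZ networks (10.180.x1.0/24) are constructed to show the LAN+DMZ case.

```python
from itertools import combinations, product

# Constructed sample data: the three LANs come from the first post's scenario;
# the DMZ network per site is a made-up addition to show the LAN+DMZ case.
SITES = {
    "Site1": ["10.180.10.0/24", "10.180.11.0/24"],
    "Site2": ["10.180.20.0/24", "10.180.21.0/24"],
    "Site3": ["10.180.30.0/24", "10.180.31.0/24"],
}


def mesh_tunnels(sites):
    """Site pairs that need a Phase 1 tunnel for a full mesh (each pair once)."""
    return list(combinations(sorted(sites), 2))


def phase2_pairs(sites):
    """Every (local network, remote network) pair that needs its own Phase 2 entry.

    Policy-based IPsec only carries traffic matching a Phase 2 selector, so a
    tunnel between two sites with k networks each needs k*k entries, and each
    end must configure the mirror image of the other end's entries.
    """
    pairs = []
    for a, b in mesh_tunnels(sites):
        for local, remote in product(sites[a], sites[b]):
            pairs.append((a, local, b, remote))
    return pairs


def reachable_pairs(sites, tunnels):
    """Site pairs that can talk given the configured tunnels.

    Without transit routing or CIDR summarisation, a policy-based tunnel only
    joins its two endpoints: there is no hop from Site2 to Site3 through Site1.
    """
    return {tuple(sorted(t)) for t in tunnels if set(t) <= set(sites)}


def missing_pairs(sites, tunnels):
    """Site pairs that cannot reach each other with the configured tunnels."""
    wanted = set(mesh_tunnels(sites))
    return sorted(wanted - reachable_pairs(sites, tunnels))


if __name__ == "__main__":
    # The original poster's layout: Site1 <-> Site2 and Site1 <-> Site3 only.
    hub = [("Site1", "Site2"), ("Site1", "Site3")]
    print("unreachable with the hub layout:", missing_pairs(SITES, hub))
    print("tunnels for a full mesh:", len(mesh_tunnels(SITES)))
    print("Phase 2 entries (counted once per tunnel):", len(phase2_pairs(SITES)))
    for a, local, b, remote in phase2_pairs(SITES):
        print(f"  {a} {local} <-> {b} {remote}")
```

With three sites and two networks each this yields 3 tunnels and 12 network pairs, which means 24 Phase 2 entries typed into the three GUIs since each side mirrors the other. Summarising each site's networks into one larger block (jimp's supernetting option) is what brings that count back down to one Phase 2 per tunnel.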
              jimp (Rebel Alliance Developer, Netgate)

              @FlexyZ:

              Does anyone have some guides/examples on how to do multiple sites-to-sites with OpenVPN?

              I'm not sure anything has been formally written up on this scenario. Are you talking about having them all connect directly to each other, or route via a central location?

              I've done it where they all route centrally, and it works really well. I could probably write something up, if I have time.

                FlexyZ

                I would like the sites to take a direct path if possible - I have it working with three sites, but it is a pain to configure :)

                So I was looking for an alternative way - and OpenVPN can do it? (I am trying to mimic a setup based on Cisco RemoteVPN, and I am quite sure it is using something more clever - 10 sites with multiple DMZs)

                Thanks

                  jimp (Rebel Alliance Developer, Netgate)

                  There is probably no easy way to pull that off with all sites interconnected.

                  No matter what you do it's messy: You could do static key site-to-site, which is just as ugly as site-to-site IPsec, or every site is an SSL PKI server and a client to all others, which would be a nightmare to manage, key-wise. (not to mention a pill to setup…)

                    FlexyZ

                    Damn :(

                    So if each site has an OpenVPN server, and each site also has OpenVPN clients to all the other sites, I could then push out the routing for the DMZ/Optional networks on each site?

                    Thanks

                      jimp (Rebel Alliance Developer, Netgate)

                      If you do a PKI setup, you can push routes. If you do a site-to-site, the routes must be set manually on both ends.

                        FlexyZ

                        Hi

                        I am trying to make a multiple site-2-site setup based on 3 sites so that all connect to each other, and have been looking at some guides on site-2-site, but I don't understand the "Remote Network" when I create the server part.

                        1. I thought that my site A should have an OpenVPN server running
                        2. My two other sites - site B and site C - would connect to site A as OpenVPN clients
                        3. And my two other sites also should have an OpenVPN server (and clients on the other sites)

                        So what should the "Remote network" be on site A?

                        Thanks again

                          FlexyZ

                          Or should I use "Remote Access" when connecting multiple sites - instead of "peer-2-peer"?

                          Thanks

                            jimp (Rebel Alliance Developer, Netgate)

                            @FlexyZ:

                            So what should the "Remote network" be on site A?

                            You can leave that blank, or put in either site B or site C. You'll need a route for both sites in the custom options, and the Remote Network just does a route statement behind the scenes for you. If you fill in B, then you'll still need a custom route statement for C, and vice versa.

                            If you are doing a PKI (remote access) setup, you'll also need to make a CSC entry for the CN of both site B and C, with an iroute statement in its custom options.

                            That is probably the better way to handle setting up a multi-site "star" layout. Peer-to-peer would be better for making individual tunnels between each site that only have one connection per tunnel.

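The hub ("star") layout described in the reply above, written out as the OpenVPN directives that end up in the server's custom options and in the Client Specific Overrides. This is an added example, not configuration from the thread or from Netgate; the subnets are the three LANs from the first post (site A = 10.180.10.0/24, site B = 10.180.20.0/24, site C = 10.180.30.0/24), and the certificate common names "siteB" and "siteC" are assumptions.

```conf
# --- Site A: OpenVPN server in Remote Access (SSL/TLS) mode, custom options ---
# Kernel routes on the hub so traffic for B's and C's LANs is sent into the tunnel.
# Filling in "Remote Network" in the GUI generates one of these for you;
# the other site still needs its own route line here.
route 10.180.20.0 255.255.255.0
route 10.180.30.0 255.255.255.0
# Let connected clients reach each other through the hub
# ("Inter-client communication" in the GUI).
client-to-client
# Directory of per-client files; pfSense adds this itself when overrides exist.
# It is shown here only so the standalone config is complete.
client-config-dir ccd

# --- Client Specific Override for CN "siteB" (assumed CN) ---
# iroute tells the OpenVPN daemon which connected client owns 10.180.20.0/24;
# the kernel "route" above and this "iroute" are both required.
iroute 10.180.20.0 255.255.255.0
# Push site B a route to A's LAN and to C's LAN (never to its own LAN).
push "route 10.180.10.0 255.255.255.0"
push "route 10.180.30.0 255.255.255.0"

# --- Client Specific Override for CN "siteC" (assumed CN) ---
iroute 10.180.30.0 255.255.255.0
push "route 10.180.10.0 255.255.255.0"
push "route 10.180.20.0 255.255.255.0"
```

The pushes are placed per override rather than in the server's global options so that no site is handed a route to its own LAN over the tunnel. Traffic between B and C still traverses the hub, so the OpenVPN-interface firewall rules on site A must permit B's and C's LANs, and an override must exist for every client CN that owns a network behind it, otherwise the hub has nowhere to send replies.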
                              FlexyZ

                              Got it - will try both options :)

                              And thanks for a FAST reply :)

                                FlexyZ

                                One more thing "Inter-client communication" - would that allow site B and site C to talk to each other? - but routed through site A I guess?

                                  jimp (Rebel Alliance Developer, Netgate)

                                  Correct. With a PKI setup you need that option ticked so that B can reach C via A.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.