IPSEC - Need help with, How to force all traffic through VPN, No Split-Tunneling



  • I've been searching the forums and the web for days…

    Could someone please provide guidance on how to force all traffic (no split-tunneling) from remote sites through IPSEC VPNs back to our corporate "HUB Site". All remote subnets will terminate their VPN connection at Public IP A2 (HUB Site) and back out through Public IP A1 (HUB Site) to the rest of the Internet.

    1. I'm not ready to deploy a proxy server
    2. I think I need to add static routes at each remote site (something like 0.0.0.0/0 pointing to ?) but really not sure.

    Running: 1.2.3-RELEASE nanobsd at every location
    Topology: HUB and Spoke

    Site A - Corporate "HUB Site" - Internet Gateway
    WAN: Public IP A1 - Internet Gateway
    WAN: Public IP A2 - VPN Concentrator
    LAN Subnet: 192.168.1.0/24
       LAN IP for A1: 192.168.1.1
       LAN IP for A2: 192.168.1.2

    Site B - Remote "Spoke Site"
    WAN: Public IP B
    LAN Subnet: 10.1.0.0/16
       LAN IP: 10.1.0.1
    VLAN10: 10.1.10.0/24
       VLAN10 IP: 10.1.10.1
    VLAN20: 10.1.20.0/24
       VLAN20 IP: 10.1.20.1
    VLAN30: 10.1.30.0/24
       VLAN30 IP: 10.1.30.1
    VLAN40: 10.1.40.0/24
       VLAN40 IP: 10.1.40.1

    Site C - Remote "Spoke Site"
    WAN: Public IP C
    LAN Subnet: 10.2.0.0/16
       LAN IP: 10.2.0.1
    VLAN10: 10.2.10.0/24
       VLAN10 IP: 10.2.10.1
    VLAN20: 10.2.20.0/24
       VLAN20 IP: 10.2.20.1
    VLAN30: 10.2.30.0/24
       VLAN30 IP: 10.2.30.1
    VLAN40: 10.2.40.0/24
       VLAN40 IP: 10.2.40.1

    Thanks!
    Skoaler



  • Chris,

    Thank you for all your support over the past few days!

    If anyone is thinking about purchasing a support subscription from BSD Perimeter, go for it. We've received outstanding support and guidance over the past few days which helped us reach our goal of two test sites, up and running, by the end of the week. We've been running solid for nearly three days now.

    We're looking forward to rolling out more pfSense (ALIX2D3) firewalls if our initial testing continues to go well.

    Thanks again!
    -Skoaler



  • Was there a solution to this?  I am looking to do the same type of thing.

    Thanks.



  • Spliff16,

Yes, there is a solution. You should reach out to Chris via BSD Perimeter for guidance. He'll get you set up in no time and the price is more than reasonable for the five hour block / support subscription.

    Make sure you map out your environment before reaching out to him to maximize his time.

    Good luck!
    ~Skoaler



  • So ~Skoaler,

    Judging from your last reply you are not willing to share your solution with the rest of the forum.  Does this also mean you will be getting all your support from a paid service from now on and we won't see any more support questions from you on the forum?

    Roy…



  • Roy,

    Please don't take offense with my statement but to be perfectly honest with you the solution Chris came up with is relatively complex and should be solved through a paid subscription.

I am willing to share solutions with everyone but I'm hesitant to share this particular one as this is how Chris and the folks at BSD make their living. I too am an IT Guy and providing support is how I make my living. If the experts always gave everything away we wouldn't be able to put food on the table now, would we?

    My post to Spliff16 was meant as an endorsement for pfSense and the commercial support I received and that the solution we were looking for could be accomplished using pfSense.

    Thanks!
    ~Skoaler



  • ~Skoaler,

    I also make my living as an IT/Network Consultant but I choose to freely share my knowledge (as time permits) with members of any forum I join.  Not doing so, in my opinion, would make me a parasite.  Also, the majority of my IT knowledge I owe to other IT folks freely sharing their knowledge so I feel I have an obligation to give back whenever possible.  Thankfully, most folks on this and other forums don't see it the same way as you.

    As Bill O'Reilly likes to say – "It's Time to Wise Up"

    Roy...



  • To use IPsec without split tunneling, you just use remote subnet 0.0.0.0/0 with local subnet of the LAN subnet at the remote end, and local subnet 0.0.0.0/0 with remote subnet of the remote end's LAN on the main end. That describes the entire solution to the initial question.

What we spent far more time on is discussing the network in general and designing an appropriate solution to fit the company's needs, which he can't detail here nor can I. That's always specific to each individual environment, and this company is in a regulated sector where disclosure of this type is against his company's policy to comply with regulations.



  • Thanks Chris!  I'm sure that will be useful information for lots of IPsec users.

    Roy…



Thanks for the quick tips for this solution, but I feel like I'm missing something simple as I'm not having any luck getting my packets out of the main site and out to the Internet from any client at the remote site.

    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ and Austin is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.

    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24

    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24

    The Austin (Remote) site has a VPN config of:
Local Net: 10.20.2.0/24
    Remote Net: 0.0.0.0/0

    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.

    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?



  • I just created a thread without seeing this one.  I had only seen an OpenVPN thread with the same question, but the syntax would be different there anyway.

    Mods:  Sorry about that.  Please merge if needed.
    http://forum.pfsense.org/index.php/topic,24335.0.html



  • Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.

Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change; it just took a slap in the head from Jimp to point me in the right direction. :)
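The two pieces of the fix in this thread, Chris's mirrored phase 2 selectors (0.0.0.0/0 on the spoke's remote side and on the hub's local side) and the manual outbound NAT rule for the spoke subnet from the last post, can be checked together with a small model of the hub's forwarding decision. The following is an added example, not configuration from pfSense or from anyone in this thread; it uses the Dallas/Austin subnets quoted above and a placeholder hub WAN address from the 203.0.113.0/24 documentation range, and it reproduces why a spoke client can reach the hub router but not 8.8.8.8 until the extra NAT rule exists.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the WAN address is a constructed placeholder.
HUB_WAN_IP = ip_address("203.0.113.10")  # placeholder hub WAN address
HUB_LAN = ip_network("10.10.200.0/24")    # Dallas (main) LAN
SPOKE_LAN = ip_network("10.20.2.0/24")    # Austin (remote) LAN
ANY = ip_network("0.0.0.0/0")


def mirrored_phase2(hub_lan, spoke_lan):
    """Phase 2 selectors for no-split-tunnel IPsec: the spoke's remote
    network is 0.0.0.0/0 and the hub's local network is 0.0.0.0/0."""
    hub = {"local": ANY, "remote": spoke_lan}
    spoke = {"local": spoke_lan, "remote": ANY}
    return hub, spoke


def selectors_mirror(hub, spoke):
    """Each side's local network must equal the other side's remote network,
    otherwise the phase 2 SAs will not line up."""
    return hub["local"] == spoke["remote"] and hub["remote"] == spoke["local"]


def spd_accepts(policy, src, dst):
    """Hub-side check on a decrypted packet: it must be remote -> local."""
    return src in policy["remote"] and dst in policy["local"]


def automatic_outbound_nat(hub_lan, wan_ip):
    """pfSense automatic outbound NAT only translates the firewall's own
    directly connected networks, so only the hub LAN is covered."""
    return [{"source": hub_lan, "translate_to": wan_ip}]


def manual_outbound_nat(hub_lan, spoke_lan, wan_ip):
    """Manual outbound NAT: copy of the default rule with the source changed
    to the spoke subnet, appended to the automatic rule set."""
    rules = automatic_outbound_nat(hub_lan, wan_ip)
    rules.append({"source": spoke_lan, "translate_to": wan_ip})
    return rules


def hub_forward(policy, nat_rules, hub_lan, src, dst):
    """Decide what the hub does with a packet that arrived over the tunnel.

    Returns a (verdict, source address) pair:
      ("drop", reason)          - no phase 2 selector matches
      ("lan", src)              - delivered to the hub LAN, no NAT needed
      ("wan", translated_src)   - sent out WAN with a public source
      ("wan-untranslated", src) - sent out WAN with a private source; the
                                  reply can never come back, which is the
                                  symptom described in the thread
    """
    src, dst = ip_address(src), ip_address(dst)
    if not spd_accepts(policy, src, dst):
        return ("drop", "no phase 2 selector matches")
    if dst in hub_lan:
        return ("lan", str(src))
    for rule in nat_rules:
        if src in rule["source"]:
            return ("wan", str(rule["translate_to"]))
    return ("wan-untranslated", str(src))


if __name__ == "__main__":
    hub_p2, spoke_p2 = mirrored_phase2(HUB_LAN, SPOKE_LAN)
    print("selectors mirror:", selectors_mirror(hub_p2, spoke_p2))
    auto = automatic_outbound_nat(HUB_LAN, HUB_WAN_IP)
    manual = manual_outbound_nat(HUB_LAN, SPOKE_LAN, HUB_WAN_IP)
    for rules, label in ((auto, "automatic NAT"), (manual, "manual NAT")):
        for dst in ("10.10.200.1", "8.8.8.8"):
            print(label, "10.20.2.50 ->", dst, hub_forward(hub_p2, rules, HUB_LAN, "10.20.2.50", dst))
```

The model keeps the selector check and the NAT lookup separate on purpose: the tunnel coming up and the hub router answering pings proves only the first half, while Internet access from the spoke depends on the outbound NAT rule on the hub's WAN covering the spoke subnet as a source.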

