Netgate Discussion Forum

Multi-site IPSEC VPN Routing

IPsec
    garyhook
    last edited by May 19, 2010, 4:32 PM

    I have a multi-site client using a Watchguard 500e at their home office and multiple pfsense firewalls at the remote sites.  Each remote site establishes a vpn tunnel to the main office.  Configuration is basically as follows:

    Main Office Sub-net - 10.0.0.0/24
    Site 1 - 192.168.1.0/24
    Site 2 - 172.16.0.0/24

    VPNs are running just fine and hosts at each site can ping hosts within the main office sub-net, i.e. I can ping from 192.168.1.15 to 10.0.0.5 just fine.  At the main office I can ping hosts on each of the remote sub-nets just fine.

    However, I'm unable to ping a host from Site 1 to Site 2 through the vpn tunnel.  I suspect I'm missing a route on the pfsense boxes and/or Watchguard box.

    Any help would be appreciated!

      Eugene
      last edited by May 19, 2010, 6:35 PM

      You'll have to create a Site1 - Site2 tunnel.
      pfSense can't route traffic from one IPSec tunnel to another.

      http://ru.doc.pfsense.org

        jimp Rebel Alliance Developer Netgate
        last edited by May 20, 2010, 1:36 PM

        There are ways to make parallel tunnels to make something like this happen with such different subnets, but it would be easier to make tunnels from Site1-Site2.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          Eugene
          last edited by May 20, 2010, 2:39 PM

          @jimp:

          There are ways to make parallel tunnels to make something like this happen with such different subnets, but it would be easier to make tunnels from Site1-Site2.

          Unless you want this pfSense to restrict traffic between these two sites  ;)

          http://ru.doc.pfsense.org

            overand
            last edited by Jun 9, 2010, 8:47 PM

            Just build that into the IPSec firewall rules on those two sites.

            @Evgeny:

            @jimp:

            There are ways to make parallel tunnels to make something like this happen with such different subnets, but it would be easier to make tunnels from Site1-Site2.

            Unless you want this pfSense to restrict traffic between these two sites  ;)

              eazydor
              last edited by Jun 25, 2010, 4:28 AM

              @overand:

              Just build that into the IPSec firewall rules on those two sites.

              @Evgeny:

              @jimp:

              There are ways to make parallel tunnels to make something like this happen with such different subnets, but it would be easier to make tunnels from Site1-Site2.

              Unless you want this pfSense to restrict traffic between these two sites  ;)

              Is it technically possible to route under multiple IPsec tunnels?
              Or how could it be done, i.e. with parallel tunnels?

                jimp Rebel Alliance Developer Netgate
                last edited by Jun 25, 2010, 12:25 PM

                IPsec is not routed. You can't send arbitrary traffic over an IPsec tunnel like you can with OpenVPN. You'd have to set up multiple parallel tunnels, one for each subnet, or use 2.0 and define multiple phase 2 networks for each phase 1 definition.

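The policy-based behaviour jimp describes, as an added illustration that is not from the thread, from pfSense or from Watchguard: a small Python model of the phase 2 selector pairs each gateway needs before Site 1 to Site 2 traffic is protected at every hop. The gateway names, the hop order and the two sample host addresses are assumptions.

```python
"""Added model of phase 2 selectors for the hub-and-spoke setup in this thread.
Not pfSense or Watchguard code; gateway names and sample hosts are constructed."""
from ipaddress import ip_address, ip_network

HUB, SITE1, SITE2 = "10.0.0.0/24", "192.168.1.0/24", "172.16.0.0/24"


def spd(pairs):
    """Phase 2 list for one phase 1: (local network, remote network) pairs."""
    return [(ip_network(loc), ip_network(rem)) for loc, rem in pairs]


def covered(policies, src, dst):
    """True if some phase 2 entry matches src -> dst (or the reverse flow)."""
    s, d = ip_address(src), ip_address(dst)
    return any((s in loc and d in rem) or (s in rem and d in loc)
               for loc, rem in policies)


def first_gap(gateways, hops, src, dst):
    """Walk the packet across each (gateway, peer) hop; return the first hop
    whose phase 1 lacks a selector for the flow, or None if fully protected."""
    for gw, peer in hops:
        if not covered(gateways[gw][peer], src, dst):
            return (gw, peer)
    return None


# Thread's original state: every spoke has one phase 2 to the hub only.
ORIGINAL = {
    "main":  {"site1": spd([(HUB, SITE1)]), "site2": spd([(HUB, SITE2)])},
    "site1": {"main": spd([(SITE1, HUB)])},
    "site2": {"main": spd([(SITE2, HUB)])},
}
# jimp's fix: additional phase 2 networks on the same phase 1s, so spoke
# traffic for the other spoke rides the hub tunnel and the hub re-encrypts it.
FIXED = {
    "main":  {"site1": spd([(HUB, SITE1), (SITE2, SITE1)]),
              "site2": spd([(HUB, SITE2), (SITE1, SITE2)])},
    "site1": {"main": spd([(SITE1, HUB), (SITE1, SITE2)])},
    "site2": {"main": spd([(SITE2, HUB), (SITE2, SITE1)])},
}
# Site 1 -> hub -> Site 2: outbound at site1, in and out at main, inbound at site2.
HOPS = [("site1", "main"), ("main", "site1"), ("main", "site2"), ("site2", "main")]

if __name__ == "__main__":
    print(first_gap(ORIGINAL, HOPS, "192.168.1.15", "172.16.0.20"))  # ('site1', 'main')
    print(first_gap(FIXED, HOPS, "192.168.1.15", "172.16.0.20"))     # None
```

With the original selectors the spoke gateway has no policy matching the flow, so the packet never enters the tunnel; the same check passes for hub-to-spoke traffic, which is exactly what garyhook observed.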
                  spiritbreaker
                  last edited by Jun 28, 2010, 6:46 PM

                  Hi jimp,

                  Is it the same for different networks behind pfsense?

                  for example:

                  Main Office  Pfsense 10.0.0.0/24  <--- IPSEC VPN ---> Pfsense Site 1 - 192.168.1.0/24  --- Site 1 Router B (NoNAT) -  172.16.1.0/24

                  Pfsense Site 1 has static route to Network 172.16.1.0/24.

                  How to reach subnet 172.16.0.0/24 from main office through tunnel, is it possible?

                  cya

                  EDIT:

                  Hi Jimp, you already answered my question.
                  http://forum.pfsense.org/index.php/topic,25492.0.html
                  Thx

                  Pfsense running at 11 Locations
                  -mobile OPENVPN and IPSEC
                  -multiwan failover
                  -filtering proxy(squidguard) in bridgemode with ntop monitoring

                    eazydor
                    last edited by Jun 28, 2010, 7:42 PM

                    hit me hard if i'm wrong, but i think you should be able to route OpenVPN-Tunnels..

                      jimp Rebel Alliance Developer Netgate
                      last edited by Jun 28, 2010, 9:42 PM

                      @eazydor:

                      hit me hard if i'm wrong, but i think you should be able to route OpenVPN-Tunnels..

                      Yes, you can. OpenVPN can be routed however you like. If you need to pass a bunch of random subnets over a VPN, it's definitely the way to go. Some people are stuck with IPsec if they connect to third-party vendor equipment though.

                        spiritbreaker
                        last edited by Jun 29, 2010, 4:00 PM

                        Hi,

                        @eazydor

                        I never tried OPENVPN for Site to Site. But I have to connect to Checkpoint FW, so it's no option for me.

                        Cya

                          eazydor
                          last edited by Jun 29, 2010, 7:59 PM

                          i know, i know…

                          this is such a pile of rubbish, OpenVPN is so much more flexible than IPSec is more secure.. it's really like over-bruce himself said, IPSec is still the most secure way to secure IP, but still a disappointment in regards of implementation..  it's almost always that you would use openvpn but have to get along with ipsec cause of compatibility (Mobile Clients, your Case, etc..)

                          Sorry everyone for this ipsec-rant, but i had to get rid of this…
                          now, i feel so much better :)

                          spiritbreaker, did you set your additional tunnels up and are they working fine now?

                            jonnytabpni
                            last edited by Jul 15, 2010, 2:09 PM

                            Why do you say that IPSEC is more secure than OpenVPN?

                            Both can use similar encryption algorithms as well as Keys for authentication…

                              eazydor
                              last edited by Jul 15, 2010, 2:39 PM

                              I am not in the position to answer that exactly, but I believe people like Niels Ferguson or even Bruce Schneier, who analyzed the ipsec-protocol multiple times and found that ipsec was a great disappointment concerning the complexity.. but that IPSec would be the best way to secure IP.

                              I never said that openvpn would be secure since both provide a level of security which someone would expect from a VPN. openvpn has even the advantage of being far more flexible (routing, etc..) than ipsec. but for site-to-site i.e. I use ipsec. that could be my personal affection, originated from everything I read i.e. these forums and of my imagination that ipsec has a more secure negotiation and is implemented that complex, that it could even become an advantage.

                              but again, I'm not an expert in terms of VPNs of any type.

                                jonnytabpni
                                last edited by Jul 15, 2010, 3:17 PM

                                @eazydor:

                                I am not in the position to answer that exactly, but I believe people like Niels Ferguson or even Bruce Schneier, who analyzed the ipsec-protocol multiple times and found that ipsec was a great disappointment concerning the complexity.. but that IPSec would be the best way to secure IP.

                                I never said that openvpn would be secure since both provide a level of security which someone would expect from a VPN. openvpn has even the advantage of being far more flexible (routing, etc..) than ipsec. but for site-to-site i.e. I use ipsec. that could be my personal affection, originated from everything I read i.e. these forums and of my imagination that ipsec has a more secure negotiation and is implemented that complex, that it could even become an advantage.

                                but again, I'm not an expert in terms of VPNs of any type.

                                I agree with you that IPSEC is much more complex in setting up. I'm just concerned about how OpenVPN is "less secure", as I use it a lot! I'm guessing that IPSEC's added "security" is that by nature it will only pass a single subnet that the tunnel was set up for, while openvpn will pass anything. Given this, OpenVPN requires a greater level of "firewalling" when it comes to site to site VPNs with OpenVPN.

                                Don't think it matters too much with road warriors though..

                                Edit: OpenVPN can pass any arbitrary subnet, however the ip addresses of the openvpn endpoints have to remain constant as set in the openvpn config and given out at connection time.

                                  eazydor
                                  last edited by Jul 15, 2010, 6:06 PM

                                  no, personally I don't think you have to worry, it's just like saying I hang my stuff 30 feet high so no one could reach it (under normal circumstances, before someone tells me, yes, but if..) and then saying it would be more secure to hang it 35 feet high.

                                  openvpn has no flaws like, let's say, pptp with its weak password hashing or poor encryption keys..

                                  to me it would be fine if everybody (universities, big networking companies, OS-Providers, etc..) would do SSL-VPNs as their standards, but unfortunately they don't. i.e. on iPhones which don't support installing third party devices (tun, tap) you don't have much choice, or if you have to connect to third-party-vendor-stuff…

                                  it depends, on implementation (I heard IPSec with NAT-T is not an ace either), on technology being used, on the usecase, on so many things.. but I'm glad that pfsense does them all.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.