Redirect traffic for a specific network out an ipsec tunnel



  • Hello

    I have a main router at branch a with the LAN IP 192.168.0.1. Each branch has an OpenVPN tunnel to it; branch b is 10.10.2.x and 10.10.3.x.

    We are using an online backup server that requires an IPsec tunnel to the provider. We want all branches to back up through headquarters, which is then supposed to send it across the IPsec tunnel to the provider. I have the tunnel up at HQ and it can reach their equipment. However, the branches cannot ping the backup people's equipment. They are Cisco familiar and could not tell me in normal terms what I need. Basically I need to take any traffic destined for xxx.xx.xx. and send it over IPsec at HQ to the provider.

    The second part I would like to know is how to limit what can go across that tunnel. The backup people said they will never need to get to us; just our equipment goes to them, so they are just replying. However, in my firewall rules on the IPsec tab I am permitting all. How can I tighten that down? Do I simply delete the rule, as we are just sending and NAT should handle it?


  • Rebel Alliance Developer Netgate

    You can't really do what you want with IPsec on 1.2.3 easily. What you need is to either have parallel IPsec tunnels: one with a local network of 192.168.0.0/24, the other with 10.10.2.0/23 (or 10.10.2.0/24 and 10.10.3.0/24).

    In 2.0 you can define multiple phase 2 networks per IPsec tunnel so that would be preferable. The remote router also has to be configured to allow access from those two (or three) subnets.

    In OpenVPN on each branch's config you need a line "route x.x.x.x 255.255.255.0;" where x.x.x.x is the provider's remote IPsec subnet.

    If you only need outbound IPsec connections, you do not need any rules on the IPsec tab. That only gets matched for incoming traffic over the tunnel from the remote end.
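The reply above makes two points that are easy to get wrong in practice: an IPsec phase 2 is a selector pair, so packets whose source is not inside a configured local network never enter the tunnel at all, and each branch needs a route so the provider subnet is reached via the HQ OpenVPN tunnel. The following added example (not code from the forum or from pfSense) models both. The HQ LAN and branch subnets come from the thread; the provider-side subnet 203.0.113.0/24 is a constructed placeholder, since the original post elides the real one.

```python
import ipaddress

# Constructed sample addressing, following the thread. The provider subnet is
# a placeholder from the 203.0.113.0/24 documentation range (assumption).
HQ_LAN = ipaddress.ip_network("192.168.0.0/24")
BRANCH_SUBNETS = [ipaddress.ip_network("10.10.2.0/24"),
                  ipaddress.ip_network("10.10.3.0/24")]
PROVIDER_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # placeholder

# A phase 2 entry is a (local network, remote network) selector pair.
# A packet is only encrypted into the tunnel when its source is inside the
# local network AND its destination is inside the remote network of one pair.
PHASE2_HQ_ONLY = [(HQ_LAN, PROVIDER_SUBNET)]
PHASE2_WITH_BRANCHES = [(HQ_LAN, PROVIDER_SUBNET),
                        (ipaddress.ip_network("10.10.2.0/23"), PROVIDER_SUBNET)]


def matching_phase2(src, dst, phase2s):
    """Return the first selector pair (as strings) covering src->dst, or None."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for local, remote in phase2s:
        if src in local and dst in remote:
            return (str(local), str(remote))
    return None


def uncovered_sources(subnets, remote, phase2s):
    """List the subnets that no phase 2 entry fully covers towards `remote`.

    Anything listed here can be routed to HQ by OpenVPN but will still not
    reach the provider, because no SA selector claims it.
    """
    missing = []
    for net in subnets:
        covered = any(net.subnet_of(local) and remote.subnet_of(rem)
                      for local, rem in phase2s)
        if not covered:
            missing.append(str(net))
    return missing


def openvpn_route_line(remote):
    """Build the client-side OpenVPN 'route' directive from the reply above,
    so the branch sends traffic for the provider subnet into the HQ tunnel."""
    return f"route {remote.network_address} {remote.netmask}"


if __name__ == "__main__":
    # Before: only the HQ LAN is a phase 2 local network.
    print("branch host with HQ-only phase 2:",
          matching_phase2("10.10.2.15", "203.0.113.10", PHASE2_HQ_ONLY))
    print("uncovered:", uncovered_sources(BRANCH_SUBNETS, PROVIDER_SUBNET,
                                          PHASE2_HQ_ONLY))
    # After: a second phase 2 (or parallel tunnel) covers 10.10.2.0/23.
    print("branch host with branch phase 2:",
          matching_phase2("10.10.2.15", "203.0.113.10", PHASE2_WITH_BRANCHES))
    print("branch OpenVPN config line:", openvpn_route_line(PROVIDER_SUBNET))
```

The `uncovered_sources` check is the one to run before touching the remote end: every subnet it reports also has to be added as an allowed network on the provider's router, as the reply notes.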



  • First off, your any/any default rule will allow all traffic to pass both ways and allow any client from either side to travel down the tunnel when they request it. You want to remove the allow-all rule. Under the Rules section in the IPsec tab, you can deny and allow access however you want with your tunnel or tunnels. You need to focus primarily on your source and destination fields within the IPsec rules. Here you can specify a subnet or a single IP for source or destination.

    So for example: I only want one system on my network to be able to travel across the tunnel to a remote network. Your rule would look like this:

    Proto   Source          Port   Destination   Port   Gateway   Schedule   Description
    *       192.168.1.10    *      10.2.2.20     *      *                    Test Tunnel Rule 1

    The example up above will only allow this very thing to happen across the tunnel. Only one system from the LAN network will be able to access through the tunnel, coming from any port and going to any port, to only one specific system on the remote backup network. This is what you want, because nothing else can come back through your tunnel and access other systems on your network without an additional rule that allows it. In order for the remote system at 10.2.2.20 to come back through the tunnel and talk with system 192.168.1.10, you would have to create another rule that looks like the following below.

    Proto   Source          Port   Destination    Port   Gateway   Schedule   Description
    *       10.2.2.20       *      192.168.1.10   *      *                    Test Tunnel Rule 2
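To make the effect of the two rules above concrete, here is an added example (not pfSense code and not from the forum) that models how a first-match rule list with a default deny behaves, including a minimal state table so that replies to an already-permitted flow pass without a rule of their own. The rule fields mirror the table columns; the packets are constructed. The model only covers rule matching, not which interface pfSense consults for a given direction (the earlier reply notes the IPsec tab is matched for traffic arriving from the remote end).

```python
import ipaddress

ANY = "*"


def _addr_matches(field, addr):
    """A source/destination field is '*' (any), a single host, or a CIDR subnet."""
    if field == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


class TunnelPolicy:
    """First-match evaluation of IPsec-tab style rules with a default deny.

    Rules are dicts with the table's columns: action, proto, source, sport,
    destination, dport, description. A pass creates a state entry so the
    reply direction of that flow is accepted on state, not on a rule.
    """

    def __init__(self, rules):
        self.rules = rules        # evaluated top to bottom
        self.states = set()       # (src, sport, dst, dport, proto) of allowed flows

    def evaluate(self, proto, src, sport, dst, dport):
        # 1. Reply to an existing allowed flow passes on state.
        if (dst, dport, src, sport, proto) in self.states:
            return "pass (state)"
        # 2. Otherwise the first matching rule decides.
        for rule in self.rules:
            if rule["proto"] not in (ANY, proto):
                continue
            if not _addr_matches(rule["source"], src):
                continue
            if not _addr_matches(rule["destination"], dst):
                continue
            if rule["sport"] not in (ANY, sport) or rule["dport"] not in (ANY, dport):
                continue
            if rule["action"] == "pass":
                self.states.add((src, sport, dst, dport, proto))
            return f'{rule["action"]} ({rule["description"]})'
        # 3. Nothing matched: default deny.
        return "block (default deny)"


# The rules from the post, as constructed dicts.
RULE_1 = dict(action="pass", proto=ANY, source="192.168.1.10", sport=ANY,
              destination="10.2.2.20", dport=ANY, description="Test Tunnel Rule 1")
RULE_2 = dict(action="pass", proto=ANY, source="10.2.2.20", sport=ANY,
              destination="192.168.1.10", dport=ANY, description="Test Tunnel Rule 2")
ALLOW_ALL = dict(action="pass", proto=ANY, source=ANY, sport=ANY,
                 destination=ANY, dport=ANY, description="allow all")


if __name__ == "__main__":
    p = TunnelPolicy([RULE_1])
    print(p.evaluate("tcp", "192.168.1.10", 40000, "10.2.2.20", 22))   # rule 1
    print(p.evaluate("tcp", "10.2.2.20", 22, "192.168.1.10", 40000))   # reply, state
    print(p.evaluate("tcp", "10.2.2.20", 5000, "192.168.1.10", 22))    # new inbound, blocked
    print(p.evaluate("tcp", "192.168.1.50", 40000, "10.2.2.20", 22))   # other LAN host, blocked
    q = TunnelPolicy([RULE_1, RULE_2])
    print(q.evaluate("tcp", "10.2.2.20", 5000, "192.168.1.10", 22))    # rule 2
```

The contrast worth noting is between the second and third packets: the remote host's reply to a session the LAN host opened passes on state with Rule 1 alone, whereas a fresh connection the remote host initiates is blocked until Rule 2 exists. With `ALLOW_ALL` at the top of the list, every packet in either direction matches it, which is the situation the post says to remove.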
