IPSec and VLANs



  • Hello.

    I'm using PFsense 2.0 and have successfully established IPSEC Site to Site tunnels including a VLan VOIP tunnel for site B.

    Now that the communication between Site A and Site B is established via IPSec. How can I now create a VLAN on Site b to isolate Site A VOIP VLan from Site B LAN?

    Wow..if you're confused after that one, believe me, we're in the same boat.

    I'll try again.

    Site A has a VLan for VOIP. I would like to connect IP Phones at Site b via the VOIP vlan….BUT....I want to isolate the VOIP VLan at Site B on its own VLan from the LAN at Site B.

    I can ping the VOIP VLan from Site B

    Am I making ANY sense?



  • ummm….
    as far as i'm aware you create vlans on your router and switches. your voip vlan will have its own ip subnet which will have its own ipsec tunnel.
    your normal traffic will have its own ip subnet which will use another ipsec tunnel. so basically, 2 separate tunnels.

    i could be wrong though as there may be another way.



  • This is true and that is what is currently going on. Both Networks have their own tunnel.

    But now, on Site B…how, or can I, create a vlan for the VOIP IPsec Tunnel coming from Site A?

    Do I now create a Vlan in PFsense at Site B and assign it to an interface? How to do that, in terms of getting the tunnel traffic over to the vlan interface on Site B?
    Am I on the right track, if I set up a vlan on site B and then initiate an ipsec tunnel from the VOIP vlan on site A to the VOIP vlan on site B? Does this sound about right?

    And what about DHCP assignments from Site A VOIP, will DHCP Relay work in this case across IPSec tunnels? Sip data traffic?
    thanks, Jits

    ummm….
    as far as i'm aware you create vlans on your router and switches. your voip vlan will have its own ip subnet which will have its own ipsec tunnel.
    your normal traffic will have its own ip subnet which will use another ipsec tunnel. so basically, 2 separate tunnels.

    i could be wrong though as there may be another way.



  • you have to have vlans at both sites:

    for example:

    Site A:
    vlan 100 - data = 192.168.100.0/24 using ipsec tunnel A
    vlan 101 - voice = 192.168.101.0/24 using ipsec tunnel B

    Site B
    vlan 102 - data = 192.168.102.0/24 using ipsec tunnel A
    vlan 103 - voice = 192.168.103.0/24 using ipsec tunnel B

    that's how i would approach it but as i say, i've not tried this. i'm not sure if the vlan headers would work via an ipsec.
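
    The addressing plan in the reply above can be checked before it is typed into pfSense. The script below is an added example, not code from the thread or from pfSense: it takes the four VLAN subnets exactly as listed (constructed sample values), verifies they do not overlap, derives the local/remote subnet pair each site needs in its Phase 2 entry for tunnel A (data) and tunnel B (voice), and models the isolation the original poster asked for, where voice may only talk to voice and the Site B data LAN is kept off the voice VLAN. A routed IPsec tunnel carries IP packets between the subnets; the 802.1Q tag is removed at the router, so only the subnet selectors matter, which is why the "vlan headers via ipsec" worry does not arise. On a real pfSense box the policy function corresponds to the firewall rules on the IPsec and VLAN interface tabs; the function names and the `TUNNELS` mapping are this example's own.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed from the VLAN plan in the reply above; sample values, not a
# real deployment.
SITES = {
    "A": {"data": ipaddress.ip_network("192.168.100.0/24"),
          "voice": ipaddress.ip_network("192.168.101.0/24")},
    "B": {"data": ipaddress.ip_network("192.168.102.0/24"),
          "voice": ipaddress.ip_network("192.168.103.0/24")},
}

# One IPsec Phase 2 per role (hypothetical names): tunnel A carries
# data<->data, tunnel B carries voice<->voice.
TUNNELS = {"data": "tunnel A", "voice": "tunnel B"}


def check_no_overlap() -> bool:
    """Every VLAN subnet at both sites must be unique; overlapping subnets
    would make the Phase 2 selectors ambiguous."""
    nets = [net for site in SITES.values() for net in site.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def phase2_selectors(site: str, peer: str) -> dict:
    """(local subnet, remote subnet) pairs the firewall at `site` needs in
    its Phase 2 entry for each tunnel toward `peer`."""
    return {TUNNELS[role]: (SITES[site][role], SITES[peer][role])
            for role in TUNNELS}


def classify(ip: str) -> Optional[Tuple[str, str]]:
    """Map an address to (site, role), or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for site, vlans in SITES.items():
        for role, net in vlans.items():
            if addr in net:
                return site, role
    return None


def policy(src: str, dst: str) -> Optional[str]:
    """Isolation policy: a flow may only stay within one role.
    Returns "local" for same-site, same-VLAN traffic, the tunnel name for
    cross-site traffic of the same role, or None when the flow must be
    dropped (for example Site B data LAN -> Site B voice VLAN)."""
    s, d = classify(src), classify(dst)
    if s is None or d is None or s[1] != d[1]:
        return None
    if s[0] == d[0]:
        return "local"
    return TUNNELS[s[1]]


if __name__ == "__main__":
    print("subnets unique:", check_no_overlap())
    for name, (local, remote) in phase2_selectors("B", "A").items():
        print(f"Site B {name}: local {local} <-> remote {remote}")
    for flow in [("192.168.101.10", "192.168.103.20"),   # voice A -> voice B
                 ("192.168.102.5", "192.168.103.20"),    # data B -> voice B
                 ("192.168.100.7", "192.168.102.9")]:    # data A -> data B
        print(flow, "->", policy(*flow))
```

    Running it prints the two selector pairs Site B needs and shows that the data-LAN-to-voice flow is denied while both cross-site same-role flows map to their tunnel. The DHCP relay question in the thread is a separate matter that this check does not cover.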

