Netgate Discussion Forum

    How to VPN 'hop'

    Routing and Multi WAN
    4 Posts 3 Posters 2.4k Views
    kattoz
      last edited by

      hi,
      I have two datacenters and one office.
      I want to connect the two datacenters via the office.
      dc1 and the office are handled by a lovely working IPsec on pfSense;
      the office to dc2 is OpenVPN.
      Is there any trick to routing? Or adding static routes?
      Or forwarding traffic on the firewall in the office?
      cheers
      Kaz

      billm
        last edited by

        At a minimum the tunnel from office -> dc1 will need to also have the dc2 network on it.

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

        kattoz
          last edited by

          ok, worked out this much:
          OpenVPN is working.
          IPsec is working, mostly.
          I am not getting the 'ping' replies from the datacenter with the pfSense running IPsec.
          apparently:

          "As long as you have ipsec tunnels covering the source-destination
          combinations of IP addresses, it does not matter whether these packets
          come from local machines, or openvpn connected ones."
          http://lists.openswan.org/pipermail/users/2006-February/008488.html
          Can someone explain this to me in a little more detail? Or a bit more clearly?
          Be aware, I'm NOT a network engineer, and a bit of a n00b at all this, so just talk me through this slow pls :D
          And yes, I have no idea which forum to post this in.. it covers a bit of everything and is stretching my knowledge of pfSense!

          dc1 192.168.1.1    /24 --LAN
            |
            |
            | ipsec
            |
            |
          office 192.168.2.1      /24 --LAN --im here :)
          | (openvpn 10.2.1.1)
          |
          | openvpn
          |
          | (openvpn 10.2.1.2)
          dc2 10.1.1.1

          hope this diagram explains it a tad better

          hoba
            last edited by

            I can only give you some advice for the IPsec part of this setup:

            • Create two identifiers other than IP address (like user fully qualified domain name)
            • Switch the tunnel that you already have up between 192.168.1.0/24 and 192.168.2.0/24 to use one of the identifiers
            • Create a second tunnel between the same public endpoints but with the following local and remote subnet tunnel definition:
                192.168.1.0/24 at dc1 and 10.1.1.0/24 at office
                Use the second identifier that you created for this tunnel

            Now you have 2 parallel tunnels between the same endpoints, one that covers the next-hop network at dc2. At least the traffic from dc1 to dc2 will get to the office now. You possibly have to do something similar at the dc2 site for the OpenVPN tunnel, like pushing a route. However, as I don't use OpenVPN and don't have too much experience with it, somebody else has to help you with that part.

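The two replies above make the same point from opposite ends: the OpenVPN leg is route-based (dc2 needs a route for dc1's LAN pointing into the tunnel), while the IPsec leg on pfSense is policy-based (a packet is only encrypted when some Phase 2 entry's local/remote subnets match its source and destination, which is what the quoted openswan mail means by "tunnels covering the source-destination combinations"). The following is an added worked example, not code from the thread or from pfSense: a small Python model of the diagram that walks an echo request from a dc2 host to a dc1 host and the reply back, and shows why kattoz gets no ping replies until both the pushed route and hoba's second Phase 2 tunnel are in place. The host addresses, the dc2 default gateway (203.0.113.1) and the "before/after" states are constructed; the office's own route for 10.1.1.0/24 back into OpenVPN is assumed to exist since that tunnel already works.

```python
"""Constructed model of the dc2 -> office -> dc1 VPN 'hop' from this thread.

Two different mechanisms decide whether a packet enters a tunnel:
  * OpenVPN is route-based: dc2 needs a route for 192.168.1.0/24 via the tunnel.
  * pfSense IPsec is policy-based: a packet is only encrypted if some Phase 2
    entry's local/remote subnets match its source/destination, in that direction.
"""
from ipaddress import ip_address, ip_network

# Networks from the diagram in the thread
DC1_LAN = ip_network("192.168.1.0/24")
OFFICE_LAN = ip_network("192.168.2.0/24")
DC2_LAN = ip_network("10.1.1.0/24")
OVPN_OFFICE = "10.2.1.1"       # office end of the OpenVPN tunnel
ISP_GW = "203.0.113.1"         # placeholder default gateway at dc2 (constructed)


def lookup_route(dst, routes):
    """Longest-prefix match over [(network, next_hop), ...]; returns next_hop or None."""
    dst = ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def ipsec_policy_for(src, dst, phase2):
    """Return the (local, remote) Phase 2 pair that covers src -> dst, else None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in phase2:
        if src in local and dst in remote:
            return (local, remote)
    return None


def trace_dc2_to_dc1(src, dst, dc2_routes, office_phase2, dc1_phase2):
    """Follow an echo request from a dc2 host to a dc1 host, then the reply back.

    Returns (request_delivered, reply_delivered, steps). The office's own route
    for 10.1.1.0/24 back into OpenVPN is assumed to exist (that tunnel works).
    """
    steps = []
    # 1. dc2 must send the request into the OpenVPN tunnel, not to its ISP.
    next_hop = lookup_route(dst, dc2_routes)
    steps.append(f"dc2 routes {dst} via {next_hop}")
    if next_hop != OVPN_OFFICE:
        return False, False, steps
    # 2. The office must hold a Phase 2 whose subnets match src -> dst; otherwise
    #    the packet coming out of OpenVPN is never put on the IPsec tunnel.
    policy = ipsec_policy_for(src, dst, office_phase2)
    steps.append(f"office IPsec policy for {src}->{dst}: {policy}")
    if policy is None:
        return False, False, steps
    # 3. dc1's reply needs its own matching Phase 2 (dst -> src), or it leaves
    #    dc1 unencrypted towards its default gateway and never comes back.
    reply_policy = ipsec_policy_for(dst, src, dc1_phase2)
    steps.append(f"dc1 IPsec policy for reply {dst}->{src}: {reply_policy}")
    return True, reply_policy is not None, steps


# --- Constructed before/after states ---------------------------------------
DC2_ROUTES_BEFORE = [(ip_network("0.0.0.0/0"), ISP_GW), (OFFICE_LAN, OVPN_OFFICE)]
DC2_ROUTES_AFTER = DC2_ROUTES_BEFORE + [(DC1_LAN, OVPN_OFFICE)]   # route pushed over OpenVPN

# Phase 2 entries as (local, remote) seen from each firewall
OFFICE_P2_BEFORE = [(OFFICE_LAN, DC1_LAN)]
OFFICE_P2_AFTER = OFFICE_P2_BEFORE + [(DC2_LAN, DC1_LAN)]          # hoba's second tunnel
DC1_P2_BEFORE = [(DC1_LAN, OFFICE_LAN)]
DC1_P2_AFTER = DC1_P2_BEFORE + [(DC1_LAN, DC2_LAN)]


def run_scenarios(src="10.1.1.50", dst="192.168.1.50"):
    """Returns {name: (request_ok, reply_ok)} for three constructed states."""
    return {
        "no route, one tunnel": trace_dc2_to_dc1(
            src, dst, DC2_ROUTES_BEFORE, OFFICE_P2_BEFORE, DC1_P2_BEFORE)[:2],
        "route pushed, one tunnel": trace_dc2_to_dc1(
            src, dst, DC2_ROUTES_AFTER, OFFICE_P2_BEFORE, DC1_P2_BEFORE)[:2],
        "route pushed, two tunnels": trace_dc2_to_dc1(
            src, dst, DC2_ROUTES_AFTER, OFFICE_P2_AFTER, DC1_P2_AFTER)[:2],
    }


if __name__ == "__main__":
    for name, (req, rep) in run_scenarios().items():
        print(f"{name:26s} request={'ok' if req else 'dropped'} "
              f"reply={'ok' if rep else 'dropped'}")
```

Running it prints one line per state; only the last one shows both directions delivered. The middle state is the interesting one for kattoz's symptom: with the route pushed but only the original 192.168.1.0/24 <-> 192.168.2.0/24 Phase 2, the request reaches the office and simply is not tunneled, because its source 10.1.1.50 is not inside 192.168.2.0/24. The same check explains the "no ping replies" case even when the request does get through: dc1 needs a Phase 2 whose remote side is 10.1.1.0/24 for the reply to be encrypted.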