How to VPN 'hop'



  • hi,
    i have two datacenters and one office
    i want to connect the two datacenters VIA the office..
    the dc1 and office are handled by a lovely working ipsec on pfsense,
    the office to dc2 is openvpn.
    is there any trick to routing? or adding static routes?
    or forwarding traffic on the firewall in the office?
    cheers
    Kaz



  • At a minimum the tunnel from office -> dc1 will need to also have the dc2 network on it.

    –Bill



  • ok, worked out this much,
    openvpn is working
    ipsec is working, mostly
    i am not getting the 'ping' replies from the datacenter with the pfsense running ipsec.
    apparently ..

    As long as you have ipsec tunnels covering the source-destination
    combinations of IP addresses, it does not matter whether these packets
    come from local machines, or openvpn connected ones.
    http://lists.openswan.org/pipermail/users/2006-February/008488.html
    can someone explain this to me in a little more detail? or a bit clearer?
    be aware, I'm NOT a network engineer, and a bit of a n00b at all this, so just talk me through this slowly pls :D
    and yes, I have no idea which forum to post this in.. it covers a bit of everything and is stretching my knowledge of pfsense!

    dc1 192.168.1.1 /24 --LAN
      |
      | ipsec
      |
    office 192.168.2.1 /24 --LAN --I'm here :)
      | (openvpn 10.2.1.1)
      |
      | openvpn
      |
      | (openvpn 10.2.1.2)
    dc2 10.1.1.1

    hope this diagram explains it a tad better



  • I can only give you some advice for the ipsec part of this setup:

    • Create two identifiers other than IP address (like user fully qualified domain name)
    • Switch the tunnel that you already have up between 192.168.1.0/24 and 192.168.2.0/24 to use one of the identifiers
    • Create a second tunnel between the same public endpoints but with the following local and remote subnet tunnel definition:
        192.168.1.0/24 at dc1 and 10.1.1.0/24 at office
        Use the second identifier that you created for this tunnel

    Now you have 2 parallel tunnels between the same endpoints, one that covers the next hop network at dc2. At least the traffic from dc1 to dc2 will get to the office now. You possibly have to do something similar at the dc2 site for the openvpn tunnel, like pushing a route. However, as I don't use openvpn and don't have too much experience with it, somebody else has to help you with that part.
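The openswan quote in the third post ("as long as you have ipsec tunnels covering the source-destination combinations") and the two-tunnel fix in the reply above describe the same mechanism: an IPsec endpoint only protects a packet if some Phase 2 entry (local subnet, remote subnet) covers that packet's source and destination; anything else is sent in the clear or dropped, which is why pings from dc2 get no answer. The following is an added illustration written for this thread, not code from the posts or from pfSense, and it simply models that selector lookup with the subnets from the diagram (the dc2 host 10.1.1.5 and dc1 host 192.168.1.10 are made-up sample addresses):

```python
"""Model of how an IPsec endpoint picks a Phase 2 entry for a packet.

Each selector is a (local subnet, remote subnet) pair as seen from one
endpoint. A packet is only tunnelled if its source falls in `local` and
its destination in `remote` for some entry.
"""
from ipaddress import ip_address, ip_network


def covering_selector(selectors, src, dst):
    """Return the first (local, remote) pair that covers src -> dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def mirror(selectors):
    """The same tunnels as seen from the far endpoint (local/remote swapped)."""
    return [(remote, local) for local, remote in selectors]


def path_covered(office_selectors, dc1_selectors, src, dst):
    """True if src -> dst is tunnelled at the office AND the reply is tunnelled at dc1."""
    outbound = covering_selector(office_selectors, src, dst)
    reply = covering_selector(dc1_selectors, dst, src)
    return outbound is not None and reply is not None


# Office-side view of the one tunnel the thread started with (from the diagram).
OFFICE_ORIGINAL = [("192.168.2.0/24", "192.168.1.0/24")]
# Office-side view after adding the second parallel tunnel from the reply:
# local 10.1.1.0/24 (dc2's LAN, reached via OpenVPN) <-> remote 192.168.1.0/24.
OFFICE_EXTENDED = OFFICE_ORIGINAL + [("10.1.1.0/24", "192.168.1.0/24")]

# Constructed sample hosts: a machine in dc2 pinging a machine in dc1.
DC2_HOST, DC1_HOST = "10.1.1.5", "192.168.1.10"


def demo():
    """Compare the ping path before and after the second tunnel exists."""
    before = path_covered(OFFICE_ORIGINAL, mirror(OFFICE_ORIGINAL), DC2_HOST, DC1_HOST)
    after = path_covered(OFFICE_EXTENDED, mirror(OFFICE_EXTENDED), DC2_HOST, DC1_HOST)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"{DC2_HOST} -> {DC1_HOST} tunnelled with one Phase 2:  {before}")
    print(f"{DC2_HOST} -> {DC1_HOST} tunnelled with two Phase 2s: {after}")
    print("matching entry at office:",
          covering_selector(OFFICE_EXTENDED, DC2_HOST, DC1_HOST))
```

The model checks both directions on purpose: the office needs an entry whose local side is 10.1.1.0/24 so that dc2's packets are encrypted, and dc1 needs the mirror image so that the echo replies come back through the tunnel instead of leaving unencrypted. The OpenVPN leg still needs its own route for 192.168.1.0/24 on the dc2 side, as the reply says; this example covers only the IPsec selector part.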

