Routing between one IPsec VPN and another



  • I understand from the changelog that multiple stage2s are supported for a single stage1 now.

    I have a site-to-site VPN up between 192.168.3.0/24 and 192.168.9.0/24.

    I have a road-warrior VPN working, with clients having 192.168.4.0/24 addresses.

    I want to route between 192.168.4.0/24 clients and the 192.168.9.0/24 network.

    When pinging 192.168.9.2 from 192.168.4.213, I can see the packets with tcpdump -i enc0 host 192.168.4.213:

        10:37:37.076219 (authentic,confidential): SPI 0x05878eb3: IP 192.168.4.213 > 192.168.9.2: ICMP echo request, id 4894, seq 6, length 64

    but I never see any replies.
    192.168.9.2 can ping 192.168.3.2 and vice versa, but the firewall cannot ping any remote networks directly. Is this expected to work?



  • Does your 192.168.9.0/24 network know how to reach 192.168.4.0/24? Do you have a P2 for that?

    By default the firewall itself can't directly access any IPsec remote network, but routing does work from the LAN side.
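
The question above ("do you have a P2 for that?") comes down to whether every gateway on the path holds a matching Phase 2 traffic selector for both the request and the reply. The script below is an added example, not pfSense or racoon code and not the poster's configuration: it models each gateway's Phase 2 list as (local network, remote network, peer) entries and walks a ping hop by hop, reporting the first gateway that would either refuse to encrypt the packet (no outbound selector) or drop it after decryption (no mirrored inbound selector). The topology, the names "rw", "hub" and "site9", and the policy lists are constructed to mirror the addressing in this thread and are assumptions; the model covers selectors only, not routing tables or firewall rules.

```python
"""Trace an IPsec-carried ping hop by hop against each gateway's Phase 2
(traffic-selector) policies and report the first hop without a match.

Added example, not pfSense or racoon code. The gateways, their Phase 2
lists and the names "rw", "hub" and "site9" are constructed to mirror the
addressing in the thread; they are assumptions, not anyone's real config.
"""
from ipaddress import ip_address, ip_network


def p2(local, remote, peer):
    """Phase 2 entry: encrypts local->remote toward `peer` and accepts the
    mirrored remote->local flow arriving from `peer`."""
    return (ip_network(local), ip_network(remote), peer)


# Constructed topology: hub = a pfSense with LAN 192.168.3.0/24 that also
# terminates the mobile clients, site9 = the remote pfSense with LAN
# 192.168.9.0/24, rw = a road-warrior client holding 192.168.4.213.
GATEWAYS = {
    "rw": [
        p2("192.168.4.213/32", "192.168.3.0/24", "hub"),
        p2("192.168.4.213/32", "192.168.9.0/24", "hub"),
    ],
    "hub": [
        p2("192.168.3.0/24", "192.168.9.0/24", "site9"),
        p2("192.168.4.0/24", "192.168.9.0/24", "site9"),
        p2("192.168.3.0/24", "192.168.4.0/24", "rw"),  # mobile P2: LAN only
    ],
    "site9": [
        p2("192.168.9.0/24", "192.168.3.0/24", "hub"),
        p2("192.168.9.0/24", "192.168.4.0/24", "hub"),
    ],
}


def has_policy(gateways, gw, local_ip, remote_ip, peer):
    """True if `gw` holds a Phase 2 toward `peer` whose local selector
    contains local_ip and whose remote selector contains remote_ip."""
    return any(local_ip in loc and remote_ip in rem and p == peer
               for loc, rem, p in gateways[gw])


def trace(gateways, src, dst, tunnels):
    """Walk src->dst over the ordered (sender, receiver) tunnel list.

    The sender needs an outbound selector covering src->dst toward the
    receiver; the receiver needs the mirrored selector (its local side
    contains dst, its remote side contains src) or the decrypted packet
    fails the inbound policy check. Returns None when every hop matches,
    otherwise a string naming the first failing hop.
    """
    src, dst = ip_address(src), ip_address(dst)
    for a, b in tunnels:
        if not has_policy(gateways, a, src, dst, b):
            return f"{a}: no Phase 2 sending {src} -> {dst} toward {b}"
        if not has_policy(gateways, b, dst, src, a):
            return f"{b}: no Phase 2 accepting {src} -> {dst} from {a}"
    return None


def check_ping(gateways, src, dst, path):
    """Trace the echo request along `path` and the echo reply back along
    the reversed path. Returns (request_failure, reply_failure); both are
    None when the ping can complete."""
    back = [(b, a) for a, b in reversed(path)]
    return (trace(gateways, src, dst, path),
            trace(gateways, dst, src, back))


# Constructed path for a client ping to the far site: rw -> hub -> site9.
PATH = [("rw", "hub"), ("hub", "site9")]

if __name__ == "__main__":
    print(check_ping(GATEWAYS, "192.168.4.213", "192.168.9.2", PATH))
    # Constructed fix: give the hub's mobile tunnel a second Phase 2 whose
    # local network is the far site's LAN, then trace again.
    fixed = {k: list(v) for k, v in GATEWAYS.items()}
    fixed["hub"].append(p2("192.168.9.0/24", "192.168.4.0/24", "rw"))
    print(check_ping(fixed, "192.168.4.213", "192.168.9.2", PATH))
```

In the constructed configuration the request is encrypted by the client and decrypted by the hub, but the hub's only mobile-client Phase 2 covers its own LAN, so the trace stops there; the reply fails at the same gateway in the other direction. Adding the missing selector on the hub's mobile tunnel clears both, while the existing 3.0/24 to 9.0/24 tunnel traces clean in either direction.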



  • mxx:

    Thanks for your reply…

    Yes, I have 2 P2s on the 192.168.9.0 firewall (also pfSense 2.0 RC1):
    one for 192.168.3.0/24 and one for 192.168.4.0/24.

    However, the 4.0/24 one is listed with a yellow check box on the IPsec status page, while the first (3.0/24) is green.
    I don't understand how one can fail and the other succeed.



  • Hi, since no one else with more knowledge replied:

    Sorry for the dumb question, but do both endpoints have this second P2?
    Is the road-warrior VPN also IPsec?
    If yes and it doesn't work, try adding a gateway (pfSense's LAN IP) and add routes for those IPsec networks through the LAN IP. That way it should be possible for the firewall to reach the other endpoint directly…

