Static Route to adress a specific Gateway in the remote network?



  • Hello,

    i have a working site to site IPSEC vpn. I'll call them siteA and siteB. Both sides uses a pfsense.

    At siteB, i have a specific gateway (call it RGW)for certain ip-adresses to connect to another remote network.
    I setup a static route on the pfsense a siteB to point to this RGW, so any host on siteB can access it, because they use the pfsense as the default gateway.

    Now i want hosts at siteA also give access to the RGW at siteB.
    I setup a static route on the pfsense at siteA to point to the RGW at siteB.

    To be more concret:
    siteA: 192.168.1.0/24
    siteB: 192.168.2.0/24
    RGW: 192.168.2.2 (router to access 10.0.0.24)
    Static Route Entry on pfsense (tried LAN and WAN as interface)
    10.0.0.24/32 Gateway: 192.168.2.2

    The problem:
    Using a traceroute to 10.0.0.24 on a host at siteA always returns: router (which is pfsense) returned: target not reachable ….
    However, from that host, i can still ping 192.168.2.2

    Doing the same on a host at siteB works fine.

    I assume that for some reasons, the static route entry has "connection" to the IPSEC VPN tunnel.

    Any ideas?

    Wolfgang



  • The tunneldefinition determines what traffic goes through. Static routes won't work for IPSEC. As you can't sum up the remote subnets to one larger subnet you need parallel tunnels. For parallel tunnels to work you have to use unique identifiers for both tunnels (add them at vpn>ipsec, presharde keys tab) instead of using my IP-Adress. Otherwise the ipsectraffic gets messed up as both tunnels run between the same endpoints.

    Then create additional to the tunnel that you already have (after you changed it to use a unique identifier):

    siteA subnet 192.168.1.0/24  to  siteB 10.0.0.24/32

    You have to use this definition at both ends, so the local subnet at siteB is 10.0.0.24/32 and not LANsubnet in the IPSEC Tunneldefinition. Then just add the static route at siteB to 10.0.0.24/32.

    Don't forget to remove the the static route to 10.0.0.24/32 at siteA.



  • Thank you.
    If i understand correctly, that means in turn that i have to setup a tunnel for each host that should be reachable via the gateway, it that host does not fit into a network that can be assigned for an existing IPSEC tunnel.

    Mhh that will make things quite complex, because the hosts that should be reachable via that gateway, do not follow a pattern in terms of ipadresses, and it is beyond my reach to change them.

    As a workaround, would it be possible, to route any traffic from siteA to siteB using a subnet like 0.0.0.0/0 in the IPSEC Tunnel definition, and maintain a static route table only on siteB?
    If this is possible, how would the default route be handled? (default route vs. IPSEC subnet 0.0.0.0./0)



  • @hoba:


    For parallel tunnels to work you have to use unique identifiers for both tunnels (add them at vpn>ipsec, presharde keys tab) instead of using my IP-Adress.
    ...

    Why do i need to setup the identifiers there? Why would it not be sufficant to setup the identifiers in the vpn tunnel definition: Phase 1 proposal (Authentication)/My identifier (where i can select my ipadress/fqdn/domainname etc).

    So what is the difference?
    and
    What to select in the "vpn tunnel definition/My identifier " , when setting up an unique identifier.



  • Wouldn't it be bad if you just setup identifiers that te other end doesn't know of and access is always granted?  ;)

    Have a look at http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ how to use identifiers. It's not your exact scenario but you just have to do some abstraction and make both ends use identifiers like shown in this tutorial for each of the parallel tunnels.



  • Thanks. I look into the this.

    Would do you think about the scenarion using 0.0.0.0 as a vpn subnet as described above?



  • This means that all traffic to the internet would be routed to the other location and exit to the internet there too. Something that you probably don't want as you then load the other location with additional up and downstream of the remote location.



  • I need to come back to this again.
    For some reasons it fails. It seems there are two issues:

    No matter what i do, i get this error (even with one tunnel, however it works)
    1.) racoon: WARNING: No ID match.

    I did the following:
    SiteA:

    Tunnel Configuration:
    Negotiation Mode: "agressive" (to allow seperate Identifiers for the seperate IPSec Tunnels)
    Authentication type: "Pre-Shared Key" : key1
    My Identifier: "Domain name" : SiteAvalue

    Keys/Pre-Shared Keys:
    Identifier: SiteBvalue
    Pre-Shared Key: key1

    SiteB:

    Tunnel Configuration:
    Negotiation Mode: "agressive" (to allow seperate Identifiers for the seperate IPSec Tunnels)
    Authentication type: "Pre-Shared Key" : key1
    My Identifier: "Domain name" : SiteBvalue

    Keys/Pre-Shared Keys:
    Identifier: SiteAvalue
    Pre-Shared Key: key1

    The idea:
    -SiteA passes the Identifer to SiteB.
    -SiteB looks up the identifer in Keys/Pre-Shared Keys and uses is. (so it uses the idetifer as an index to get the pre-shared key)
    What i do not understand:
    Why would i have to provide the pre-shared-key in the Tunnel definition, if both sites can lookup the key in "Keys/Pre-Shared Keys"?

    2.) Even when using only one tunnel using the configuration to get access to the remote host via the gateway like described above

    siteA subnet 192.168.1.0/24  to  siteB 10.0.0.24/32

    no tunnel gets established.
    It seems, that siteB does not like to terminate a VPN IPsec tunnel, if the network does not match the network configured for the lan.
    (Note: the static route entry to the GW exists on siteB)

    The pfsense versions are both the same: 
    Version:1.0.1 built on Sun Oct 29 01:07:16 UTC 2006

    Any ideas are welcome

    Regards

    Wolfgang



  • try upgrading to a newer version of pfsense
    sins 29 oct there is changed and fixed a lot



  • The current version is the one mentioned as can be seen here:
    http://pfsense.blogspot.com/2006/10/101-released.html

    Or do you mean the head version?




Log in to reply