Netgate Discussion Forum

    Ipsec Multiple subnet problem between pfsense and vigor

    • T
      talraveh
      last edited by

Hello,

I have two sites and I am trying to connect them.
Site A (main) has two subnets and pfSense (2.0-RELEASE (i386) built on Tue Sep 13 17:28:43 EDT 2011).
Site B has one subnet with a Vigor 2910 and needs access to all site A subnets.

```
site A               site B

192.168.48.0/24      10.100.100.0/24
192.168.47.0/24
```

I configured an IPsec tunnel with one phase 1 and two phase 2 entries:

```
Ph 2-a -> local subnet 192.168.48.0/24      remote subnet 10.100.100.8
Ph 2-b -> local subnet 192.168.47.0/24      remote subnet 10.100.100.8
```

I have access between 10.100.100.0/24 and 192.168.48.0/24, but I don't have access between 10.100.100.0/24 and 192.168.47.0/24.
When I check the IPsec status, I see that pfSense thinks all tunnels are up.

I have a few more IPsec tunnels on this machine (single subnet) that work fine.

I need help.

racoon.conf:

```
$ cat /var/etc/racoon.conf

# This file is automatically generated. Do not edit

path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

listen
{
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
isakmp x.x.x.x [500];
isakmp_natt x.x.x.x [4500];
}

remote y.y.y.y
{
ph1id 1;
exchange_mode main;
my_identifier address x.x.x.x;
peers_identifier address y.y.y.y;
ike_frag on;
generate_policy = off;
initial_contact = on;
nat_traversal = on;

dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check claim;

proposal
{
authentication_method pre_shared_key;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}

sainfo subnet 192.168.47.0/24 any subnet 10.100.100.0/24 any
{
remoteid 1;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1,hmac_md5;

lifetime time 3600 secs;
compression_algorithm deflate;
}

sainfo subnet 192.168.48.0/24 any subnet 10.100.100.0/24 any
{
remoteid 1;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1,hmac_md5;

lifetime time 3600 secs;
compression_algorithm deflate;
}
```

      • T
        talraveh
        last edited by

I think it's related to the remoteid, which is the same.

Thank you all.

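A quick way to check for the situation described in this thread, two Phase 2 (`sainfo`) entries that reuse the same `remoteid` and the same remote selector, is to parse the generated racoon.conf and group the selectors. This is an added example, not code from the thread or from pfSense; it assumes the pfSense 2.0 racoon.conf layout shown above and embeds a constructed sample built from the two `sainfo` blocks in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two sainfo blocks posted above
# (subnets from the post), embedded so the script runs offline.
SAMPLE_RACOON_CONF = """
sainfo subnet 192.168.47.0/24 any subnet 10.100.100.0/24 any
{
remoteid 1;
encryption_algorithm 3des;
}

sainfo subnet 192.168.48.0/24 any subnet 10.100.100.0/24 any
{
remoteid 1;
encryption_algorithm 3des;
}
"""

# Matches "sainfo subnet <local> <proto> subnet <remote> <proto> { ... }"
SAINFO_RE = re.compile(
    r"sainfo\s+subnet\s+(\S+)\s+(\S+)\s+subnet\s+(\S+)\s+(\S+)\s*\{(.*?)\}",
    re.S,
)


def parse_sainfo(conf_text):
    """Return a list of (local_subnet, remote_subnet, remoteid) per sainfo block."""
    entries = []
    for m in SAINFO_RE.finditer(conf_text):
        local, _lproto, remote, _rproto, body = m.groups()
        rid = re.search(r"remoteid\s+(\d+)\s*;", body)
        entries.append((local, remote, rid.group(1) if rid else None))
    return entries


def find_shared_remote_selectors(entries):
    """Map (remoteid, remote_subnet) -> local subnets that share that pair.
    Only pairs used by more than one sainfo block are returned."""
    groups = defaultdict(list)
    for local, remote, rid in entries:
        groups[(rid, remote)].append(local)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_sainfo(SAMPLE_RACOON_CONF)
    for (rid, remote), local_nets in find_shared_remote_selectors(entries).items():
        print(f"remoteid {rid}: remote {remote} is selected by {len(local_nets)} "
              f"Phase 2 entries: {', '.join(local_nets)}")
```

Run it against `/var/etc/racoon.conf` by reading that file into `parse_sainfo` instead of the sample; any printed pair is a Phase 2 selector reused across entries for the same peer, which is worth comparing against the Vigor side's own subnet list.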
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.