Routing to remote tunnels
I have a site to site tunnel between my home pfSense 2 and my office Cisco ASA.
Home net: 192.168.168.0/24
Office net: 172.16.89.0/24
The office ASA has additional tunnels to our clients; however, I can't reach them from home, despite the traffic being allowed on the ASA (per ASDM's packet tracer). For example, I want to be able to SSH to a host on the 10.0.0.0/24 subnet.
However a traceroute from my desktop at home to a 10.0.0.0 address shows it hitting the pfSense and going out to my ISP.
I tried setting up a second gateway with the ASA's VPN IP address and then adding a static route, but the route doesn't appear in the route table under Diagnostics (and there is no connectivity). If I manually add "route add -net 10.0.0.0/24 172.16.89.1" at the command line, I get "Network Unreachable", despite 172.16.89.1 being pingable (if I am at the command line and do "ping -S 192.168.168.2 172.16.89.1").
Suggestions? What am I missing / doing wrong?
Maybe you need another phase 2 entry for 10.0.0.0/24?
I'm not too positive, though; I'm a newbie. Are you trying to do a hub-and-spoke type setup? I've had success doing this with three machines. Both outer endpoints have one connection to the hub, and each connection has a phase 2 entry for each network.
I did try adding another phase 2 entry, but no go (if this IS the way to do it, I can add the tunnels, but I was hoping/assuming there'd be a simple enough way with ACLs to do: home desktop > ASA (via IPsec) > client host).
It is a hub-and-spoke… but essentially the end result is that spokes, as a rule, cannot talk to other spokes.
Except for our employees home spokes. Which can talk to all other spokes, through the hub (and have appropriate rules in place so that client spokes cannot use our spokes as a conduit to other client spokes).
You have to have multiple phase 2s on both sides (it doesn't quite look the same on the ASA, where it's just additional lines in the ACL for the P2, but it's the same). You can't route over IPsec tunnel mode, on either the ASA or pfSense, or anything.
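The point made in the answers above (a static route cannot push traffic into a tunnel-mode IPsec tunnel; only a matching phase 2 traffic selector does, and the hub needs matching selectors on both the home tunnel and the client tunnel) can be made concrete with a small model of the selector lookup. This is an added example, not pfSense or ASA code and not from anyone in the thread. The subnets are the ones in the question; the peer names, the second client subnet 10.0.1.0/24 (used to show why spokes stay isolated) and the first-match, address-only selector logic are constructed assumptions that ignore ports, protocols and the client spoke's own configuration.

```python
"""Model of IPsec tunnel-mode traffic selection for a hub-and-spoke setup.

Added example: a simplified view of what the kernel's security policy
database does, not the actual pfSense or ASA implementation.
Constructed assumptions: peer names, the second client 10.0.1.0/24, and
address-only first-match selectors (no ports or protocols).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Phase2:
    """One phase 2 traffic selector on a device, bound to an IKE peer.
    On pfSense this is one P2 entry; on the ASA it is one ACE in the
    crypto-map ACL for that peer."""
    local: IPv4Network
    remote: IPv4Network
    peer: str


def match_outbound(p2s: Sequence[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Policy lookup for a packet leaving the protected side: first selector
    whose local covers src and remote covers dst. No match means the packet is
    never encrypted and simply follows the routing table, which is why a
    static route by itself cannot steer traffic into the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for p in p2s:
        if s in p.local and d in p.remote:
            return p
    return None


def spoke_decision(p2s: Sequence[Phase2], src: str, dst: str) -> str:
    """What the home firewall does with src->dst: 'ipsec:<peer>' when a
    selector matches, otherwise 'default-gateway' (out to the ISP, the
    traceroute symptom in the question)."""
    p = match_outbound(p2s, src, dst)
    return f"ipsec:{p.peer}" if p else "default-gateway"


def hub_transit(hub_p2s: Sequence[Phase2], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Hub view of a spoke-to-spoke packet. The decrypted packet must match the
    inbound direction of a selector (remote covers src, local covers dst) and
    then an outbound selector toward a different peer (local covers src,
    remote covers dst). Returns (inbound_peer, outbound_peer) or None when the
    hub has no selector path, which is exactly how spoke isolation is enforced."""
    s, d = ip_address(src), ip_address(dst)
    inbound = next((p for p in hub_p2s if s in p.remote and d in p.local), None)
    if inbound is None:
        return None
    outbound = next((p for p in hub_p2s
                     if s in p.local and d in p.remote and p.peer != inbound.peer), None)
    if outbound is None:
        return None
    return (inbound.peer, outbound.peer)


# Subnets from the question; CLIENT_B is a constructed second spoke.
HOME = ip_network("192.168.168.0/24")
OFFICE = ip_network("172.16.89.0/24")
CLIENT_A = ip_network("10.0.0.0/24")
CLIENT_B = ip_network("10.0.1.0/24")

# Home pfSense: the single P2 from the question, then with the extra P2 added.
HOME_BEFORE = [Phase2(HOME, OFFICE, "office-asa")]
HOME_AFTER = HOME_BEFORE + [Phase2(HOME, CLIENT_A, "office-asa")]

# Hub ASA: one selector per spoke, then the two extra "lines in the ACL":
# CLIENT_A<->HOME on the home tunnel and HOME<->CLIENT_A on the client tunnel.
HUB_BEFORE = [
    Phase2(OFFICE, HOME, "home-pfsense"),
    Phase2(OFFICE, CLIENT_A, "client-a"),
    Phase2(OFFICE, CLIENT_B, "client-b"),
]
HUB_AFTER = HUB_BEFORE + [
    Phase2(CLIENT_A, HOME, "home-pfsense"),
    Phase2(HOME, CLIENT_A, "client-a"),
]

if __name__ == "__main__":
    print("home->client, one P2:   ", spoke_decision(HOME_BEFORE, "192.168.168.2", "10.0.0.5"))
    print("home->client, two P2s:  ", spoke_decision(HOME_AFTER, "192.168.168.2", "10.0.0.5"))
    print("hub transit before:     ", hub_transit(HUB_BEFORE, "192.168.168.2", "10.0.0.5"))
    print("hub transit after:      ", hub_transit(HUB_AFTER, "192.168.168.2", "10.0.0.5"))
    print("client A -> client B:   ", hub_transit(HUB_AFTER, "10.0.0.5", "10.0.1.5"))
```

With the single phase 2 the home side sends 10.0.0.0/24 traffic to the default gateway, and even once the home side is fixed the hub drops the flow until its own crypto ACL carries both the inbound line for the home tunnel and the outbound line for the client tunnel; client-to-client traffic still finds no selector path, which is the isolation the thread describes.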