Routing through VPN tunnel
-
Not sure if this is the right place or if it belongs in the VPN sub-forum…
Have a setup that consists of several pfSense boxes that all connect to a couple of centrally placed pfSense boxes. Routing between branches and main site works like it should, but I would like to be able to route traffic from a couple of the branches to all the other branches. Since I don't want to add tunnels between all branches I want it to go through the main site.
Looking at the options I have in System>Routing I don't see any way of achieving this. Adding a route on the "Routes" tab, I need to specify a gateway, but when adding a gateway on the "Gateways" tab I cannot specify VPN as the interface where the traffic goes. Only LAN and WAN is available and since the subnet is not available on either of these interfaces I cannot add it (which of course makes sense).
So, any suggestions on how to get this working?
Regards,
Anders
-
what type of VPN?
-
IPsec…
-
Then you just add additional phase 2 entries matching the appropriate local and remote subnets on every IPsec connection. An additional one at each branch for each other branch, and the same at the main end.
-
@cmb:
Then you just add additional phase 2 entries matching the appropriate local and remote subnets on every IPsec connection. An additional one at each branch for each other branch, and the same at the main end.
Just to be sure, I'm listing your suggestion here as I perceive it:
Main site: 192.168.1.0/24
Branch A: 192.168.2.0/24
Branch B: 192.168.3.0/24
Branch C: 192.168.4.0/24
So I would just add additional Phase 2 entries on the tunnel between branch A and Main site that contain the IP addresses of branch B and C?
Wouldn't that cause routing problems at the main site as it now has 2 route entries for branch B and C?
Regards,
Anders
-
Then branch A would have 3 phase 2 entries:
Remote 192.168.1.0/24
Remote 192.168.3.0/24
Remote 192.168.4.0/24
all with local 192.168.2.0/24. Duplicate the same (changing subnets accordingly) at the other locations.
Or just make the first P2 have a 192.168.0.0/16 everywhere and you can do it with a single P2.
Wouldn't that cause routing problems at the main site as it now has 2 route entries for branch B and C?
No, it still has just one entry to that remote network. The others are local on that end, remote to the branch ends.
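Added illustration (my own, not code from the thread or from pfSense): a small Python model of the phase 2 selector sets cmb describes, both the per-peer variant and the single 192.168.0.0/16 P2, plus two checks a practitioner would run before blaming routing: every P2 must have an exact (remote, local) mirror on the far end, and every branch pair must be selected on the branch-to-hub leg, the hub-to-branch leg and the return leg. Site names, `SITES`, and all function names are assumptions of this example; `hub_left_with_main_only` models a hypothetical misconfiguration, not anything reported in the thread.

```python
import ipaddress
from itertools import permutations

# Constructed sample topology from the thread; "main" is the hub.
SITES = {"main": "192.168.1.0/24", "A": "192.168.2.0/24",
         "B": "192.168.3.0/24", "C": "192.168.4.0/24"}
HUB = "main"

def phase2_entries(sites, hub, summary=None):
    """Return {(end, peer): [(local, remote), ...]} for every tunnel end.

    Default: each branch gets one P2 per other site (local = own /24) and the
    hub end mirrors them. summary="192.168.0.0/16": one P2 per tunnel instead.
    """
    entries = {}
    for b in (s for s in sites if s != hub):
        if summary:
            entries[(b, hub)] = [(sites[b], summary)]
            entries[(hub, b)] = [(summary, sites[b])]
        else:
            remotes = [s for s in sites if s != b]
            entries[(b, hub)] = [(sites[b], sites[r]) for r in remotes]
            entries[(hub, b)] = [(sites[r], sites[b]) for r in remotes]
    return entries

def hub_left_with_main_only(entries, sites, hub):
    """Hypothetical mistake: hub end keeps only main<->branch P2s."""
    return {k: [p for p in v if k[0] != hub or p[0] == sites[hub]]
            for k, v in entries.items()}

def selects(entries, end, peer, src, dst):
    """True if a P2 on tunnel end->peer covers src (local) -> dst (remote)."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return any(s.subnet_of(ipaddress.ip_network(l)) and
               d.subnet_of(ipaddress.ip_network(r)) for l, r in entries[(end, peer)])

def unmirrored(entries):
    """P2s with no exact (remote, local) twin on the far end; a common reason a P2 never comes up."""
    return [(end, peer, l, r) for (end, peer), p2s in entries.items()
            for l, r in p2s if (r, l) not in entries[(peer, end)]]

def unreachable_pairs(sites, hub, entries):
    """Branch pairs not selected on the branch->hub, hub->branch and return legs."""
    return [(a, b) for a, b in permutations([s for s in sites if s != hub], 2)
            if not (selects(entries, a, hub, sites[a], sites[b]) and
                    selects(entries, hub, b, sites[a], sites[b]) and
                    selects(entries, b, hub, sites[b], sites[a]))]
```

With the full per-peer set or the /16 summary both checks come back empty; if the hub end is left with only its main<->branch P2s, every branch pair shows up as unreachable and the branch-side extra P2s show up as unmirrored.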
-
@cmb:
Then you just add additional phase 2 entries matching the appropriate local and remote subnets on every IPsec connection. An additional one at each branch for each other branch, and the same at the main end.
Just to be sure, I'm listing your suggestion here as I perceive it:
Main site: 192.168.1.0/24
Branch A: 192.168.2.0/24
Branch B: 192.168.3.0/24
Branch C: 192.168.4.0/24
So I would just add additional Phase 2 entries on the tunnel between branch A and Main site that contain the IP addresses of branch B and C?
Wouldn't that cause routing problems at the main site as it now has 2 route entries for branch B and C?
Regards,
Anders
Did you get this working? A couple others (myself included) are trying the same and having various problems. I can't get the additional Phase 2 to come up. I posted at http://forum.pfsense.org/index.php/topic,48952.0.html.
-
Sorry for the delayed answer, need to remember to enable notify on threads I participate in…
But no, unfortunately I didn't get this to work but haven't spent much time on it either...