Routing Problem with IPSec Tunnels (3 different Sites)
-
Hi all!
I'm having a routing problem over an IPsec tunnel, so I will explain my setup and hope that someone could help me, ok! I have the following setup:
Site A <------IPSEC------> Site B <------IPSEC------> Site C
192.168.200.0/24 10.10.0.0/24 10.20.0.0/24
The tunnels between Site A and Site B are working fine.
The tunnels between Site B and Site C are working fine too. On all IPsec interfaces I have only one rule passing all the traffic.
My problem is when a client from Site C tries to reach some client on Site A or vice versa.
I don't know how to route it correctly. I've tried to set up a GRE tunnel (but I've never used it before), so I'm really in trouble.
Does anyone have any tip or solution for this?? Thanks!
-
If you're doing IPsec tunnel mode, you don't want GRE. Either setup a tunnel direct from A to C, or if you want to route from A to B to C and vice versa, you'll need additional phase 2 entries matching those subnets for each. On site C, local 10.20.0.0/24, remote 192.168.200.0/24, on site B, local 10.20.0.0/24, remote 192.168.200.0/24, on site A local 192.168.200.0/24 remote 10.20.0.0/24.
-
Hi cmb, thanks for your help, but unfortunately the setup that you told me didn't work.
The phase 2 tunnels between Site B and Site C with that scheme of local and remote LANs didn't start the tunnel. But if I put on Site B local 192.168.200.0 and remote 10.20.0.0 it starts, but I didn't have any traffic!
For example, if I try to reach a device on Site A from Site C, it matches the pfSense gateway on Site C and then it stops answering!
Thanks!
-
It works, you just have to make sure you have the appropriate matching P2s everywhere, and that your IPsec rules permit that traffic to be routed.
-
I've tried, but I can't turn it on on the sites because Site A is a datacenter in the USA and they use a Cisco ASA firewall.
-
You can do the same thing with an ASA; it just requires an additional line in the ACL that the VPN matches.
-
I'm trying the exact same thing with pfSense 2. I have working tunnels between SiteA and SiteB, then SiteB and SiteC, so I added a 2nd phase 2 to SiteC with the remote network being 1.2.3.4. Then at SiteB in the IPsec logs I see the following, indicating that the 2nd phase 2 is failing (right?). What's going on?
Where SiteA is 1.2.3.4, SiteB is 2.3.4.5, and SiteC is 3.4.5.6:
racoon: [SiteC]: [3.4.5.6] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
racoon: [SiteC]: INFO: respond new phase 2 negotiation: 2.3.4.5[500]<=>3.4.5.6[500]
racoon: ERROR: failed to get sainfo.
racoon: ERROR: failed to get sainfo.
-
Without seeing your exact config it's hard to speculate. Generally speaking, that error means your Phase 2 definitions do not line up.
For that kind of setup, you end up with something like:
IPsec A<->B
192.168.200.0/24 <-> 10.10.0.0/24
192.168.200.0/24 <-> 10.20.0.0/24
IPsec B<->C
10.10.0.0/24 <-> 10.20.0.0/24
192.168.200.0/24 <-> 10.20.0.0/24
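The two failure modes in this thread ("failed to get sainfo" when a Phase 2 has no mirrored counterpart on the peer, and a tunnel that comes up but carries no transit traffic because the hub lacks the selectors for the far subnet) can be checked mechanically before touching the firewalls. The following is an added example, not code from the thread or from pfSense; the `Phase2` records, the `LANS` map and the two selector sets are constructed from the subnets in the thread, and `BROKEN` reproduces the mismatch described in the replies above (Site B's P2 toward C written as local 10.20.0.0/24, remote 192.168.200.0/24, which no P2 on Site C mirrors).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 (traffic selector) entry as configured on a site."""
    site: str    # site where the entry is configured
    peer: str    # site at the other end of the IPsec tunnel
    local: str   # local network (CIDR)
    remote: str  # remote network (CIDR)


def mirror(p2: Phase2) -> Phase2:
    """The entry the peer must have for this P2 to negotiate: sides and networks swapped."""
    return Phase2(p2.peer, p2.site, p2.remote, p2.local)


def unmatched_phase2(p2s):
    """Return every P2 whose mirror is missing on the peer (racoon: 'failed to get sainfo')."""
    configured = set(p2s)
    return [p for p in p2s if mirror(p) not in configured]


def find_selector(p2s, site, src, dst):
    """Return the P2 on `site` whose local covers src and remote covers dst, else None."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for p in p2s:
        if p.site == site and src_ip in ip_network(p.local) and dst_ip in ip_network(p.remote):
            return p
    return None


def trace_path(p2s, lans, src, dst, start_site, max_hops=5):
    """Follow the selectors hop by hop from start_site toward the site owning dst.

    Returns the list of sites traversed, or None if some hop has no matching
    P2 or the peer lacks the mirrored P2 (the 'tunnel up, no traffic' case).
    """
    configured = set(p2s)
    dst_ip = ip_address(dst)
    site, path = start_site, [start_site]
    for _ in range(max_hops):
        if dst_ip in ip_network(lans[site]):
            return path
        p = find_selector(p2s, site, src, dst)
        if p is None or mirror(p) not in configured:
            return None
        site = p.peer
        path.append(site)
    return None


# Constructed from the subnets in the thread.
LANS = {"A": "192.168.200.0/24", "B": "10.10.0.0/24", "C": "10.20.0.0/24"}

# The full hub-and-spoke scheme from the last reply: every transit pair appears
# on both ends of both tunnels, mirrored.
WORKING = [
    Phase2("A", "B", "192.168.200.0/24", "10.10.0.0/24"),
    Phase2("A", "B", "192.168.200.0/24", "10.20.0.0/24"),
    Phase2("B", "A", "10.10.0.0/24", "192.168.200.0/24"),
    Phase2("B", "A", "10.20.0.0/24", "192.168.200.0/24"),
    Phase2("B", "C", "10.10.0.0/24", "10.20.0.0/24"),
    Phase2("B", "C", "192.168.200.0/24", "10.20.0.0/24"),
    Phase2("C", "B", "10.20.0.0/24", "10.10.0.0/24"),
    Phase2("C", "B", "10.20.0.0/24", "192.168.200.0/24"),
]

# Same, except Site B's transit P2 toward C has local/remote the wrong way round,
# so it and Site C's counterpart no longer mirror each other.
BROKEN = [p for p in WORKING if p != Phase2("B", "C", "192.168.200.0/24", "10.20.0.0/24")]
BROKEN.append(Phase2("B", "C", "10.20.0.0/24", "192.168.200.0/24"))


if __name__ == "__main__":
    for name, p2s in (("working", WORKING), ("broken", BROKEN)):
        print(name, "unmatched:", unmatched_phase2(p2s))
        print(name, "A->C path:", trace_path(p2s, LANS, "192.168.200.5", "10.20.0.7", "A"))
        print(name, "C->A path:", trace_path(p2s, LANS, "10.20.0.7", "192.168.200.5", "C"))
```

`unmatched_phase2` flags the pairs that will never negotiate; `trace_path` then confirms that a packet between the two spoke LANs has a selector at every hop, including the hub, which is exactly what the "matching P2s everywhere" advice means. The check says nothing about the firewall rules on the IPsec interface, which must still permit the transit subnets as noted above.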