    Routing Problem with IPSec Tunnels (3 different Sites)

fneto

      Hi all!
I'm having a routing problem over an IPsec tunnel, so I will explain my setup and hope that someone can help me, OK?

      I have the following setup:

Site A  <------IPsec------>  Site B  <------IPsec------>  Site C
192.168.200.0/24             10.10.0.0/24                 10.20.0.0/24

      The tunnels between SiteA and SiteB are working fine.
      The tunnels between SiteB and SiteC are working fine too.

      On all IPSec interfaces I have only one rule passing all the traffic.

My problem is when a client from Site C tries to reach some client on Site A, or vice versa.

I don't know how to route it correctly. I've tried to set up a GRE tunnel (but I've never used one before), so I'm really in trouble.

Does anyone have a tip or solution for this? Thanks!

cmb

If you're doing IPsec tunnel mode, you don't want GRE. Either set up a tunnel directly from A to C, or, if you want to route from A to B to C and vice versa, you'll need additional Phase 2 entries matching those subnets for each. On site C, local 10.20.0.0/24, remote 192.168.200.0/24; on site B, local 10.20.0.0/24, remote 192.168.200.0/24; on site A, local 192.168.200.0/24, remote 10.20.0.0/24.

fneto

Hi cmb, thanks for your help, but unfortunately the setup that you told me didn't work.

The Phase 2 tunnels between Site B and Site C with that scheme of local and remote LANs didn't start the tunnel. But if I put local 192.168.200.0 and remote 10.20.0.0 on site B, it starts, but I didn't have any traffic!

For example, if I try to reach a device on site A from site C, it matches the pfSense gateway on site C and then it stops answering!

          Thanks!

cmb

It works; you just have to make sure you have the appropriate matching P2s everywhere, and that your IPsec rules permit that traffic to be routed.

fneto

I've tried, but I can't turn it on at the sites because site A is a datacenter in the USA and they use a Cisco ASA firewall.

cmb

You can do the same thing with an ASA; it just requires an additional line in the ACL that the VPN matches.

rainabba

I'm trying the exact same thing with pfSense 2. I have working tunnels between SiteA and SiteB, then SiteB and SiteC, so I added a 2nd Phase 2 to SiteC with the remote network between 1.2.3.4. Then at SiteB in the IPsec logs I see the following, indicating that the 2nd Phase 2 is failing (right?). What's going on?

                  Where SiteA is 1.2.3.4, SiteB is 2.3.4.5, and SiteC is 3.4.5.6

                  racoon: [SiteC]: [3.4.5.6] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                  racoon: [SiteC]: INFO: respond new phase 2 negotiation: 2.3.4.5[500]<=>3.4.5.6[500]
                  racoon: ERROR: failed to get sainfo.
                  racoon: ERROR: failed to get sainfo.

jimp (Rebel Alliance Developer, Netgate)

                    Without seeing your exact config it's hard to speculate. Generally speaking, that error means your Phase 2 definitions do not line up.

                    For that kind of setup, you end up with something like:
                    IPsec A<->B
                    192.168.200.0/24 <-> 10.10.0.0/24
                    192.168.200.0/24 <-> 10.20.0.0/24

                    IPsec B<->C
                    10.10.0.0/24 <-> 10.20.0.0/24
                    192.168.200.0/24 <-> 10.20.0.0/24

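The Phase 2 layout cmb and jimp describe above (every LAN pair whose path crosses a tunnel needs a selector on that tunnel, mirrored at the peer), the swapped local/remote variant fneto reported, the "failed to get sainfo" symptom rainabba saw, and the extra ASA crypto ACL line cmb mentions, as one added worked example. This is not code from the thread, from pfSense or from Netgate: the site letters, subnets and hub role come from the posts; the helper names, the `fneto_attempt` reconstruction and the ASA ACL name `outside_cryptomap` are assumptions for illustration.

```python
"""Hub-and-spoke IPsec Phase 2 selector planner and mirror check.

Added example for this thread; not code from pfSense, Netgate or any poster.
Subnets and site roles come from the posts; the ASA ACL name is assumed.
"""
import copy
import ipaddress

Net = ipaddress.IPv4Network

# Constructed from the thread: site B is the hub with a tunnel to A and to C.
SITES = {
    "A": Net("192.168.200.0/24"),
    "B": Net("10.10.0.0/24"),
    "C": Net("10.20.0.0/24"),
}
TUNNELS = [("A", "B"), ("B", "C")]
HUB = "B"


def path(x, y, hub):
    """Sites traversed from x to y: direct if one end is the hub, else via it."""
    return [x, y] if hub in (x, y) else [x, hub, y]


def required_p2(sites, tunnels, hub):
    """Map each tunnel to the set of (left_net, right_net) selectors it must
    carry, where left_net sits behind the tunnel's first endpoint. Every LAN
    pair whose path crosses a tunnel needs a selector on it, which is why the
    spoke-to-spoke pair A<->C appears on both tunnels."""
    plan = {t: set() for t in tunnels}
    names = sorted(sites)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            hops = path(x, y, hub)
            for p, q in zip(hops, hops[1:]):
                if (p, q) in plan:
                    plan[(p, q)].add((sites[x], sites[y]))
                elif (q, p) in plan:
                    plan[(q, p)].add((sites[y], sites[x]))
                else:
                    raise ValueError(f"no tunnel between {p} and {q}")
    return plan


def per_site_p2(plan):
    """Turn the tunnel plan into what each site enters in its own P2 list:
    {site: {peer: {(local_net, remote_net), ...}}}."""
    cfg = {}
    for (l, r), sels in plan.items():
        for left, right in sels:
            cfg.setdefault(l, {}).setdefault(r, set()).add((left, right))
            cfg.setdefault(r, {}).setdefault(l, set()).add((right, left))
    return cfg


def unmirrored(cfg):
    """Return (site, peer, local, remote) for every P2 whose peer has no
    (remote, local) twin. Such an entry never matches the other side's
    proposal; in the thread racoon logs it as 'failed to get sainfo'."""
    bad = []
    for site, peers in cfg.items():
        for peer, sels in peers.items():
            for local, remote in sels:
                if (remote, local) not in cfg.get(peer, {}).get(site, set()):
                    bad.append((site, peer, local, remote))
    return sorted(bad, key=str)


def fneto_attempt(cfg):
    """Assumed reconstruction of the failed variant from the thread: B's
    spoke-to-spoke P2 toward C entered with local/remote swapped
    (local 10.20.0.0/24, remote 192.168.200.0/24)."""
    bad = copy.deepcopy(cfg)
    bad["B"]["C"].discard((SITES["A"], SITES["C"]))
    bad["B"]["C"].add((SITES["C"], SITES["A"]))
    return bad


def asa_crypto_acl(cfg, site, peer, acl_name="outside_cryptomap"):
    """Cisco ASA crypto-map ACL lines for one peer, one per selector; the
    second line is the 'additional line' cmb refers to. acl_name is assumed."""
    return [
        f"access-list {acl_name} extended permit ip "
        f"{local.network_address} {local.netmask} "
        f"{remote.network_address} {remote.netmask}"
        for local, remote in sorted(cfg[site][peer], key=str)
    ]


if __name__ == "__main__":
    plan = required_p2(SITES, TUNNELS, HUB)
    cfg = per_site_p2(plan)
    for (l, r), sels in plan.items():
        print(f"IPsec {l}<->{r}")
        for left, right in sorted(sels, key=str):
            print(f"  {left} <-> {right}")
    print("unmirrored in correct plan:", unmirrored(cfg))
    print("unmirrored in swapped attempt:", unmirrored(fneto_attempt(cfg)))
    print("\n".join(asa_crypto_acl(cfg, "A", "B")))
```

Run stand-alone it prints jimp's two-tunnel table, an empty mismatch list for the correct plan, two flagged entries for the swapped variant (B's 10.20.0.0/24 -> 192.168.200.0/24 toward C has no twin on C, and C's 10.20.0.0/24 -> 192.168.200.0/24 toward B no longer has one on B), and the two ASA ACL lines site A needs toward B. The mirror check only covers selector orientation; the IPsec-interface firewall rules cmb mentions still have to pass the spoke-to-spoke traffic on the hub.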