Routing Problem with IPSec Tunnels (3 different Sites)

fneto

Hi all!
I'm having a routing problem over an ipSec tunnel, so I will explain my setup and hope that someone could help me ok!

I have the following setup:

Site A  <–-----IPSEC------> Site B <------IPSEC------> Site C
192.168.200.0/24            10.10.0.0/24                10.20.0.0/24

The tunnels between SiteA and SiteB are working fine.
The tunnels between SiteB and SiteC are working fine too.

On all IPSec interfaces I have only one rule passing all the traffic.

My problem is  when a client form SiteC try to reach some client on SiteA or vice-versa.

I don't know how to route it correctly. I've tried to setup a GRE tunnel (but I've never have used it before) so I'm really in trouble.

Does anyone have any tip or solution for this?? Thanks!

cmb

If you're doing IPsec tunnel mode, you don't want GRE. Either setup a tunnel direct from A to C, or if you want to route from A to B to C and vice versa, you'll need additional phase 2 entries matching those subnets for each. On site C, local 10.20.0.0/24, remote 192.168.200.0/24, on site B, local 10.20.0.0/24, remote 192.168.200.0/24, on site A local 192.168.200.0/24 remote 10.20.0.0/24.

fneto

Hi cmb thanks for you help, but unfortunately the setup that you told me didn't work.

The phase 2 tunnels between Site B and Site C with that scheme os local and remote lans didn't start the tunnel. But If I put on site B local 192.168.200.0 and remote 10.20.0.0 it starts but I didn't have any traffic!

For example, if I try to reach a device on site A from site C it match the pfSense gateway on drive C and them it stop answering!

Thanks!

cmb

it works, just have to make sure you have the appropriate matching P2s everywhere, and that your IPsec rules permit that traffic to be routed.

fneto

I've tried but I can't turn it on on the  sites because site A is a datacenter in USA and they use a Cisco ASA Firewall

cmb

you can do the same thing with an ASA, just requires an additional line in the ACL that the VPN matches.

rainabba

I'm trying the exact same thing with pfSense 2. I have working tunnels between SiteA and SiteB, then SiteB and SiteC so I added a 2nd phase2 to SiteC with the remote network between 1.2.3.4. Then at SiteB in the IPSEC logs I see the following indicating that the 2nd phase2 is failing (right?). What's going on?

Where SiteA is 1.2.3.4, SiteB is 2.3.4.5, and SiteC is 3.4.5.6

racoon: [SiteC]: [3.4.5.6] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
racoon: [SiteC]: INFO: respond new phase 2 negotiation: 2.3.4.5[500]<=>3.4.5.6[500]
racoon: ERROR: failed to get sainfo.
racoon: ERROR: failed to get sainfo.

jimp

Without seeing your exact config it's hard to speculate. Generally speaking, that error means your Phase 2 definitions do not line up.

For that kind of setup, you end up with something like:
IPsec A<->B
192.168.200.0/24 <-> 10.10.0.0/24
192.168.200.0/24 <-> 10.20.0.0/24

IPsec B<->C
10.10.0.0/24 <-> 10.20.0.0/24
192.168.200.0/24 <-> 10.20.0.0/24