2 gateways, remote sites via IPsec VPN can't see devices on other gateway
-
Hopefully this is the right forum for this question.
Topology:
I have 6 remote sites, all connecting to 1 main office where all the servers are, via IPsec vpns. - works
Goal:
I am trying to get rid of my watchguard firewalls and transition to pfsense, one site at a time.
Problem :
I have established 1 new VPN from the main office to 1 remote site, with the new pfsense unit on each end. Tunnel works perfectly, except now at my main office I have two gateways, the old watchguard unit, and the new pfsense unit.
The remote sites connected via pfsense can only see computers at the main office that have the pfsense as their gateway.
The remote sites connected via watchguard can only see computers at the main office that have the watchguard as their gateway.
Details:
Both the watchguard and pfsense at the main office are using the same subnet, and the same internet connection. Watchguard is 10.1.1.254, pfsense is 10.1.1.253
All network devices at the main office are currently pointed to the old watchguard for the gateway.
All remote sites have a different subnet, so the new pfsense on the remote end is 10.1.9.1
All the other remote sites with the watchguard units I am trying to replace are similar: 10.1.5.1, 10.1.7.1, 10.1.30.1
When I configured the VPN tunnel in phase 2, I told it the local network is 10.1.1.1/24
I can change anything on either end, any idea how to make this transition work?
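The topology in the question can be walked through with a small longest-prefix-match routing model. This is an added example, not code from the thread: it uses the gateway and subnet addresses the poster gave, while the main-office host 10.1.1.50, the remote client 10.1.9.20, the link labels ("ipsec-wg", "ipsec-pf", "wan", "local") and the candidate fix (a static route on the watchguard for 10.1.9.0/24 via 10.1.1.253) are constructed for illustration. It shows why the forward path from the new site works but the reply from a host that still points at the watchguard never reaches the pfsense tunnel.

```python
"""Longest-prefix-match routing walk for the two-gateway main office.

Added example, not from the original post. Addresses 10.1.1.254 (watchguard),
10.1.1.253 (pfsense) and the remote subnets are from the thread; the host
10.1.1.50, the remote client 10.1.9.20 and the link labels are constructed.
"""
from ipaddress import ip_address, ip_network


class Node:
    """A router or host with a static routing table (prefix -> next hop)."""

    def __init__(self, name, routes):
        # next hop is either another node name or a link label such as
        # "ipsec-pf" (tunnel), "wan" (plain internet) or "local" (same LAN)
        self.name = name
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Return the next hop for dst using the most specific matching route."""
        dst = ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from `start` toward dst until a link label is reached."""
    path = [start]
    cur = start
    for _ in range(max_hops):
        nh = nodes[cur].lookup(dst)
        if nh is None:
            path.append("DROP")
            return path
        path.append(nh)
        if nh not in nodes:  # reached a link label: tunnel, WAN or local delivery
            return path
        cur = nh
    path.append("LOOP")
    return path


def build(watchguard_knows_new_site=False):
    """Main office as described: hosts default to the watchguard (10.1.1.254).

    The watchguard terminates the old tunnels (10.1.5/24, 10.1.7/24, 10.1.30/24);
    the pfsense (10.1.1.253) terminates the new one (10.1.9/24). With
    watchguard_knows_new_site=True a constructed static route sends 10.1.9.0/24
    from the watchguard to the pfsense instead of out to the internet.
    """
    wg_routes = [
        ("10.1.1.0/24", "local"),
        ("10.1.5.0/24", "ipsec-wg"),
        ("10.1.7.0/24", "ipsec-wg"),
        ("10.1.30.0/24", "ipsec-wg"),
        ("0.0.0.0/0", "wan"),
    ]
    if watchguard_knows_new_site:
        wg_routes.append(("10.1.9.0/24", "pfsense"))  # hypothetical fix
    return {
        "host": Node("host", [("10.1.1.0/24", "local"), ("0.0.0.0/0", "watchguard")]),
        "watchguard": Node("watchguard", wg_routes),
        "pfsense": Node("pfsense", [
            ("10.1.1.0/24", "local"),
            ("10.1.9.0/24", "ipsec-pf"),
            ("0.0.0.0/0", "wan"),
        ]),
    }


def forward_path(nodes):
    """Packet arriving from 10.1.9.x via the pfsense tunnel, headed for the host."""
    return trace(nodes, "pfsense", "10.1.1.50")


def reply_path(nodes):
    """The host's reply toward the remote client at 10.1.9.20."""
    return trace(nodes, "host", "10.1.9.20")


if __name__ == "__main__":
    print("forward:", forward_path(build()))          # pfsense delivers locally
    print("reply (as described):", reply_path(build()))  # leaves via watchguard WAN
    print("reply (with route):", reply_path(build(True)))  # hairpins to pfsense tunnel
```

Run as-is it prints the three walks: the inbound packet is delivered on the LAN by the pfsense, but the host's reply follows its default route to the watchguard, which has no entry for 10.1.9.0/24 and sends it to the internet, so the remote site never sees an answer. Only with a route for the new subnet on the watchguard (or on the hosts themselves) does the reply reach the pfsense tunnel; a traceroute from a main-office host toward 10.1.9.20 shows the same thing on real equipment.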
-
I actually just did the switch from watchguard to pfsense. From what you're saying, I think you're not looking at the basics of TCP routing. Without a gateway address nothing on the outside of your network (remote subnets) knows how to find that computer/device/printer/whatever. Try doing a trace route command to see where your packets are actually going. I had no luck keeping a reliable tunnel up between watchguard equipment and PFsense for a really smooth transition. So the easiest thing for me was a weekend cut over by driving to all sites and sticking in a PFsense box. This way all of your clients can keep the same gateway address and should function as if nothing is different. Take your time with pfsense; I have found with pfsense if something's not working it's usually a misconfiguration. I assure you it's totally worth it in the end.
-
Thank you for responding,
"Without a gateway address nothing on the outside your network (remote subnets) knows how to find that computer/device/printer/whatever" - not sure I follow what you're saying, every site has a gateway, my main site has 2, which is my problem. From the main site I have no issue going out, as I have created static routes. The problem is from outside the main office, coming in, the outside computers cannot see anything using a different gateway/router at the main office.
"So the easiest thing for me was a weekend cut over by driving to all sites and sticking in a pfsense box." - unfortunately all of my offsite locations are in different states. Although without another solution that is what I will have to do, but it will be hard to coordinate as I do not have anyone technical on the other end…
"I had no luck keeping a reliable tunnel up between watchguard equipment and pfsense for really smooth transition" - I had the same issue, watchguard did not want to work with pfsense at all, I could not even get it to establish a tunnel.
"I assure you it's totally worth it in the end." - agreed, I have worked with pfsense in the past, I am the new admin here, so unfortunately I inherited the watchguard handicap from my predecessor.
-
Yes it seems to be hard to get an answer out of anyone on this forum. Not sure why, but whatever. Any way that you can reconfigure devices and send them out for a coordinated change over? Check these out: http://store.netgate.com/ALIX2D2-Kit-Red-Unassembled-P1028C86.aspx very easy to install and configure