IPsec P2P with rules for non-connected networks?



  • I've successfully set up an IPsec tunnel between two pfSense boxes at different locations.  If I set up the Phase 2 entries to allow the LAN subnets on both sides to talk, that works fine.

    However, I'd like to set it up so two NON-connected IPs can pass through the VPN.  Not Internet traffic, just two specific IPs, like this:

    172.20.1.1(Router)192.168.1.1 - 192.168.1.10(pfSense)1.1.1.1 -(Internet)- 2.2.2.2(pfSense)192.168.2.10 - 192.168.2.1(Router)172.20.2.1

    So, in that example above, I want to allow traffic between 172.20.1.1 and 172.20.2.1.  However, if I create the Phase 2 entries, I never get the little connect icon in Status - IPsec, just the yellow status.  In the IPsec logs I get Unknown Gateway/Dynamic errors.

    I guess I'm not sure what to do - I know it's possible to allow more than just the LAN subnet traffic through (for instance, 0.0.0.0/0 for all traffic), so why not specific non-connected IPs?  I do have routes on each pfSense box to reach those 172.20.x IPs that are behind routers on their respective LAN subnets.

    So, any suggestions?  If this has been answered elsewhere, I apologize.  I did do some searching before I posted this.

    Thanks!



  • Well, I seem to have made this work… I'm not entirely sure how, though.  I deleted all the SPDs on both sides, recreated the Phase 2 rules, and then sent some ICMP traffic from one side to the other, and the tunnel was built.  Even though I had no connect button on either pfSense box, it still came up when traffic appeared.

    So, lesson learned!
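
What the second post observed (no connect button, yet the tunnel came up when ICMP matched the new Phase 2) is how policy-based IPsec on pfSense/strongSwan behaves: the kernel consults the SPD, built from the Phase 2 entries, before the routing table, and a matching packet with no live child SA raises an "acquire" that starts the IKE negotiation. Whether the selector subnets are directly connected is irrelevant to that match; what the static routes do is get the decapsulated packet from the far pfSense to the router in front of 172.20.2.1. The model below is an added example written for this thread, not pfSense or strongSwan code; the addresses, the two sites and the Phase 2 pairs are constructed from the poster's diagram, and the "peer must hold mirrored selectors" step stands in for the IKE traffic-selector negotiation.

```python
"""Model of policy-based IPsec as pfSense/strongSwan use it: the SPD (Phase 2
selectors) is consulted before the routing table, and a matching packet with no
live SA triggers an "acquire" that brings the tunnel up on demand.
All hosts, subnets and Phase 2 entries below are constructed from the thread's diagram."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry: a (local, remote) pair of traffic selectors."""
    local: Net
    remote: Net

    def mirror(self):
        return Phase2(self.remote, self.local)


@dataclass
class Site:
    name: str
    lan: Net                                # directly connected LAN
    routes: dict                            # static routes: prefix -> next hop
    spd: list                               # Phase 2 entries (the SPD)
    sas: set = field(default_factory=set)   # Phase 2 entries with a live child SA

    def outbound_policy(self, src, dst):
        return next((p for p in self.spd if src in p.local and dst in p.remote), None)

    def inbound_policy(self, src, dst):
        return next((p for p in self.spd if src in p.remote and dst in p.local), None)

    def next_hop(self, dst):
        """Longest-prefix match over the connected LAN and static routes."""
        table = [(self.lan, "connected")] + [(Net(p), nh) for p, nh in self.routes.items()]
        best = max((t for t in table if dst in t[0]), key=lambda t: t[0].prefixlen, default=None)
        return "default route" if best is None else best[1]


def send(a, b, src, dst):
    """Trace one packet from a host behind site a to a host behind site b."""
    src, dst = IPv4(src), IPv4(dst)
    steps = []
    p2 = a.outbound_policy(src, dst)
    if p2 is None:                       # no selector covers it: plain routing, never enters the tunnel
        steps.append(f"{a.name}: no SPD match, plain routing toward {a.next_hop(dst)}")
        return steps
    if p2 not in a.sas:                  # SPD hit without an SA: kernel "acquire" -> IKE negotiates
        if p2.mirror() not in b.spd:     # peer must hold the mirrored selectors or Phase 2 fails
            steps.append(f"{a.name}: acquire for {p2.local}<->{p2.remote}, "
                         f"but {b.name} has no matching Phase 2")
            return steps
        a.sas.add(p2)
        b.sas.add(p2.mirror())
        steps.append(f"{a.name}: acquire for {p2.local}<->{p2.remote}, child SA established")
    steps.append(f"{a.name}: encapsulated via SA {p2.local}<->{p2.remote}")
    if b.inbound_policy(src, dst) is None:
        steps.append(f"{b.name}: decapsulated packet violates inbound policy, dropped")
        return steps
    steps.append(f"{b.name}: decapsulated, forwarded toward {b.next_hop(dst)}")
    return steps


def build_sites(lan_only=False):
    """Sites A and B from the thread's diagram (constructed). With lan_only=True the
    Phase 2 entries cover only the LAN subnets, as in the poster's first working setup."""
    a = Site("pfSenseA", Net("192.168.1.0/24"), {"172.20.1.0/24": "192.168.1.1"}, [])
    b = Site("pfSenseB", Net("192.168.2.0/24"), {"172.20.2.0/24": "192.168.2.1"}, [])
    a.spd.append(Phase2(Net("192.168.1.0/24"), Net("192.168.2.0/24")))
    b.spd.append(Phase2(Net("192.168.2.0/24"), Net("192.168.1.0/24")))
    if not lan_only:                     # second Phase 2 pair for the two non-connected hosts
        a.spd.append(Phase2(Net("172.20.1.1/32"), Net("172.20.2.1/32")))
        b.spd.append(Phase2(Net("172.20.2.1/32"), Net("172.20.1.1/32")))
    return a, b


if __name__ == "__main__":
    a, b = build_sites()
    for step in send(a, b, "172.20.1.1", "172.20.2.1"):
        print(step)
```

Running it with only the LAN-subnet Phase 2 shows the 172.20 packet bypassing the tunnel entirely (no SPD match, so it heads for the default route in the clear), which is why a Phase 2 pair covering the two hosts is required; dropping the mirrored entry from the far side shows the negotiation failing at acquire time instead. The static route to 192.168.2.1 only matters after decapsulation, which is the point the poster made about having routes on each box.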

