IPsec P2P with rules for non-connected networks?
-
I've successfully set up an IPsec tunnel between two pfSense boxes at different locations. If I set up the Phase 2 entries to allow the LAN subnets on both sides to talk, that works fine.
However, I'd like to set it up so two NON-connected IPs can pass through the VPN. Not Internet traffic, just two specific IPs, like this:
172.20.1.1 (Router) 192.168.1.1 - 192.168.1.10 (pfSense) 1.1.1.1 - (Internet) - 2.2.2.2 (pfSense) 192.168.2.10 - 192.168.2.1 (Router) 172.20.2.1
So, in that example above, I want to allow traffic between 172.20.1.1 and 172.20.2.1. However, if I create the Phase 2 entries, I never get the little connect icon in Status - IPsec, just the yellow status. In the IPsec logs I get Unknown Gateway/Dynamic errors.
I guess I'm not sure what to do - I know it's possible to allow more than just the LAN subnet traffic through (for instance, 0.0.0.0/0 for all traffic), so why not specific non-connected IPs? I do have routes on each pfSense box to reach those 172.20.x IPs that are behind routers on their respective LAN subnets.
So, any suggestions? If this has been answered elsewhere, I apologize. I did do some searching before I posted this.
Thanks!
-
Well, I seem to have made this work… I'm not entirely sure how, though. I deleted all the SPDs on both sides, recreated the Phase 2 rules, and then sent some ICMP traffic from one side to the other, and the tunnel was built. Even though I had no connect button on either pfSense box, it still came up when traffic appeared.
So, lesson learned!
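As an added illustration that is not part of either post above (the thread's real configuration lives in the pfSense GUI and the strongSwan config it generates), here is a small Python model of the topology in the question: the two routers, the two pfSense boxes with their Phase 2 selectors (SPD entries), and the static routes on each hop. It traces a packet from 172.20.1.1 to 172.20.2.1 and reports which hop would drop it or push it out the WAN in the clear, which is what happens when the Phase 2 entries only cover the LAN subnets, or when a pfSense has no route to the 172.20.x network behind its own LAN router. The node names, the "internet" placeholder hop, the route tables and the mirrored Phase 2 selectors are constructed for the example.

```python
"""Constructed model of the two-site topology from the thread (not pfSense code):
routerA - pfSense1 =(IPsec)= pfSense2 - routerB, with 172.20.1.1 behind routerA
and 172.20.2.1 behind routerB.  Each pfSense holds Phase 2 selectors (SPD entries)
and a routing table; a packet is tunnelled when an SPD entry covers it, otherwise
it follows the routing table like any other packet."""
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


class Node:
    def __init__(self, name, addresses, routes, spd=(), peer=None):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # Routes: (prefix, next-hop node name).  Connected subnets point at the
        # node that owns an address there, which is enough for this model.
        self.routes = [(net(p), nh) for p, nh in routes]
        # Phase 2 entries as (local_ts, remote_ts); only set on the pfSense nodes.
        self.spd = [(net(l), net(r)) for l, r in spd]
        self.peer = peer  # name of the IPsec peer node, if this is a pfSense

    def route(self, dst):
        """Longest-prefix match; None when nothing, not even a default, matches."""
        hits = [(p, nh) for p, nh in self.routes if dst in p]
        return max(hits, key=lambda h: h[0].prefixlen, default=None)

    def outbound_policy(self, src, dst):
        """First Phase 2 whose local/remote selectors cover src -> dst."""
        return next(((l, r) for l, r in self.spd if src in l and dst in r), None)

    def accepts_inbound(self, src, dst):
        """The peer needs the mirrored selector or it drops the decrypted packet."""
        return any(src in r and dst in l for l, r in self.spd)


def trace(nodes, start, src, dst, max_hops=10):
    """Follow a packet src -> dst from node `start`.
    Returns (status, path, reason) where status is "ok" or "fail"."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, path = nodes[start], [start]
    for _ in range(max_hops):
        if dst in cur.addresses:
            return "ok", path, ""
        if cur.peer and cur.outbound_policy(src, dst):
            peer = nodes[cur.peer]
            if not peer.accepts_inbound(src, dst):
                return "fail", path, f"{peer.name}: no mirrored Phase 2 for {src}->{dst}"
            path.append(f"tunnel->{peer.name}")
            cur = peer
            continue
        hit = cur.route(dst)
        if hit is None:
            return "fail", path, f"{cur.name}: no route to {dst}"
        prefix, nh = hit
        if cur.peer and prefix.prefixlen == 0:
            # On a pfSense, a flow that matches no Phase 2 and only the default
            # route leaves the WAN interface in the clear instead of the tunnel.
            return "fail", path, (f"{cur.name}: {src}->{dst} matches no Phase 2 and "
                                  "only the default route; it would leave the WAN unencrypted")
        path.append(nh)
        cur = nodes[nh]
    return "fail", path, "hop limit exceeded"


def build(host_phase2=True, pfsense2_route=True):
    """Topology from the question (constructed).  host_phase2=False reproduces
    LAN-only Phase 2 entries; pfsense2_route=False drops the static route to
    172.20.2.0/24 on the second pfSense."""
    p2 = [("192.168.1.0/24", "192.168.2.0/24")]
    if host_phase2:
        p2.append(("172.20.1.1/32", "172.20.2.1/32"))
    pf2_routes = [("192.168.2.0/24", "routerB"), ("0.0.0.0/0", "internet")]
    if pfsense2_route:
        pf2_routes.append(("172.20.2.0/24", "routerB"))
    nodes = [
        Node("routerA", ["172.20.1.1", "192.168.1.1"], [("0.0.0.0/0", "pfSense1")]),
        Node("pfSense1", ["192.168.1.10", "1.1.1.1"],
             [("192.168.1.0/24", "routerA"), ("172.20.1.0/24", "routerA"),
              ("0.0.0.0/0", "internet")], spd=p2, peer="pfSense2"),
        Node("internet", [], []),  # placeholder: anything sent here in the clear is lost
        Node("pfSense2", ["192.168.2.10", "2.2.2.2"], pf2_routes,
             spd=[(r, l) for l, r in p2], peer="pfSense1"),  # mirrored selectors
        Node("routerB", ["172.20.2.1", "192.168.2.1"], [("0.0.0.0/0", "pfSense2")]),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    for label, kw in [("working", {}), ("LAN-only Phase 2", {"host_phase2": False}),
                      ("no route on pfSense2", {"pfsense2_route": False})]:
        print(label, trace(build(**kw), "routerA", "172.20.1.1", "172.20.2.1"))
```

Running it shows the three situations side by side: with the /32 Phase 2 entries and the static routes in place the packet goes routerA, pfSense1, tunnel, pfSense2, routerB and back the same way; with LAN-only Phase 2 entries pfSense1 has nothing but its default route for 172.20.2.1 and would send it out the WAN unencrypted; with the Phase 2 entry but no route on pfSense2, the decrypted packet is stranded there for the same reason. The model also shows why the selectors must be mirrored on both sides: the receiving pfSense checks its own SPD before it will route a decrypted packet onward.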