Netgate Discussion Forum

    Routing over IPSec

    IPsec
      prkon

      Hello,

      For a week now we have had to route a network over an IPsec tunnel,
      and it seems that we are not able to do so.

      Our configuration:

      Network1 172.20.10.x/24 with PFSense location 1:
          1 foreign router on 172.20.10.240
          1 static route: 10.18.10.138/32 over 172.20.10.240

      Network2 172.20.20.x/24 with PFSense location 2:
          1 static route: 10.18.10.138/32 over 172.20.10.240

      Location 1 and location 2 are linked with an IPsec tunnel.

      Both networks have correct connections net1 <-> net2.
      From network1 we have access to 10.18.10.138/32.
      From network2 we can ping the foreign router on 172.20.10.240.

      Now we must have access to 10.18.10.138/32 from network2 over IPsec
      and via the foreign router in network1.

      layout:

      http://www.gliffy.com/pubdoc/1257444/L.jpg

      Can you help us?

        Sylhouette

        What you need to do is create a second IPsec tunnel for the 10.18.10.x network.
        pfSense, and m0n0wall for that matter, do not know about the static routes over an IPsec tunnel.
        I do not know how to explain it !!!
        All I know is that for each network on the other side you will need to create a tunnel.

          usuarioforum

          Or summarize networks.

            Andreas

            Hello,

            it happens that we have exactly the same problem as the topic starter described so nicely. When I try to add a second VPN tunnel to include the addresses of the routed network something weird happens: both tunnels stay down, regardless of what I do. When I delete either one of the two tunnels the remaining one starts to function again.

            So what I have is this: I can either connect to addresses on the remote location's network or connect to addresses reachable through the router. But unfortunately not at the same time.

            Does any of you have any idea on this matter?

            Thanks a lot,
            Andreas

              Sylhouette

              I think you have the same problem I had.

              network1 (192.168.0.0/24)
              network2 (192.168.1.0/24)
              network3 (192.168.2.0/24)

              network 1 has a default gateway 192.168.0.254 ---> to ISP, public IP address is 123.123.123.1
              network 2 has a default gateway 192.168.1.254 ---> to ISP, public IP address is 244.244.244.244
              network 3 is connected through a router in network 1 (192.168.0.253) and has a default gateway 192.168.2.254

                       |-----192.168.0.254-LAN-pfsense-WAN-123.123.123.1 ------->Internet<-------244.244.244.244-WAN-pfsense-LAN-192.168.1.254---|clients
              clients  |
                       |-----192.168.0.253----CISCO----192.168.2.254----|clients

              So for Tunnel 1 on pfsense in Network 1

              Interface           WAN
              Local Subnet        Type Network  192.168.0.0/24
              Remote Subnet       192.168.1.0/24
              Remote Gateway      244.244.244.244

              So for Tunnel 1 on pfsense in Network 2

              Interface           WAN
              Local Subnet        Type Network  192.168.1.0/24
              Remote Subnet       192.168.0.0/24
              Remote Gateway      123.123.123.1

              This would bring tunnel 1 up

              Now you cannot tell pfsense in network2 that if you need to go to network 3 you go to 192.168.0.253.
              Pfsense itself does not know anything about the 192.168.0.0 network.

              So you will need to create a second tunnel.

              So for Tunnel 2 on pfsense in Network 1

              Interface           WAN
              Local Subnet        Type Network  192.168.3.0/24
              Remote Subnet       192.168.1.0/24
              Remote Gateway      244.244.244.244

              So for Tunnel 2 on pfsense in Network 2

              Interface           WAN
              Local Subnet        Type Network  192.168.1.0/24
              Remote Subnet       192.168.3.0/24
              Remote Gateway      123.123.123.1

              This should do the trick
              I have this config under m0n0wall, so maybe with pfsense it will not work, but I really think it should work.

              Hope this helps (sorry if the example looks a bit unclear)

                Andreas

                Hi Sylhouette,

                thanks for taking the time to post your example!

                The setup you describe is exactly what the thread starter and I are trying to accomplish. Unfortunately the second or parallel tunnel won't work - it takes down the whole IPsec feature of the pfsense. When I add a tunnel for a network for which no other tunnel was defined, dual tunnels work nonetheless.

                Example:

                Net A
                LAN 172.20.20.x/24 WAN 10.0.0.1 Router 172.20.20.253 -> 192.168.250.x
                Net B
                LAN 192.168.10.x/24 WAN 10.0.0.2

                Net B should have a VPN tunnel to Net A and have access to the 53.100.x.x network. So what I basically did is exactly what you described in your posting.

                My tunnels on Net A look like this:
                192.168.250.0/24
                192.168.10.0/24  WAN 10.0.0.2

                172.20.20.0/24
                192.168.10.0/24  WAN 10.0.0.2 
                In this setup no tunnel works…

                If I change the definition on the second tunnel to
                172.20.20.0/24
                192.168.11.0/24  WAN 10.0.0.2 
                the tunnels are being established - of course this doesn't get me any further :(

                It just proves that multi-tunnels work and multi-tunnels with the same target net or source net definitions don't. Maybe Mr. Ullrich could have a look into this, as I think it's a parsing error of some kind. Though this is merely a guess in the dark ;)

                Thanks again,
                Andreas

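The selector logic the posts above circle around (Sylhouette's "one tunnel per network on the other side", usuarioforum's "summarize networks", and Andreas's two-tunnel test) can be checked offline. The following is an added example written for this thread, not code from the forum, from pfSense or from m0n0wall. It models each phase 2 entry as a local/remote subnet pair, which is how an IPsec security policy database decides whether a packet is encrypted at all, and shows why a static route by itself does not carry 10.18.10.138 into the tunnel. The entry names and the client host 172.20.20.5 are assumptions made up for illustration; every other address comes from the posts.

```python
"""IPsec phase 2 traffic selectors versus the routing table.

Added example for this thread; not pfSense or m0n0wall code. A phase 2
entry is modelled as a (local, remote) subnet pair, i.e. an SPD selector.
Entry names and the host 172.20.20.5 are made up; other addresses are
the ones posted in the thread.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Phase2(NamedTuple):
    name: str            # illustrative label, not a pfSense field
    local: IPv4Network
    remote: IPv4Network


def p2(name: str, local: str, remote: str) -> Phase2:
    return Phase2(name, ip_network(local), ip_network(remote))


def select_p2(entries: List[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """First entry whose selectors cover (src, dst).  None means no
    selector matched: the packet is handled by the ordinary routing
    table and never enters a tunnel, whatever static routes exist."""
    s, d = ip_address(src), ip_address(dst)
    for e in entries:
        if s in e.local and d in e.remote:
            return e
    return None


def covering_supernet(nets: List[str]) -> IPv4Network:
    """Smallest single prefix containing every network in `nets`, i.e.
    the "summarize networks" suggestion.  Widens one bit at a time; for
    networks far apart in address space this degrades to 0.0.0.0/0."""
    parsed = [ip_network(n) for n in nets]
    cand = parsed[0]
    while not all(n.subnet_of(cand) for n in parsed):
        cand = cand.supernet()
    return cand


def overlapping_p2(entries: List[Phase2]) -> List[Tuple[str, str]]:
    """Pairs of entries whose local AND remote selectors overlap.  Two
    entries that share only the remote side (or only the local side) are
    distinct selectors and are not reported."""
    hits = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote):
                hits.append((a.name, b.name))
    return hits


# Topic starter's location 2 (172.20.20.0/24) with its single tunnel.
SITE2_ONE_TUNNEL = [p2("site1-lan", "172.20.20.0/24", "172.20.10.0/24")]

# The same site after adding a phase 2 for the host behind the foreign router.
SITE2_TWO_TUNNELS = SITE2_ONE_TUNNEL + [
    p2("site1-routed", "172.20.20.0/24", "10.18.10.138/32"),
]


def main() -> None:
    for entries in (SITE2_ONE_TUNNEL, SITE2_TWO_TUNNELS):
        hit = select_p2(entries, "172.20.20.5", "10.18.10.138")
        print(len(entries), "entries ->",
              hit.name if hit else "no selector: routing table decides")
    # Sylhouette's networks 1 and 3 summarize into one /22 ...
    print(covering_supernet(["192.168.0.0/24", "192.168.2.0/24"]))
    # ... but the topic starter's 172.20.10.0/24 and 10.18.10.138 do not.
    print(covering_supernet(["172.20.10.0/24", "10.18.10.138/32"]))
    # A duplicated entry is the only genuinely ambiguous case.
    dup = SITE2_TWO_TUNNELS + [p2("site1-routed-copy", "172.20.20.0/24", "10.18.10.138/32")]
    print(overlapping_p2(dup))


if __name__ == "__main__":
    main()
```

With only the site1-lan entry the packet for 10.18.10.138 gets no selector and leaves by the routing table, which is the topic starter's symptom; a second entry for 10.18.10.138/32 matches it. Summarizing 172.20.10.0/24 with 10.18.10.138/32 collapses to 0.0.0.0/0, so summarization only helps when the networks sit next to each other, as Sylhouette's 192.168.0.0/24 and 192.168.2.0/24 do, and even then the /22 silently pulls in 192.168.1.0/24 and 192.168.3.0/24. `overlapping_p2` reports only entries that overlap on both sides; two entries that merely share the remote subnet are distinct selectors, so the failure Andreas describes is not something this model reproduces. The model covers traffic selection only; the phase 1/2 proposals posted later in the thread (Aggressive mode with a pre-shared key, 3DES, PFS off) are a separate review item and would not pass one today.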
                  jahonix

                  @prkon:

                  ok, we have handed it over to the business team....
                  Results will appear HERE .... maybe soon ....?

                  Did you contact them?

                    Sylhouette

                    Like I said, I use this on m0n0wall.
                    Could it be the type of tunnel?

                    This is the rest of my IPsec tunnel config:

                    Interface           WAN
                    Local Subnet        Type Network  192.168.0.0/24
                    Remote Subnet       192.168.1.0/24
                    Remote Gateway      244.244.244.244

                    Description         test

                    Phase 1 proposal (Authentication)

                    Negotiation mode        Aggressive
                    My identifier           My IP address
                    Encryption algorithm    3Des
                    Hash algorithm          SHA1
                    DH key group            2
                    Authentication method   pre shared key
                    Pre-Shared Key          your preshared key  (I use different ones for each tunnel.)

                    Phase 2 proposal (SA/Key Exchange)

                    Protocol                ESP
                    Encryption algorithms   3Des
                    Hash algorithm          SHA1
                    PFS key group           off

                    that is the rest of my config.
                    I am not able to test pfsense for the tunnel at the moment.

                    Regards,
                    Johan
