Opt1 interface at remote site



  • i have an interesting question, i hope someone can help me get some traction here.

    site A, and site B, with an IPSec tunnel between.  desktops at site B access servers at site a, exactly as you would expect.  Site A also has an Opt1, and all desktops and servers at Site A, can access all resources (multiple networks and devices) beyond the Opt1 interface because PFS-siteA has a route for 10.x.x.x/8 via opt1 gateway (which opt1 gateway is the cisco router)

    as depicted here:

    So, desktops at site B can open a PPTP vpn to the PPTP server at Site A, then they can also access resources beyond Opt1.  i would like them to not have to do this, it would be preferential to just have them use the IPSec tunnel thats already established between siteA and siteB.

    is this possible?  can someone shed some light for me here?  thanks!!



  • A bit strange setup. Why don't you terminate PPTP at pfSense?
    Generally I have to suggest to replace PPTP by a more secure VPN.

    However to achieve that site B cannot access networks beyond OPT1 just add a firewall rule to LAN interface that blocks hole traffic which source is your PPTP Pool and destination is your OPT1 network (10.x.x.x/8).

    Are there any difficulties?



  • no, I want them to access beyong Opt1, right now they cant.  they can ping the interface of opt1 and that's it.  they cannot ping the interface of the cisco router (but they can if the open pptp to the MS PPTP server)



  • Okay, I think I got it. You want that the clients at site B are able to access the 10.x.x.x/8 network over IPSec.
    I assume you have set an appropriate rule on IPSec interface to allow this.
    If the rule is correct it should work. The static route at pfSense A also is in force for IPSec traffic.

    Maybe it's a routing issue. Could it be that site B is part of 10.x.x.x/8?
    And there is another device in network responding to ping. At doubt check this with traceroute on a site B host.

    Otherwise post all your network at site A, B, IPSec tunnel.



  • Site A is 192.168.10.0/24
    Site B is 192.160.20.0/24

    Site A opt1 is 10.0.0.2
    Cisco Router is 10.0.0.1

    Site A has a secondary gateway created as 10.0.0.1, and a route for 10.0.0.0/8 pointed to 10.0.0.1 as gateway.



  • That seems like a routing issue. The IPsec tunnel will probably not know where the 10.0.0.0/8 network is, and so it can't send any traffic there.
    You will probably need to add another phase 2 setting to propagate 10.0.0.0/8