Netgate Discussion Forum
    Help with routing please (IPSEC)

    Routing and Multi WAN
    11 Posts 3 Posters 2.2k Views

    • kchiefs

      Hello everyone.  I'm having an issue with routing and I think I have been staring at it too long to be able to fix it.

      Here is what I have.

      Site A -> 192.168.1.0
      Site B -> 192.168.2.0
      Site C -> 192.168.3.0

      Site A and B connect IPSEC to site C.

      Inside site C I have a second network 10.27.21.0.

      I need A and B to be able to access the 10. network.

      I have a static route in C that says 10.27.21.0/24 -> gateway of 192.168.3.5.

      I can ping 10.27.21.1 from the pfSense at C, and I can ping the 10. net from a PC in C.

      I can't figure it out.  But I'm sure I'm not routing it right somewhere.  I even tried in A putting a route on the PC as well as in the router and still no go.

      The routers at A and B are TP-Link.

      • kchiefs

        To add.

        I also have a rule at the top of IPSEC to send 10.27.21.0 traffic to the gateway 192.168.3.5

        • pfSensible

          I naively thought I would be able to figure this one out but this is beyond my abilities.  I sketched out the network as I understand it but got no further (is it correct?).  This topic interests me as well since I would like to do something similar.

          [Attached image: PFSense_ipSec.PNG]

          The NSA is a terrorist organization that must be stopped.

          • viragomann

            Hello!

            > I have a static route in C that says 10.27.21.0/24 -> Gateway of 192.168.3.5.

            This route has no benefit for sites A and B.
            You need a static route at the hosts that establish IPsec connections to C.

            > I also have a rule at the top of IPSEC to send 10.27.21.0 traffic to the gateway 192.168.3.5

            This rule is also useless. You need a rule to allow traffic from IPsec to the nets you want, but not to the local IPsec gateway.

            For your purposes OpenVPN would be more suitable. There you can configure on the server side which routes are to be set on the clients.

            • kchiefs

              @viragomann:

              > Hello!
              >
              > I have a static route in C that says 10.27.21.0/24 -> Gateway of 192.168.3.5.
              >
              > This route has no benefit for sites A and B.
              > You need a static route at the hosts that establish IPsec connections to C.

              I had already added those at site A.  I'm only working with A until I get it working.  I added it to the Windows machine with no luck, as well as in the router at A.  Maybe I'm not adding it correctly.  This was my command in cmd on the Windows machine:
                route -p add 10.27.21.0 mask 255.255.255.0 192.168.3.5
              I also tried 3.1, which is the gateway of the 3.0 network, but I am pretty sure that wouldn't work anyway.

              I was guessing that since I can ping the entire 3.0 network, the PC should understand to send that traffic to 3.5 across the IPsec tunnel.

              I should also add that the 3.5 device is the router for the 10.27.21.0 network.  I do not have access to this device.  This is the connection between the two.

              > I also have a rule at the top of IPSEC to send 10.27.21.0 traffic to the gateway 192.168.3.5
              >
              > This rule is also useless. You need a rule to allow traffic from IPsec to the nets you want, but not to the local IPsec gateway.
              >
              > For your purposes OpenVPN would be more suitable. There you can configure on the server side which routes are to be set on the clients.

              The 3.5 is not the local gateway.  It is the gateway for the 10.27 network.  3.1 is the LAN gateway.  Also, from A I can ping anything on the 3.0 network (the 3.5 is not pingable).  I'm trying to ping 10.27.21.1 from A.
              I should also mention that after fixing my route (I had put 21.1 instead of 21.0 for the network) I was seeing from C the traceroute from A trying to get to the 10. network, but I was not getting traffic past that, that I could see anyway.  So I have to be getting close.

              • kchiefs

                @pfSensible:

                > I naively thought I would be able to figure this one out but this is beyond my abilities.  I sketched out the network as I understand it but got no further (is it correct?).  This topic interests me as well since I would like to do something similar.

                Logically it looks pretty close.  It should be noted that physically 2.1 and 1.1 are TP-Link routers.  To me it looks like it should be simple.  I am really considering changing out the TP-Links for pfSense just to have consistency.

                • viragomann

                  Your primary description is very incomplete! Okay, here are some points:

                  If 192.168.3.5 is the gateway to 10.27.21.0/24, you need to add it as a gateway on pfSense and also set up a static route for this net to use this gateway.

                  If you use the Windows IPsec client in its default setting, it routes any traffic over the IPsec tunnel anyway, except local networks. So the route is not necessary. Otherwise you have to use the "Remote gateway" of your IPsec server in the route command.

                  • kchiefs

                    @viragomann:

                    > Your primary description is very incomplete! Okay, here are some points:
                    >
                    > If 192.168.3.5 is the gateway to 10.27.21.0/24, you need to add it as a gateway on pfSense and also set up a static route for this net to use this gateway.
                    >
                    > If you use the Windows IPsec client in its default setting, it routes any traffic over the IPsec tunnel anyway, except local networks. So the route is not necessary. Otherwise you have to use the "Remote gateway" of your IPsec server in the route command.

                    I have already put the route in the pfSense router for the 3.5 device.  I can ping across it from the 3.0 network and can access the 10.27.21.0 network from the 3.0 network.  I just can't get the remote sites to get data over.  I'm using the TP-Link routers at A and B as the IPsec endpoints.  I'm not using the Windows IPsec client.  I will try putting the remote gateway into the route command.

                    • viragomann

                      > I'm using the TP-Link routers at A and B as the IPsec endpoints

                      That means the routers make the IPsec connection. So the routers also have to do the routing.

                      If the Windows client doesn't know the network 10.27.21.0/24, which I suppose, the traffic is routed over the default gateway set in Windows. That will be the router, and it has to do the rest.

                      • kchiefs

                        @viragomann:

                        > I'm using the TP-Link routers at A and B as the IPsec endpoints
                        >
                        > That means the routers make the IPsec connection. So the routers also have to do the routing.
                        >
                        > If the Windows client doesn't know the network 10.27.21.0/24, which I suppose, the traffic is routed over the default gateway set in Windows. That will be the router, and it has to do the rest.

                        Yes, which is why I am confused as to why putting a static route into the PC doesn't work at the remote site.  Before I opened the entire 3.0 network up to the 10.27 network, I would just simply insert a static route into the PCs that needed into the 10. network, which was just a few PCs.

                        • kchiefs

                          In case anyone else has this problem: the fix is to just create a second IPsec tunnel to the other subnet.  This is what happens when you try to overthink things.

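                          Editor's note on why the last fix works, with an added example that is not part of the thread. pfSense's default IPsec tunnel mode is policy-based, and what the poster calls a "second tunnel to the other subnet" is a further Phase 2 entry under the same Phase 1. A policy-based endpoint encrypts a packet only when the source and the destination both fall inside one Phase 2 selector pair, and that lookup happens before the routing table is consulted. A static route for 10.27.21.0/24 on a PC at site A, or on the TP-Link, therefore can never push traffic into an SA whose selectors are 192.168.1.0/24 <-> 192.168.3.0/24; the next hop 192.168.3.5 is not even on a directly connected network from site A. The Python model below encodes that decision for the thread's addresses. The Phase 2 names, the one-interface-per-site lists and the absence of NAT are assumptions of the model. Two things it does not cover, but which a practitioner should check: site C needs the mirrored Phase 2 (10.27.21.0/24 local, 192.168.1.0/24 remote) plus a rule on its IPsec firewall tab allowing the traffic, and the 192.168.3.5 router must route 192.168.1.0/24 back to the pfSense at C (or default to it), otherwise replies never return.

```python
"""Model of a policy-based IPsec endpoint's forwarding decision (added
example, not from the thread).  Addresses are the thread's; Phase 2 names,
interface lists and the absence of NAT are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s)


def addr(s: str) -> IPv4Addr:
    return ipaddress.ip_address(s)


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 / child SA: the traffic-selector pair the SA carries."""
    name: str
    local_net: IPv4Net
    remote_net: IPv4Net


@dataclass(frozen=True)
class Route:
    """A static route on the endpoint, as in 'route add <dest> <gateway>'."""
    dest: IPv4Net
    gateway: IPv4Addr


def select_phase2(policies, src: str, dst: str) -> Optional[Phase2]:
    """SPD lookup: a packet is encrypted only if src is inside a Phase 2
    local net AND dst is inside that same Phase 2 remote net.  The routing
    table plays no part in this decision."""
    s, d = addr(src), addr(dst)
    for p in policies:
        if s in p.local_net and d in p.remote_net:
            return p
    return None


def forward(policies, routes, on_link, src: str, dst: str) -> str:
    """Verdict for one packet leaving an endpoint whose directly connected
    networks are 'on_link'.  Policy lookup comes first; only packets that
    match no policy are handed to the routing table."""
    p = select_phase2(policies, src, dst)
    if p is not None:
        return f"ipsec:{p.name}"
    d = addr(dst)
    # longest-prefix match among the static routes
    best = max((r for r in routes if d in r.dest),
               key=lambda r: r.dest.prefixlen, default=None)
    if best is None:
        return "default-route:plaintext"
    # a next hop is usable only when it sits on a directly connected network
    if not any(best.gateway in n for n in on_link):
        return f"route-unusable:gateway {best.gateway} not on-link"
    return f"plaintext:via {best.gateway}"


# --- the thread's scenario, seen from the site A endpoint (assumed layout) ---
SITE_A_ON_LINK = [net("192.168.1.0/24")]
# the static route the poster tried at site A; its next hop lives at site C
SITE_A_ROUTES = [Route(net("10.27.21.0/24"), addr("192.168.3.5"))]


def site_a_policies(with_second_phase2: bool):
    policies = [Phase2("A-to-C-lan", net("192.168.1.0/24"), net("192.168.3.0/24"))]
    if with_second_phase2:
        policies.append(Phase2("A-to-C-10net", net("192.168.1.0/24"), net("10.27.21.0/24")))
    return policies


def site_a_verdicts(with_second_phase2: bool) -> dict:
    pol = site_a_policies(with_second_phase2)
    return {
        "to C lan": forward(pol, SITE_A_ROUTES, SITE_A_ON_LINK, "192.168.1.10", "192.168.3.20"),
        "to 10net": forward(pol, SITE_A_ROUTES, SITE_A_ON_LINK, "192.168.1.10", "10.27.21.1"),
    }


def site_c_return_verdict() -> str:
    """Site C must mirror the second Phase 2 for replies to be encrypted.
    (The 192.168.3.5 router's own return route is outside this model.)"""
    pol = [Phase2("C-to-A-lan", net("192.168.3.0/24"), net("192.168.1.0/24")),
           Phase2("C-to-A-10net", net("10.27.21.0/24"), net("192.168.1.0/24"))]
    routes = [Route(net("10.27.21.0/24"), addr("192.168.3.5"))]  # on-link at C
    return forward(pol, routes, [net("192.168.3.0/24")], "10.27.21.1", "192.168.1.10")


if __name__ == "__main__":
    for label, flag in (("before second Phase 2", False), ("after", True)):
        print(label, site_a_verdicts(flag))
    print("site C reply", site_c_return_verdict())
```

                          Running it shows the "before" case matching the LAN-to-LAN policy while the 10.27.21.0/24 packet falls through to an unusable route, and the "after" case carrying that packet in the second SA; the same lookup at site C is what makes the reply path work.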
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.