Help with routing please (IPSEC)



  • Hello everyone.  I'm having an issue with routing and I think I have been staring at it too long to be able to fix it.

    Here is what I have.

    Site A -> 192.168.1.0
    Site B -> 192.168.2.0
    Site C -> 192.168.3.0

    Site A and B connect IPSEC to site C.

    Inside site C i have a second network 10.27.21.0.

    I need A and B to be able to access the 10. network.

    I have a static route in C that says 10.27.21.0/24 -> Gateway of 192.168.3.5.

    I can ping 10.27.21.1 from the PFSENSE at C, and I can ping from a PC in C to the 10. net.

    I can't figure it out.  But I'm sure I'm not routing it right somewhere.  I even tried in A putting a route on the PC as well as in the router and still no go.

    The routers at A and B are tplink



  • To add.

    I also have a rule at the top of IPSEC to send 10.27.21.0 traffic to the gateway 192.168.3.5



  • I naively thought I would be able to figure this one out but this is beyond my abilities.  I sketched out the network as I understand it but got no further (is it correct?).  This topic interests me as well since I would like to do something similar.




  • Hello!

    I have a static route in C that says 10.27.21.0/24 -> Gateway of 192.168.3.5.

    This route has no benefit for sites A and B.
    You need a static route at the hosts that establish IPSec connections to C.

    I also have a rule at the top of IPSEC to send 10.27.21.0 traffic to the gateway 192.168.3.5

    This rule is also useless. You need a rule to allow traffic from IPSec to the nets you want, but not to the local IPSec gateway.

    For your purposes OpenVPN will be more suitable. There you can configure at the server side which routes are to be set on clients.



  • @viragomann:

    Hello!

    I have a static route in C that says 10.27.21.0/24 -> Gateway of 192.168.3.5.

    This route has no benefit for sites A and B.
    You need a static route at the hosts that establish IPSec connections to C.

    I had already added those at site A.  I'm only working with A until I get it working.  I added it to the Windows machine with no luck, as well as in the router at A.  Maybe I'm not adding it correctly.  This was my command in cmd on the Windows machine:
      route -p add 10.27.21.0 mask 255.255.255.0 192.168.3.5
    I also tried 3.1, which is the gateway of the 3.0 network, but I am pretty sure that wouldn't work anyway.

    I was guessing that since I can ping the entire 3.0 network, the PC should understand to send that traffic to 3.5 across the IPsec tunnel.

    I should also add that the 3.5 device is the router for the 10.27.21.0 network.  I do not have access to this device.  This is the connection between the two.

    I also have a rule at the top of IPSEC to send 10.27.21.0 traffic to the gateway 192.168.3.5

    This rule is also useless. You need a rule to allow traffic from IPSec to the nets you want, but not to the local IPSec gateway.

    For your purposes OpenVPN will be more suitable. There you can configure at the server side which routes are to be set on clients.

    The 3.5 is not the local gateway.  It is the gateway for the 10.27 network. 3.1 is the LAN gateway.  Also, from A I can ping anything on the 3.0 network (the 3.5 is not pingable).  I'm trying to ping 10.27.21.1 from A.
    I should also mention that after fixing my route (I had put 21.1 instead of 21.0 for the network) I was seeing from C the traceroute from A trying to get to the 10. network.  But I was not getting traffic past that, that I could see anyway. So I have to be getting close.



  • @pfSensible:

    I naively thought I would be able to figure this one out but this is beyond my abilities.  I sketched out the network as I understand it but got no further (is it correct?).  This topic interests me as well since I would like to do something similar.

    Logically it looks pretty close.  It should be noted that physically 2.1 and 1.1 are tplink routers.  To me it looks like it should be simple.  I am really considering changing out the tplinks for pfsense just to have consistency.



  • Your primary description is very incomplete! Okay, here are some points:

    If 192.168.3.5 is the gateway to 10.27.21.0/24 you need to add it as a gateway on pfSense and also set up a static route for this net to use this gateway.

    If you use the Windows IPSec client in its default setting it routes any traffic over the IPSec tunnel anyway, except local networks. So the route is not necessary. Otherwise you have to use the "Remote gateway" of your IPSec server in the route command.



  • @viragomann:

    Your primary description is very incomplete! Okay, here are some points:

    If 192.168.3.5 is the gateway to 10.27.21.0/24 you need to add it as a gateway on pfSense and also set up a static route for this net to use this gateway.

    If you use the Windows IPSec client in its default setting it routes any traffic over the IPSec tunnel anyway, except local networks. So the route is not necessary. Otherwise you have to use the "Remote gateway" of your IPSec server in the route command.

    I have already put the route in the pfsense router for the 3.5 device.  I can ping across it from the 3.0 network and can access the 10.27.21.0 network from the 3.0 network.  I just can't get the remote sites to get data over.  I'm using the tplink routers at A and B as the IPSEC endpoints.  I'm not using the Windows IPsec client.  I will try putting the remote gateway into the route command.



  • I'm using the tplink routers at A and B as the IPSEC endpoints

    That means the routers make the IPSec connection. So the router also has to do the routing.

    If the Windows client doesn't know the network 10.27.21.0/24, as I suppose, the traffic is routed over the default gateway which is set in Windows. That will be the router, and it has to do the rest.



  • @viragomann:

    I'm using the tplink routers at A and B as the IPSEC endpoints

    That means the routers make the IPSec connection. So the router also has to do the routing.

    If the Windows client doesn't know the network 10.27.21.0/24, as I suppose, the traffic is routed over the default gateway which is set in Windows. That will be the router, and it has to do the rest.

    Yes, which is why I am confused as to why putting a static route into the PC doesn't work at the remote site.  Before I opened the entire 3.0 network up to the 10.27 network I would just simply insert a static route into the PCs that needed into the 10. network, which was just a few PCs.



  • In case anyone else has this problem.  The fix is to just create a second IPsec tunnel to the other subnet.  This is what happens when you try to overthink things.
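Why the extra tunnel fixes it, as an added illustration that is not part of the thread: a policy-based IPsec tunnel only carries packets whose source and destination both match one of its Phase 2 traffic-selector pairs, so a static route on the PC or router cannot push 10.27.21.0/24 traffic into a tunnel whose only selector is 192.168.3.0/24. The selector tables below are constructed from the thread's addresses; the site-C side and the exact TP-Link/pfSense terminology are assumptions.

```python
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# One Phase 2 entry = (local subnet, remote subnet) as seen from site A.
Selector = Tuple[IPv4Network, IPv4Network]

# Constructed model of the original site A -> site C tunnel: a single
# Phase 2 covering only the 192.168.3.0/24 LAN at C.
ORIGINAL_P2: List[Selector] = [
    (ip_network("192.168.1.0/24"), ip_network("192.168.3.0/24")),
]

# The fix from the thread: a second selector pair (second tunnel / Phase 2)
# for the 10.27.21.0/24 subnet that sits behind 192.168.3.5 at site C.
FIXED_P2: List[Selector] = ORIGINAL_P2 + [
    (ip_network("192.168.1.0/24"), ip_network("10.27.21.0/24")),
]


def matching_selector(p2: List[Selector], src: str, dst: str) -> Optional[Selector]:
    """Return the Phase 2 pair that would carry src->dst, or None if no
    selector matches (the packet then never enters the tunnel)."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in p2:
        if s in local and d in remote:
            return (local, remote)
    return None


def explain(p2: List[Selector], src: str, dst: str) -> str:
    """Human-readable verdict for a flow from a site A host."""
    sel = matching_selector(p2, src, dst)
    if sel is None:
        # No selector matches, so the router falls back to its ordinary
        # routing table (default/WAN route). A "route ... 192.168.3.5"
        # entry does not help: 192.168.3.5 is only reachable *through*
        # the tunnel, and the tunnel refuses this packet.
        return f"{src}->{dst}: no selector matches, not sent over IPsec"
    return f"{src}->{dst}: encrypted under selector {sel[0]} <-> {sel[1]}"


if __name__ == "__main__":
    for table, name in ((ORIGINAL_P2, "original"), (FIXED_P2, "fixed")):
        print(name, explain(table, "192.168.1.10", "192.168.3.1"))
        print(name, explain(table, "192.168.1.10", "10.27.21.1"))
```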