Netgate Discussion Forum

    Hub and Spoke help

    IPsec
    3vian

      I'm trying to get a hub and spoke network working for three sites. At this stage a mesh network is not possible.

      Let's call them Remote A, Remote B and HQ. At the moment HQ is connected to RA and RB. I can't get traffic between RA and RB (as expected), but my understanding is that a second Phase 2 could solve the problem.

      FYI RA and HQ are both running 2.1.5, while RB is using a Cisco ASA 5505. The Cisco 5505 doesn't support FQDNs, which is why a mesh network won't work, as RA has a dynamic IP. Hopefully the Cisco ASA 5505 won't be a blocking point. The Cisco box will be replaced with pfSense shortly, but I will still want to get hub and spoke working for other reasons.

      I'm just not sure what subnets to put in the Phase 2 setups. I looked around the forum and there is a mention of such a setup, but it isn't clear to me.

      Any help would be greatly appreciated.

      @ggiants81:

      Hi there.
      Is it possible for pfSense to, for instance, have two IPsec tunnels, like A and B, where A's remote network is 10.10.10.0/24 and B's remote network is 10.10.11.0/24, so that remote net A can reach remote net B through the IPsec tunnel to pfSense? Like a hub and spoke.

      jimp (Rebel Alliance, Developer, Netgate)

        That works fine if you put the right Phase 2 networks on there.

        Tunnel to A
        P2 for Main to A
        P2 for B to A

        Tunnel to B
        P2 for Main to B
        P2 for A to B

        And on the other side, the reverse direction of each.

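The recipe above, worked through as an added example (this is not code from the thread, from pfSense or from Netgate): a small Python script that generates the Phase 2 entry list a hub and any number of spokes need, and lints a proposed plan for the two mistakes that usually break the spoke-to-spoke path, a Phase 2 whose mirror image is missing on the peer, and site subnets that overlap so the selectors become ambiguous. The site names, subnets and function names are constructed for this example.

```python
"""Generate and lint Phase 2 (traffic selector) entries for an IPsec
hub-and-spoke topology.  Added example, not code from the forum thread,
from pfSense or from Netgate.  Site names, subnets and function names
are constructed for illustration."""
import ipaddress
from itertools import combinations

# Constructed sample topology: one hub and two spokes.
SITES = {
    "main": "192.168.30.0/24",   # hub LAN
    "sat1": "192.168.10.0/24",   # spoke 1 LAN
    "sat2": "192.168.20.0/24",   # spoke 2 LAN
}


def p2_plan(sites, hub):
    """Build the Phase 2 entries every device needs.

    Returns {device: {(peer, local_net, remote_net), ...}}.  A tuple means
    "on `device`, under the Phase 1 to `peer`, one Phase 2 with local
    network `local_net` and remote network `remote_net`".  Each spoke has
    a single Phase 1 to the hub; the hub has one Phase 1 per spoke.
    """
    spokes = [name for name in sites if name != hub]
    plan = {name: set() for name in sites}
    for s in spokes:
        # Hub LAN <-> spoke s, on both ends of the tunnel to s.
        plan[hub].add((s, sites[hub], sites[s]))
        plan[s].add((hub, sites[s], sites[hub]))
        # Every other spoke t <-> spoke s, so t's packets match a selector
        # on the hub's tunnel to s, and s's packets match one on its own tunnel.
        for t in spokes:
            if t != s:
                plan[hub].add((s, sites[t], sites[s]))   # hub forwards t -> s
                plan[s].add((hub, sites[s], sites[t]))   # spoke s reaches t via hub
    return plan


def lint(plan, sites):
    """Report overlapping site subnets and Phase 2 entries with no mirror
    image (remote <-> local swapped) on the peer."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for device, entries in plan.items():
        for peer, local, remote in entries:
            if (device, remote, local) not in plan.get(peer, set()):
                problems.append(
                    f"{device}: P2 {local} -> {remote} under tunnel to {peer} "
                    f"has no matching {remote} -> {local} on {peer}")
    return sorted(problems)


def print_plan(plan):
    for device in sorted(plan):
        print(device)
        for peer, local, remote in sorted(plan[device]):
            print(f"  Phase 1 to {peer}: Phase 2 local {local} remote {remote}")


if __name__ == "__main__":
    plan = p2_plan(SITES, "main")
    print_plan(plan)
    print("lint:", lint(plan, SITES) or "ok")
    # Drop the spoke-to-spoke entry on sat1 (the usual omission) and lint again.
    broken = {d: set(e) for d, e in plan.items()}
    broken["sat1"].discard(("main", SITES["sat1"], SITES["sat2"]))
    print("lint after removing sat1's P2 to sat2:", lint(broken, SITES))
```

The plan only covers which traffic enters each tunnel. On pfSense the hub also needs rules on the IPsec tab that allow traffic between the spoke subnets, and Phase 2 entries added to an already established tunnel only take effect once the tunnel is disconnected and reconnected.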
        kfm

          Hi jimp,

          I hope refreshing this thread is OK. I found it by searching and you'll see I'm a newbie.

          I appreciated your answer above pointing in the direction to go, but unfortunately I failed.

          I have the main firewall (fixed public ip) and two "satellites" (natted behind routers) each establishing an ipsec tunnel to main (works fine). Now I would like to enable communication between the satellites.

          Main fw:
          Phase1 to sat1
            Phase2 LAN to sat1 (192.168.10.0/24)
            Phase2 sat2 (192.168.20.0/24) to sat1 (192.168.10.0/24)
          Phase1 to sat2
            Phase2 LAN to sat2 (192.168.20.0/24)
            Phase2 sat1 (192.168.10.0/24) to sat1 (192.168.20.0/24)

          sat1:
          Phase1 to main
            Phase2 LAN to main (192.168.30.0/24)
            Phase2 LAN to sat2 (192.168.20.0/24)

          sat2:
          Phase1 to main
            Phase2 LAN to main (192.168.30.0/24)
            Phase2 LAN to sat1 (192.168.10.0/24)

          What is wrong?

          Thank you or someone else very much in advance!
          Uwe

          kfm

            Nothing was wrong - it works!

            Menu: Status - IPsec: Disconnect/Reconnect has to be used!

            Uwe

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.