Route traffic between IPsec VPN sites


  • Hi all, I have a pfSense installation with two site-to-site VPN tunnels working. Both remote sites are not pfSense and only provide 1 IPsec tunnel, which is used to connect to pfSense. Network looks like:

    PFSense: 10.100.100.1/24
    Remote 1: 10.1.10.1/24
    Remote 2: 10.1.11.1/24

    Can ping from pfsense network to both remote networks
    Can ping from both remote networks back to pfsense network
    Need to ping from Remote network 1 to Remote network 2

    I'd like both remote sites to be able to ping each other but since the remote devices only support 1 tunnel I can't create a tunnel between the two, it looks like I will have to route traffic thru pfsense somehow.

    Right now my PFSense firewall is wide open "Any->Any" but I don't know what to do to route traffic between the tunnels.

    I tried adding static routes on the remote devices: route 10.1.10.0/24 to gateway 10.100.100.1 and route 10.1.11.0/24 to gateway 10.100.100.1

    That didn't work.

    Can anyone point me in the right direction? Sorry, Total newbie here.

    Thx

  • LAYER 8 Netgate

    You need another phase 2 entry on Remote 1 for source 10.1.10.0/24 dest 10.1.11.0/24

    And on Remote 2 for source 10.1.11.0/24 dest 10.1.10.0/24.

    Depending on your design you might be able to get away with changing the dest to 10.0.0.0/8 on both existing Phase 2 entries.

    Naturally corresponding phase 2 entries on pfSense would be required.
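As an added example (not code from the thread or from pfSense), this models each site's phase 2 selectors and traces a packet from Remote 1's LAN to Remote 2's LAN, showing why the static routes alone failed and why widening the pfSense-side selector to 10.0.0.0/8 works; the site names and the `trace` helper are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not pfSense code).
# Each phase 2 entry is a (local, remote) pair of traffic selectors as seen by
# the device that holds it; the hub keeps one entry per spoke, keyed by name.
PFSENSE_LAN, REMOTE1_LAN, REMOTE2_LAN = "10.100.100.0/24", "10.1.10.0/24", "10.1.11.0/24"

def p2(local, remote):
    return (ipaddress.ip_network(local), ipaddress.ip_network(remote))

def matches(local, remote, src, dst):
    """Policy-based IPsec only carries a packet whose src lies in the local
    selector and whose dst lies in the remote selector of some phase 2 entry."""
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote

def trace(src, dst, spokes, hub):
    """Follow a packet from Remote 1's LAN toward Remote 2's LAN via the hub.
    Returns the hops taken, or a string naming the drop point. A static route
    pointing at the hub never enters into it: the selectors decide."""
    hops = []
    l, r = spokes["remote1"]
    if not matches(l, r, src, dst):
        return "dropped at Remote 1: no phase 2 selector covers %s -> %s" % (src, dst)
    hops.append("Remote 1 encrypts")
    l, r = hub["remote1"]  # inbound on the hub: src in remote, dst in local
    if not matches(r, l, src, dst):
        return "dropped at pfSense (inbound from Remote 1): selector mismatch"
    hops.append("pfSense accepts")
    l, r = hub["remote2"]  # outbound on the hub: src in local, dst in remote
    if not matches(l, r, src, dst):
        return "dropped at pfSense (outbound to Remote 2): no selector covers the flow"
    hops.append("pfSense forwards")
    l, r = spokes["remote2"]
    if not matches(r, l, src, dst):
        return "dropped at Remote 2: selector mismatch"
    hops.append("Remote 2 accepts")
    return hops

def original_config():
    """The poster's starting point: each tunnel pairs one site LAN with the pfSense LAN."""
    spokes = {"remote1": p2(REMOTE1_LAN, PFSENSE_LAN), "remote2": p2(REMOTE2_LAN, PFSENSE_LAN)}
    hub = {"remote1": p2(PFSENSE_LAN, REMOTE1_LAN), "remote2": p2(PFSENSE_LAN, REMOTE2_LAN)}
    return spokes, hub

def widened_config():
    """The shortcut from the reply above: the pfSense-side selector of every
    existing phase 2 becomes 10.0.0.0/8, on the spokes and on the hub alike."""
    spokes = {"remote1": p2(REMOTE1_LAN, "10.0.0.0/8"), "remote2": p2(REMOTE2_LAN, "10.0.0.0/8")}
    hub = {"remote1": p2("10.0.0.0/8", REMOTE1_LAN), "remote2": p2("10.0.0.0/8", REMOTE2_LAN)}
    return spokes, hub
```

The /8 selector makes each spoke trust the hub for all of 10.0.0.0/8, so the firewall rules on pfSense's IPsec interface (any-to-any in the question) become the only thing limiting what the two sites can reach in each other.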


  • You can try to binat traffic on one ipsec tunnel to the other!
    That should allow you to do this.


  • @Derelict:

    You need another phase 2 entry on Remote 1 for source 10.1.10.0/24 dest 10.1.11.0/24

    And on Remote 2 for source 10.1.11.0/24 dest 10.1.10.0/24.

    Depending on your design you might be able to get away with changing the dest to 10.0.0.0/8 on both existing Phase 2 entries.

    Naturally corresponding phase 2 entries on pfSense would be required.

    Doesn't look like I can add another phase 2 to the remote device. I think my design should allow us to try 10.0.0.0/8 like you said. Trying that now.


  • @ermal:

    You can try to binat traffic on one ipsec tunnel to the other!
    That should allow you to do this.

    Will try this thx.

  • LAYER 8 Netgate

    @NinjaActionJeans:

    Doesn't look like I can add another phase 2 to the remote device.

    Primary reason I'm replacing Cisco RV042s with pfSense. That and a lack of OpenVPN. Good luck.


  • @Derelict:

    @NinjaActionJeans:

    Doesn't look like I can add another phase 2 to the remote device.

    Primary reason I'm replacing Cisco RV042s with pfSense. That and a lack of OpenVPN. Good luck.

    10.0.0.0/8 worked thx!!