4. 2 tunnels : same remote config, but 2 different local subnets

2 tunnels : same remote config, but 2 different local subnets

  • ?

    Hello,

    I have two IPSEC tunnels created.

    The remote parameters for both tunnels are exactly the same.

    The only difference between the 2 tunnels is the local subnet. First tunnel is for local subnet 192.168.1.0, second tunnel is for local subnet 192.168.2.0

    They both look ON (green) on the Ipsec Overview Status.

    But I always have the following error message :

    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
    racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

    Does pfsense allow to create tunnels that similar (i mean tunnels that differ only with local subnet) ?

    And if so, will these errors message "lead" to some communication errors ?

    Thank you.

    (pfsense 1.2)

    0
  • H

    from the same wan ip with a different subnet on one side you need different FQDN´s. Parallel Tunnel with the same WAN IP runs only in the aggressive mode. The FQDN Name is your free choice….

    Example:

    192.168.6.0/24 ----> FQDN : dmz@pfsense.org --> 192.168.10.0/24 (Same WAN IP)
    192.168.6.0/24 -----> FQDN : lan@pfsense.org --> 192.168.20.0/24 (Same WAN IP)

    0
  • C

    Sorry if this is dumb question but I am doing the same thing and was looking for a little more details.

    I have the following:

    MAN1 going to pfsense WAN w/ lan 172.16.22.0
    MAN1 going to pfsense WAN w/ lan2 10.50.75.0

    The MAN1 has one pub IP and one lan subnet, the WAN on other end has 2 lan subnets.

    I tried to set the pfsense side that had 2 lan subnets to use My identifier: User FQDN: casa@mydomain.com on the first one and phones@mydomain.com on the second one however the VPN's went down and stayed dead. Do I need to set the other side to match on the User FQDN or did I miss something?

    I am running 1.2final,

    Thx

    0
  • H

    Yes, you need on both endpoint the same FQDN-identifier but different lan subnets, that´s the trick

    0
  • C

    So because only 1 end has multi subnets this wont work? or am I missunderstanding and so long as I use FQDN and they match on both sides for both tunnels (each tunnel uniq FQDN of course) I am good?

    One end has 1 pub and 1 lan subnet, other has 1 pub and 2 lan subnets.

    Right now I have the original posters problem but they do work, just is a mess.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy