4. (Solved) Setting up multiple IPsec VPNs

(Solved) Setting up multiple IPsec VPNs

  • A

    pfSense 2.1.5

    I have two branch offices with the same subnet - 192.168.1.0/24
    Both branches need to connect to the same HQ office at IP 198.145.XXX.YYY
    Branch A has a server at 10.10.10.21/30
    Branch B has a server at 10.10.10.28/30
    I don't want communication between branches.
    Branches have SonicWALL devices.

    I have been running the first branch fine for months; no issues.  With the addition of the second branch I get trouble.
    In the HQ pfSense, Firewall, Rules, IPsec I have a destination set to the specific server this branch needs to access (10.10.10.21/30)  When I created the second rule I realized I had to make a determination that this branch needs to only access their server at 10.10.10.28/30.  Since both offices have the same subnet, I can't set a rule up that says source = 192.168.1.0/24.

    What is the best way to handle this?  Do I need to setup an external IP for each branch at the HQ and IPsec tunnel to that?  Do I change a port…?

    Thanks.

    0
  • LAYER 8 Netgate

    @awsiemieniec:

    pfSense 2.1.5

    I have two branch offices with the same subnet - 192.168.1.0/24

    Oops.

    Both branches need to connect to the same HQ office at IP 198.145.XXX.YYY
    Branch A has a server at 10.10.10.21/30
    Branch B has a server at 10.10.10.28/30
    I don't want communication between branches.
    Branches have SonicWALL devices.

    I have been running the first branch fine for months; no issues.  With the addition of the second branch I get trouble.
    In the HQ pfSense, Firewall, Rules, IPsec I have a destination set to the specific server this branch needs to access (10.10.10.21/30)  When I created the second rule I realized I had to make a determination that this branch needs to only access their server at 10.10.10.28/30.  Since both offices have the same subnet, I can't set a rule up that says source = 192.168.1.0/24.

    What is the best way to handle this?  Do I need to setup an external IP for each branch at the HQ and IPsec tunnel to that?  Do I change a port…?

    Thanks.

    As far as I know, at least one of the SonicWALLs will have to 1:1 NAT their LAN and present it as something else so pfSense doesn't have two routes to the same subnet.

    That or renumber one of them.

    0
  • A

    Thanks!

    So, to summarize - all IPsec tunnels have to have a unique subnet on the "distant"/client side when looking at the subnet from the pfSense/HQ/server side.  Is that right?

    As far as 2.1.5 - I had big problems upgrading from 2.1.5 to some 2.2 version a while back and had to restore back from an image taken before the upgrade.  I know - I need to update that sucker.

    0
  • D

    Yes, all remote sides need to have different subnets. In your case you would have 3

    VPN Core - Subnet #1
    Remote Site 1 - Subnet #2
    Remote Site 2 - Subnet #3

    There might be some ugly hacks to make it work, if it were me i would just re-subnet/ip the site.

    0
  • A

    Thank you all for the assistance.  I did change the subnet on one of the branch offices and all went smooth after that.

    Thanks.  :)

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy