<![CDATA[Routing from A to B to C using IPsec tunnels]]>Hi,

I currently have 3 sites connected via IPsec and pfSense:  A,B,C

In total there will be 9 sites, so want to use B as a hub.

So:
A has IPsec to B
C has IPsec to B

B & A can ping each other
B & C can ping each other

But…
A can not ping C

I have:

tried setting manual routes on A for C's Subnet ; And on C for A's subnet
tried adding a second Phase 2 configuration on A for C's Subnet ; and vice versa

But I did not stumble onto a working solution.
What is the correct approach?

Thanks in advance

]]>https://forum.netgate.com/topic/90922/routing-from-a-to-b-to-c-using-ipsec-tunnelsRSS for NodeSat, 06 Jun 2026 20:16:35 GMTWed, 28 Oct 2015 13:38:40 GMT60<![CDATA[Reply to Routing from A to B to C using IPsec tunnels on Wed, 28 Oct 2015 22:45:46 GMT]]>Assuming that A, B, and C are all running pfSense it's relatively straightforward.

Example LANs:
Router A -> 10.10.0.0/24
Router B -> 10.20.0.0/24
Router C -> 10.30.0.0/24

Router A
–---------
Phase 1 on A heading to B has two child Phase 2
1. 10.10.0.0/24 -> 10.20.0.0/24
2. 10.10.0.0/24 -> 10.30.0.0/24

Router B (B must know what to do with transiting traffic, this is probably what you're missing)

Phase 1 on B heading to A has two child Phase 2
1. 10.20.0.0/24 -> 10.10.0.0/24
2. 10.30.0.0/24 -> 10.10.0.0/24 (C -> A Transit)

Phase 1 on B heading to C has two child Phase 2
1. 10.20.0.0/24 -> 10.30.0.0/24
2. 10.10.0.0/24 -> 10.30.0.0/24 (A -> C Transit)

Router C

Phase 1 on C heading to B has two child Phase 2
1. 10.30.0.0/24 -> 10.20.0.0/24
2. 10.30.0.0/24 -> 10.10.0.0/24

Also make sure that under Firewall -> Rules -> IPSEC that you pass IPSEC traffic for anything (all asterisks in all columns) on all routers. After getting the tunnels up you can make finer grained rules if you want.

]]>https://forum.netgate.com/post/579981https://forum.netgate.com/post/579981Wed, 28 Oct 2015 22:45:46 GMT