    Routing from A to B to C using IPsec tunnels

    Norsak

      Hi,

      I currently have 3 sites connected via IPsec and pfSense: A, B, C

      In total there will be 9 sites, so I want to use B as a hub.

      So:
      A has IPsec to B
      C has IPsec to B

      B & A can ping each other
      B & C can ping each other

      But…
      A cannot ping C

      I have:

      • tried setting manual routes on A for C's subnet, and on C for A's subnet
      • tried adding a second Phase 2 configuration on A for C's subnet, and vice versa

      But I did not stumble onto a working solution.
      What is the correct approach?

      Thanks in advance

      ltctech

        Assuming that A, B, and C are all running pfSense, it's relatively straightforward.

        Example LANs:
        Router A -> 10.10.0.0/24
        Router B -> 10.20.0.0/24
        Router C -> 10.30.0.0/24

        Router A
        ----------
        Phase 1 on A heading to B has two child Phase 2
        1. 10.10.0.0/24 -> 10.20.0.0/24
        2. 10.10.0.0/24 -> 10.30.0.0/24

        Router B (B must know what to do with transiting traffic, this is probably what you're missing)

        Phase 1 on B heading to A has two child Phase 2
        1. 10.20.0.0/24 -> 10.10.0.0/24
        2. 10.30.0.0/24 -> 10.10.0.0/24 (C -> A Transit)

        Phase 1 on B heading to C has two child Phase 2
        1. 10.20.0.0/24 -> 10.30.0.0/24
        2. 10.10.0.0/24 -> 10.30.0.0/24 (A -> C Transit)

        Router C

        Phase 1 on C heading to B has two child Phase 2
        1. 10.30.0.0/24 -> 10.20.0.0/24
        2. 10.30.0.0/24 -> 10.10.0.0/24

        Also make sure that under Firewall -> Rules -> IPSEC you pass IPSEC traffic for anything (all asterisks in all columns) on all routers. After getting the tunnels up you can make finer-grained rules if you want.

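The selector layout in the answer above, as an added Python example that is not part of the thread: it generates each router's Phase 2 list for a hub-and-spoke topology (generalized to any number of spokes, including the nine sites the poster mentions) and checks whether a given site-to-site path is covered on every hop, which is the check that fails for the poster's original A-to-C case. Site names, LANs and all function names are constructed for the example.

```python
"""Added example (not from the thread): build and check the Phase 2 selectors
for an IPsec hub-and-spoke layout like A <-> B <-> C above. Rule from the
answer: a spoke's tunnel to the hub carries one Phase 2 per remote LAN; the
hub's tunnel to each spoke carries the exact mirror, and the mirror entries
whose local side is another spoke's LAN are the "transit" Phase 2s. A Phase 2
is (local_subnet, remote_subnet) as seen by the router that owns it."""

Sel = tuple[str, str]                      # (local_subnet, remote_subnet)
Config = dict[tuple[str, str], list[Sel]]  # {(router, peer): [Phase 2, ...]}

def hub_spoke_phase2(lans: dict[str, str], hub: str) -> Config:
    """Return every router's Phase 2 list toward every peer it tunnels to."""
    p2: Config = {}
    for s in (r for r in lans if r != hub):
        # Spoke s -> hub: its own LAN to every other LAN in the topology.
        p2[(s, hub)] = [(lans[s], lans[r]) for r in lans if r != s]
        # Hub -> spoke s: the mirror image; entries whose local side is a
        # different spoke's LAN are the transit selectors the hub must carry.
        p2[(hub, s)] = [(lans[r], lans[s]) for r in lans if r != s]
    return p2

def transit_selectors(p2: Config, lans: dict[str, str], hub: str) -> list[tuple[str, Sel]]:
    """The hub's Phase 2s whose local side is not the hub's own LAN."""
    return [(peer, sel) for (rtr, peer), sels in p2.items() if rtr == hub
            for sel in sels if sel[0] != lans[hub]]

def path_ok(p2: Config, lans: dict[str, str], src: str, dst: str, hub: str) -> bool:
    """True when src LAN -> dst LAN is matched by a selector on every hop and
    by the mirrored selector on the far end of each hop; this is what the
    thread's 'A cannot ping C' fails until the transit Phase 2s exist."""
    hops = [(src, dst)] if hub in (src, dst) else [(src, hub), (hub, dst)]
    sel = (lans[src], lans[dst])
    for a, b in hops:
        if sel not in p2.get((a, b), []):               # forward selector missing
            return False
        if (sel[1], sel[0]) not in p2.get((b, a), []):  # peer does not mirror it
            return False
    return True

# Constructed sample topology matching the answer's example LANs.
LANS = {"A": "10.10.0.0/24", "B": "10.20.0.0/24", "C": "10.30.0.0/24"}
HUB = "B"
# The poster's starting point: only the direct spoke<->hub Phase 2s.
SPOKE_ONLY: Config = {
    ("A", "B"): [(LANS["A"], LANS["B"])], ("B", "A"): [(LANS["B"], LANS["A"])],
    ("C", "B"): [(LANS["C"], LANS["B"])], ("B", "C"): [(LANS["B"], LANS["C"])],
}
FULL = hub_spoke_phase2(LANS, HUB)
```

`path_ok(SPOKE_ONLY, LANS, "A", "C", HUB)` is False and `path_ok(FULL, LANS, "A", "C", HUB)` is True; `transit_selectors(FULL, LANS, HUB)` lists exactly the two transit entries the answer adds on B.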
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.