Routing from A to B to C using IPsec tunnels



  • Hi,

    I currently have 3 sites connected via IPsec and pfSense: A, B, C

    In total there will be 9 sites, so want to use B as a hub.

    So:
    A has IPsec to B
    C has IPsec to B

    B & A can ping each other
    B & C can ping each other

    But…
    A cannot ping C

    I have:

    tried setting manual routes on A for C's subnet, and on C for A's subnet
    tried adding a second Phase 2 configuration on A for C's subnet, and vice versa

    But I did not stumble onto a working solution.
    What is the correct approach?

    Thanks in advance



  • Assuming that A, B, and C are all running pfSense it's relatively straightforward.

    Example LANs:
    Router A -> 10.10.0.0/24
    Router B -> 10.20.0.0/24
    Router C -> 10.30.0.0/24

    Router A
    ----------
    Phase 1 on A heading to B has two child Phase 2
    1. 10.10.0.0/24 -> 10.20.0.0/24
    2. 10.10.0.0/24 -> 10.30.0.0/24

    Router B (B must know what to do with transiting traffic, this is probably what you're missing)

    Phase 1 on B heading to A has two child Phase 2
    1. 10.20.0.0/24 -> 10.10.0.0/24
    2. 10.30.0.0/24 -> 10.10.0.0/24 (C -> A Transit)

    Phase 1 on B heading to C has two child Phase 2
    1. 10.20.0.0/24 -> 10.30.0.0/24
    2. 10.10.0.0/24 -> 10.30.0.0/24 (A -> C Transit)

    Router C

    Phase 1 on C heading to B has two child Phase 2
    1. 10.30.0.0/24 -> 10.20.0.0/24
    2. 10.30.0.0/24 -> 10.10.0.0/24

    Also make sure that under Firewall -> Rules -> IPsec you pass IPsec traffic for anything (all asterisks in all columns) on all routers. After getting the tunnels up you can make finer-grained rules if you want.
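As an added illustration (not part of either post above, and not pfSense's own tooling), the script below generalizes the answer's selector list to any number of spokes: it generates the Phase 2 local/remote pairs each router needs, including the hub's transit entries, and checks that every selector is mirrored by its peer and that every LAN-to-LAN pair is covered. The LANs are the constructed example ones from the answer; the hub name and router labels are assumptions.

```python
"""Generate and sanity-check Phase 2 selectors for a hub-and-spoke IPsec design."""

# Constructed example LANs (the same ones used in the answer); "B" is the hub.
LANS = {"A": "10.10.0.0/24", "B": "10.20.0.0/24", "C": "10.30.0.0/24"}
HUB = "B"


def phase2_plan(lans, hub):
    """Return {(router, peer): [(local_net, remote_net, note), ...]} for every
    Phase 1. Spokes only peer with the hub; the hub carries one transit selector
    per other spoke inside each spoke tunnel, which is what the asker was missing."""
    spokes = [r for r in lans if r != hub]
    plan = {}
    for s in spokes:
        # Spoke side: one direct child P2, plus one per remote spoke reached via the hub.
        spoke_sel = [(lans[s], lans[hub], "direct")]
        spoke_sel += [(lans[s], lans[t], f"{t} via {hub}") for t in spokes if t != s]
        plan[(s, hub)] = spoke_sel
        # Hub side: mirror of the direct P2, plus transit selectors whose *local*
        # network is the other spoke's LAN, because the hub forwards it into this tunnel.
        hub_sel = [(lans[hub], lans[s], "direct")]
        hub_sel += [(lans[t], lans[s], f"{t} -> {s} transit") for t in spokes if t != s]
        plan[(hub, s)] = hub_sel
    return plan


def check_plan(plan, lans, hub):
    """Return a list of problems; an empty list means every LAN can reach every other."""
    problems = []
    # 1. Each selector must be mirrored (local/remote swapped) on the far end,
    #    otherwise the two peers never agree on that child SA.
    for (r, peer), sels in plan.items():
        far = {(rem, loc) for loc, rem, _ in plan.get((peer, r), [])}
        for loc, rem, _ in sels:
            if (loc, rem) not in far:
                problems.append(f"{r}->{peer}: {loc}->{rem} has no mirror on {peer}")
    # 2. Each ordered LAN pair needs a selector at the source router and, for
    #    spoke-to-spoke traffic, a transit selector on the hub's tunnel to the destination.
    for x in lans:
        for y in lans:
            if x == y:
                continue
            first_hop = hub if x != hub else y
            if (lans[x], lans[y]) not in {(l, r) for l, r, _ in plan[(x, first_hop)]}:
                problems.append(f"no selector on {x} for {lans[x]}->{lans[y]}")
            if x != hub and y != hub and \
                    (lans[x], lans[y]) not in {(l, r) for l, r, _ in plan[(hub, y)]}:
                problems.append(f"hub {hub} cannot transit {lans[x]}->{lans[y]} to {y}")
    return problems
```

Dropping the transit entries from the generated plan reproduces the asker's symptom: the direct pairs still pass the checks, but every spoke-to-spoke pair is reported as uncovered.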

