Netgate Discussion Forum
    IPSEC Tunnels / Routing in between

DrMxxxxx

      Hi All,

I have some questions about IPsec tunnels with different local and remote networks.

      Basic Information:
Two branch offices with dynamic public IP addresses and different subnets.
Two data centers with fixed IPs, a VPN tunnel between them, and different subnets.

      Branch 1 Network (Cisco UC540) -> 10.50.26.0/26
      Branch 2 Network (Meraki MX64w)-> 10.50.26.64/26

      DC 1 Network (ASA - no Access to the configuration) -> 10.60.4.0/25
      DC 2 Network (pfsense) -> 10.60.5.0/24 (in this Network is the pfsense)

I now want the two branch offices to have a VPN tunnel to the pfSense and to be able to reach all the other networks.

      The Situation at the Moment is this:

      Branch 1 -> VPN -> DC 2: Can reach DC 1 and DC 2
      Branch 2 -> VPN -> DC 2: Can reach DC 1 and DC 2
      DC 1 -> VPN -> DC 2: Can reach all

So, for example, from my PC in Branch 2 I can reach all servers in DC 1 and DC 2, but I cannot reach the UC540 in Branch 1.

      Can someone help me with the configuration?

      Thanks a lot! :)

      Kind regards,
      DrMxxxxx

kopie0123

        Hi,

What about an IPsec tunnel between Branch 1 and 2?

        Regards

DrMxxxxx

          Hi kopie0123,

          thanks for the answer.

Both branch offices have dynamic IP addresses, and Branch 2 has an IPv6 address, which can reach other IPv4 devices via a gateway.

          Do you mean using dyndns?

          Kind regards,
          M

georgeman

So you want connectivity between Branch 1 and Branch 2, through DC 2, right?

You just need to add another Phase 2 on each of the branches and on DC 2, with the appropriate subnets:

            Phase1 between DC2 and Branch1
            On Branch1:
            Local subnet: 10.50.26.0/26
            Remote subnet: 10.50.26.64/26
            On DC2:
            Local subnet: 10.50.26.64/26
            Remote subnet: 10.50.26.0/26

            Phase1 between DC2 and Branch2
            On Branch2:
            Local subnet: 10.50.26.64/26
            Remote subnet: 10.50.26.0/26
            On DC2:
            Local subnet: 10.50.26.0/26
            Remote subnet: 10.50.26.64/26

            Of course you could do the same by routing through the other data center.

            Best regards!

            If it ain't broke, you haven't tampered enough with it

DrMxxxxx
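To see why the extra Phase 2 entries are needed, here is an added check (not from the thread or pfSense itself) that models each tunnel end's Phase 2 traffic selectors with the thread's subnets and walks a Branch 2 to Branch 1 packet through the pfSense in DC 2. It models selectors only; how the pfSense tells the two dynamic-IP peers apart in Phase 1 is a separate question.

```python
import ipaddress

# Subnets taken from the thread
BRANCH1 = ipaddress.ip_network("10.50.26.0/26")
BRANCH2 = ipaddress.ip_network("10.50.26.64/26")
DC1 = ipaddress.ip_network("10.60.4.0/25")
DC2 = ipaddress.ip_network("10.60.5.0/24")

def current_phase2():
    """Phase 2 selectors per tunnel end, keyed (device, peer), as (local, remote)
    pairs. Constructed from the thread: branches reach DC 1 and DC 2 only."""
    return {
        ("branch1", "dc2"): [(BRANCH1, DC2), (BRANCH1, DC1)],
        ("dc2", "branch1"): [(DC2, BRANCH1), (DC1, BRANCH1)],
        ("branch2", "dc2"): [(BRANCH2, DC2), (BRANCH2, DC1)],
        ("dc2", "branch2"): [(DC2, BRANCH2), (DC1, BRANCH2)],
    }

def add_branch_to_branch(p2):
    """Return a copy with the four extra Phase 2 entries listed in the reply above."""
    fixed = {k: list(v) for k, v in p2.items()}
    fixed[("branch1", "dc2")].append((BRANCH1, BRANCH2))
    fixed[("dc2", "branch1")].append((BRANCH2, BRANCH1))
    fixed[("branch2", "dc2")].append((BRANCH2, BRANCH1))
    fixed[("dc2", "branch2")].append((BRANCH1, BRANCH2))
    return fixed

def first_failing_hop(p2, src, dst, hops):
    """Walk the tunnel ends in order. Even positions encapsulate (a selector
    needs local>=src, remote>=dst); odd positions decapsulate, where the
    selector is mirrored (local>=dst, remote>=src). Returns None when every
    hop has a matching selector, otherwise the (device, peer) end that has
    no matching Phase 2 and therefore will not carry the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, end in enumerate(hops):
        want_local, want_remote = (src, dst) if i % 2 == 0 else (dst, src)
        if not any(want_local in loc and want_remote in rem
                   for loc, rem in p2.get(end, [])):
            return end
    return None

# Branch 2 host to Branch 1 host, relayed by the pfSense in DC 2
B2_TO_B1 = [("branch2", "dc2"), ("dc2", "branch2"),
            ("dc2", "branch1"), ("branch1", "dc2")]

if __name__ == "__main__":
    print(first_failing_hop(current_phase2(), "10.50.26.70", "10.50.26.10", B2_TO_B1))
    print(first_failing_hop(add_branch_to_branch(current_phase2()),
                            "10.50.26.70", "10.50.26.10", B2_TO_B1))
```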

              Hi georgeman,

              thanks for the answer. I had similar thoughts about that. :)

But my two branches have dynamic IP addresses, so I cannot make a Phase 1 with a dedicated remote gateway. I had to "allow" any remote gateway and use a very strong PW. ;)

Can you help me with how to make two Phase 1s for the two branches and then add the needed networks to them?

              Edit: He has the same Problem as me: https://forum.pfsense.org/index.php?topic=98956.0

              Thanks!

              Kind regards,
              DrMxxxxx

georgeman

But the VPN connections are already established and working, right? Just add another Ph2 within the already configured Ph1.

                If it ain't broke, you haven't tampered enough with it

DrMxxxxx

                  Hi,

At the moment it is configured as in the attached picture. I know that this cannot work, because the FW has no way to differentiate which network belongs to which "tunnel".

But that is the question I have: how can I manage two tunnels from devices with dynamic IPs that have to be routed over the pfSense?

                  Many thanks! :)

                  Kind regards,
                  DrM

                  ![IPSec Config 20160131.JPG](/public/imported_attachments/1/IPSec Config 20160131.JPG)

georgeman

                    Sorry, my bad. I did this several times but the "branches" were in fact OpenVPN tunnels, and they were connected through an IPsec tunnel between the main sites.

On the basis of how all this works, I don't think you can do what I mentioned earlier (although I never tried).

Probably your best bet is to use some dynamic DNS so you can establish a direct Ph1 between the branches, since you'll be able to ditch the 0.0.0.0/0 requirement.

                    If it ain't broke, you haven't tampered enough with it
