IPSEC Tunnels / Routing in between



  • Hi All,

    I have some questions about IPSEC-Tunnels with different local and remote Networks.

    Basic Information:
    Two Branch Offices with dynamic official IP addresses and different Subnets.
    Two Datacenters with fixed IPs, a VPN Tunnel between and different Subnets.

    Branch 1 Network (Cisco UC540) -> 10.50.26.0/26
    Branch 2 Network (Meraki MX64w)-> 10.50.26.64/26

    DC 1 Network (ASA - no Access to the configuration) -> 10.60.4.0/25
    DC 2 Network (pfsense) -> 10.60.5.0/24 (in this Network is the pfsense)

    I want now, that the two Branch Offices have a VPN Tunnel to the pfsense and can reach all other Networks.

    The Situation at the Moment is this:

    Branch 1 -> VPN -> DC 2: Can reach DC 1 and DC 2
    Branch 2 -> VPN -> DC 2: Can reach DC 1 and DC 2
    DC 1 -> VPN -> DC 2: Can reach all

    So, for example, from my PC in Branch 2 I can reach all Servers in DC 1 and DC 2, but I cannot reach the UC540 in Branch 1.

    Can someone help me with the configuration?

    Thanks a lot! :)

    Kind regards,
    DrMxxxxx



  • Hi,

    What about an IPSEC Tunnel between Branch 1 and 2?

    Regards



  • Hi kopie0123,

    thanks for the answer.

    Both Branch Offices have dynamic IP addresses and Branch 2 has an IPv6 IP. That can reach other IPv4 Devices via a Gateway.

    Do you mean using dyndns?

    Kind regards,
    M



  • So you want connectivity between Branch1 and Branch2, through DC2 right?

    You just need to add another Phase2 on each of the branches and DC2, with the appropriate subnets:

    Phase1 between DC2 and Branch1
    On Branch1:
    Local subnet: 10.50.26.0/26
    Remote subnet: 10.50.26.64/26
    On DC2:
    Local subnet: 10.50.26.64/26
    Remote subnet: 10.50.26.0/26

    Phase1 between DC2 and Branch2
    On Branch2:
    Local subnet: 10.50.26.64/26
    Remote subnet: 10.50.26.0/26
    On DC2:
    Local subnet: 10.50.26.0/26
    Remote subnet: 10.50.26.64/26

    Of course you could do the same by routing through the other data center.

    Best regards!
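
A selector consistency check for the Phase 2 layout listed in the reply above, added here as an illustration and not part of any post in the thread. It models each Phase 2 entry as a (device, tunnel, local, remote) tuple built from the thread's subnets, then checks that every selector has a swapped twin on the other end of its tunnel and that DC2 holds the pair of selectors needed to relay branch-to-branch traffic. The tunnel names, the tuple layout and the existing branch-to-DC2 entries are assumptions; it checks selectors only, not how Phase 1 peers are identified.

```python
from ipaddress import ip_address, ip_network

HUB = "DC2"
T1, T2 = "DC2-Branch1", "DC2-Branch2"  # assumed tunnel names
B1, B2, DC2_LAN = "10.50.26.0/26", "10.50.26.64/26", "10.60.5.0/24"

# Constructed model: (device, tunnel, local selector, remote selector).
PHASE2 = [
    ("Branch1", T1, B1, DC2_LAN), (HUB, T1, DC2_LAN, B1),  # assumed existing entries
    ("Branch1", T1, B1, B2),      (HUB, T1, B2, B1),       # added per the reply
    ("Branch2", T2, B2, DC2_LAN), (HUB, T2, DC2_LAN, B2),  # assumed existing entries
    ("Branch2", T2, B2, B1),      (HUB, T2, B1, B2),       # added per the reply
]

def parse(entries):
    return [(d, t, ip_network(l), ip_network(r)) for d, t, l, r in entries]

def unmirrored(entries):
    """Entries with no swapped (remote, local) twin on the other end of the tunnel."""
    ents = parse(entries)
    return [(d, t, str(l), str(r)) for d, t, l, r in ents
            if not any(t2 == t and d2 != d and l2 == r and r2 == l
                       for d2, t2, l2, r2 in ents)]

def covers(ents, device, tunnel, local_ip, remote_ip):
    """True if device has a selector on tunnel with local_ip local and remote_ip remote."""
    return any(d == device and t == tunnel and local_ip in l and remote_ip in r
               for d, t, l, r in ents)

def relay_path(entries, src, dst, hub=HUB):
    """Return (in_tunnel, out_tunnel) the hub would use for src -> dst, else None."""
    ents = parse(entries)
    src, dst = ip_address(src), ip_address(dst)
    for d_in, t_in, l, r in ents:
        # Source spoke must have a selector that sends src -> dst into its tunnel,
        # and the hub must hold the mirrored selector on that same tunnel.
        if d_in == hub or not (src in l and dst in r):
            continue
        if not covers(ents, hub, t_in, dst, src):
            continue
        for d_out, t_out, _, _ in ents:
            # The hub then needs a selector on a different tunnel for src -> dst,
            # mirrored by the far spoke so the traffic is accepted there.
            if (d_out == hub and t_out != t_in
                    and covers(ents, hub, t_out, src, dst)
                    and any(d != hub and covers(ents, d, t_out, dst, src)
                            for d, _, _, _ in ents)):
                return (t_in, t_out)
    return None
```

With only the branch-to-DC2 entries, `relay_path` returns `None` for a Branch 1 to Branch 2 address pair, which matches the reachability described in the first post.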



  • Hi georgeman,

    thanks for the answer. I had similar thoughts about that. :)

    But my two Branches have dynamic IP addresses, so I cannot make a Phase 1 with a dedicated Remote Gateway. I had to "allow" any remote Gateway and make a very strong PW. ;)

    Can you help me how I can make two Phase 1 for the two Branches and add to them then the needed Networks?

    Edit: He has the same Problem as me: https://forum.pfsense.org/index.php?topic=98956.0

    Thanks!

    Kind regards,
    DrMxxxxx



  • But the VPN connections are already established and working right? Just add another Ph2 within the already configured Ph1



  • Hi,

    at the Moment it is configured like in the attached Picture. I know that this cannot work, because the FW has no Differentiation, which Network is in which "tunnel".

    But that is the question I have. How can I manage two Tunnels from devices with dynamic IPs, that have to be routed over the pfsense.

    Many thanks! :)

    Kind regards,
    DrM

    ![IPSec Config 20160131.JPG](/public/imported_attachments/1/IPSec Config 20160131.JPG)



  • Sorry, my bad. I did this several times but the "branches" were in fact OpenVPN tunnels, and they were connected through an IPsec tunnel between the main sites.

    On the basis of how all this works, I don't think you can do what I mentioned earlier (although I never tried).

    Probably your best bet is to use some dynamic DNS so you can establish a direct Ph1 between the branches, since you'll be able to ditch the 0.0.0.0/0 requirement.