IPSEC Tunnels / Routing in between

DrMxxxxx

Hi All,

I have some questions about IPSEC-Tunnels with different local and remote Networks.

Basic Information:
Two Branch Offices with dynamic official IP-Adresses and different Subnets.
Two Datacenter with fixed IPs, a VPN Tunnel between and different Subnets.

Branch 1 Network (Cisco UC540) -> 10.50.26.0/26
Branch 2 Network (Meraki MX64w)-> 10.50.26.64/26

DC 1 Network (ASA - no Access to the configuration) -> 10.60.4.0/25
DC 2 Network (pfsense) -> 10.60.5.0/24 (in this Network is the pfsense)

I want now, that the two Branch Offices have a VPN Tunnel to the pfsense and can reach all other Networks.

The Situation at the Moment is this:

Branch 1 -> VPN -> DC 2: Can reach DC 1 and DC 2
Branch 2 -> VPN -> DC 2: Can reach DC 1 and DC 2
DC 1 -> VPN -> DC 2: Can reach all

So, for example, from my PC in Branch 2 I can reach all Servers in DC 1 and DC 2, but I cannot reach the UC540 in Branch 1.

Can someone help me with the configuration?

Thanks a lot! :)

Kind regards,
DrMxxxxx

kopie0123

Hi,

whats about an IPSEC Tunnel between Branch 1 and 2?

Regards

DrMxxxxx

Hi kopie0123,

thanks for the answer.

Both Branch Offices have dynamic IP addresses and Branch 2 has a IPv6 IP. That can reach other IPv4 Devices via a Gateway.

Do you mean using dyndns?

Kind regards,
M

georgeman

So you want connectivity between Branch1 and Branch2, through DC2 right?

You just need to add another Phase2 on each of the branches and DC2, with the appropriate subnets:

Phase1 between DC2 and Branch1
On Branch1:
Local subnet: 10.50.26.0/26
Remote subnet: 10.50.26.64/26
On DC2:
Local subnet: 10.50.26.64/26
Remote subnet: 10.50.26.0/26

Phase1 between DC2 and Branch2
On Branch2:
Local subnet: 10.50.26.64/26
Remote subnet: 10.50.26.0/26
On DC2:
Local subnet: 10.50.26.0/26
Remote subnet: 10.50.26.64/26

Of course you could do the same by routing through the other data center.

Best regards!

DrMxxxxx

Hi georgeman,

thanks for the answer. I had similar thoughts about that. :)

But my two Branches have dynamic IP addresses, so I cannot make a Phase 1 with a dedicated Remote Gateway. I had to "allow" any remote Gateway and make a very strong PW. ;)

Can you help me how I can make two Phase 1 for the two Branches and add to them then the needed Networks?

Edit: He has the same Problem as me: https://forum.pfsense.org/index.php?topic=98956.0

Thanks!

Kind regards,
DrMxxxxx

georgeman

But the VPN connections are already established and working right? Just add another Ph2 within the already configured Ph1

DrMxxxxx

Hi,

at the Moment it is configured like in the attached Picture. I know that this cannot work, because the FW has no Differentiation, which Network is in which "tunnel".

But that is the question I have. How can I manage two Tunnels from devices with dynamic IPs, that have to be routed over the pfsense.

Many thanks! :)

Kind regards,
DrM

![IPSec Config 20160131.JPG](/public/imported_attachments/1/IPSec Config 20160131.JPG)
![IPSec Config 20160131.JPG_thumb](/public/imported_attachments/1/IPSec Config 20160131.JPG_thumb)

georgeman

Sorry, my bad. I did this several times but the "branches" were in fact OpenVPN tunnels, and they were connected through an IPsec tunnel between the main sites.

On the basis of how all this work, I don't think you can do what I mentioned earlier (although I never tried)

Probably your best bet is to use some dynamic DNS so you can establish a direct Ph1 between the branches, since you'll be able to ditch the 0.0.0.0/0 requirement