Author Topic: IPSEC Client -> Site-to-Site VPN via PFsense  (Read 320 times)

Offline mdonner

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
IPSEC Client -> Site-to-Site VPN via PFsense
« on: February 14, 2017, 11:54:29 am »
Dear folks,

This is my first post, so don't blame me :) I have the following situation:

- Windows clients connect via the Shrew Soft VPN client to my pfSense (IPsec; the virtual IP range is therefore 10.10.10.0/24)
- A Fortigate connects via an IPsec site-to-site tunnel to my pfSense (and has the network 192.168.90.0/24)
- My local network is 172.10.10.0/24 (where the pfSense sits)

The goal is to be able to connect the Windows client to my pfSense and access the 192.168.90.0/24 network.

Currently I'm able to open the IPsec tunnel from the Windows client and access my local network (172.10.10.0).

I tried several things that should fix the issue, without success. Now I'm asking the pros here ... what would help is to know:

- what firewall rules need to be in place
- currently I'm doing NAT on all tunnels - is this OK?

Side note: if I list the accessible networks on the Windows client (route print) I do not get the 192.168.90.0 network (the local network 172.10.10.0 is provided). I added it manually in the Shrew Soft client ....

Thanks to everybody who supports me on this!

BR,
Matthias

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 19819
  • Karma: +1122/-8
Re: IPSEC Client -> Site-to-Site VPN via PFsense
« Reply #1 on: February 17, 2017, 10:12:57 am »
You need to set up Phase 2 entries for the extra network, so:

On the Mobile P1, you need a P2 for 192.168.90.0/24 and one for 172.10.10.0/24.
On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!)

And you also have to pass that traffic in the IPsec tab firewall rules.

Offline mrcola

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
Re: IPSEC Client -> Site-to-Site VPN via PFsense
« Reply #2 on: February 20, 2017, 02:22:11 am »
Quote from: jimp on February 17, 2017, 10:12:57 am
You need to set up Phase 2 entries for the extra network, so:

On the Mobile P1, you need a P2 for 192.168.90.0/24 and one for 172.10.10.0/24.
On the Fortigate IPsec tunnel P1, you need a P2 to cover 10.10.10.0/24 <-> 192.168.90.0/24 (on both pfSense and the Fortigate!)

And you also have to pass that traffic in the IPsec tab firewall rules.

Hi Admin,

I have a similar setup:

A site-to-site IPsec VPN, both ends running pfSense 2.3.2_p1 (192.168.50.0/24 and 192.168.70.0/24), and a mobile IPsec endpoint (192.168.71.0/24). My goal is to allow mobile IPsec users to access both sites.

Now I have the following setup:

Mobile P2: 192.168.70.0/24 and 192.168.50.0/24
Site-to-site P2: 192.168.70.0/23 (covers both .70 and .71) <-> 192.168.50.0/24

So far the user who has 192.168.71.1 (Android native IPsec client) can access 192.168.70.0/24 but not 192.168.50.0/24. The firewall rules on the IPsec tab are set to allow all.

Here is the tracert from a Windows box in the 192.168.50.0/24 subnet (192.168.50.2 is the pfSense LAN IP):

tracert 192.168.70.2

Tracing route to 192.168.70.2 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.50.2
  2     7 ms     7 ms     6 ms  192.168.70.2


tracert 192.168.71.1

Tracing route to 192.168.71.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.50.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4  ^C

In the firewall states I can see some traffic, so I guess pfSense doesn't know where to send the traffic back.

Please advise.

Thanks
« Last Edit: February 20, 2017, 02:32:57 am by mrcola »

Offline mdonner

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: IPSEC Client -> Site-to-Site VPN via PFsense
« Reply #3 on: February 27, 2017, 10:56:44 am »
Hey all,

Exactly the same here; adding a second P2 network isn't fixing my issue. Either way, the mobile client doesn't know how to reach the other IPsec destination. On a Fortigate you can define static routes, and each IPsec connection can be added as a "source device". Unfortunately this doesn't work the same way on pfSense. What I'm missing is a way to tell a pfSense static route to use an IPsec connection as its "gateway". If anybody can shed some light on this issue I would really appreciate it.

BR,
Matthias

Offline mrcola

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
Re: IPSEC Client -> Site-to-Site VPN via PFsense
« Reply #4 on: February 27, 2017, 05:01:42 pm »
Hi,

I figured out a workaround myself.

On the mobile P1, add a P2 that routes everything, 0.0.0.0/0. I am using the Android built-in VPN client, which lets me define which range of IPs goes through the VPN.

The site-to-site P2s are needed as suggested.

Thanks
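The Phase 2 reasoning in jimp's reply (a P2 on each tunnel for the hairpinned networks) and mrcola's 0.0.0.0/0 workaround above, as an added example that is not part of this thread: a small Python checker that models each tunnel's Phase 2 entries as (local, remote) selector pairs and tests whether a packet arriving on one tunnel has a matching selector to leave on the other, in both directions, since a missing selector for the reply path drops the return traffic just as surely. The tunnel labels, the sample host addresses (10.10.10.5, 192.168.90.10, 192.168.50.10) and the function names are my own; the network numbers are the ones posted in the thread. It only models the selectors on the pfSense in the middle: it says nothing about the far peer's configuration, the IPsec tab firewall rules, or the client's routing table, all of which also have to agree.

```python
# Added example, not code from the thread or from pfSense: model Phase 2
# entries as traffic selectors and check whether a flow can be hairpinned
# from one IPsec tunnel to another on the same pfSense, in both directions.
from ipaddress import ip_address, ip_network


def make_tunnel(name, p2_entries):
    """A tunnel is a list of Phase 2 (local network, remote network) pairs."""
    return {"name": name,
            "p2": [(ip_network(loc), ip_network(rem)) for loc, rem in p2_entries]}


def matching_p2(tunnel, local_ip, remote_ip):
    """First P2 whose local side contains local_ip and whose remote side
    contains remote_ip, or None (no matching child SA => packet dropped)."""
    local_ip, remote_ip = ip_address(local_ip), ip_address(remote_ip)
    for local_net, remote_net in tunnel["p2"]:
        if local_ip in local_net and remote_ip in remote_net:
            return (str(local_net), str(remote_net))
    return None


def can_hairpin(in_tunnel, out_tunnel, src, dst):
    """A packet from src arrives on in_tunnel and must leave on out_tunnel.
    Inbound: src is on in_tunnel's remote side, dst on its local side.
    Outbound: src counts as 'local' for out_tunnel, dst as its remote side."""
    inbound = matching_p2(in_tunnel, local_ip=dst, remote_ip=src)
    outbound = matching_p2(out_tunnel, local_ip=src, remote_ip=dst)
    return inbound is not None and outbound is not None


def check_both_ways(tun_a, tun_b, host_a, host_b):
    """host_a sits behind tun_a, host_b behind tun_b. Returns
    (forward_ok, reply_ok); both must be True or the session fails."""
    return (can_hairpin(tun_a, tun_b, host_a, host_b),
            can_hairpin(tun_b, tun_a, host_b, host_a))


# Scenario 1 (mdonner, as first posted): each tunnel only has a P2 for the
# pfSense LAN, so the mobile client cannot reach the Fortigate network.
def mdonner_before():
    mobile = make_tunnel("mobile", [("172.10.10.0/24", "10.10.10.0/24")])
    fortigate = make_tunnel("fortigate", [("172.10.10.0/24", "192.168.90.0/24")])
    return check_both_ways(mobile, fortigate, "10.10.10.5", "192.168.90.10")


# Scenario 2: the extra P2 added on the mobile P1 only. Inbound matches,
# but the Fortigate tunnel still has no selector for 10.10.10.0/24.
def mdonner_half():
    mobile = make_tunnel("mobile", [("172.10.10.0/24", "10.10.10.0/24"),
                                    ("192.168.90.0/24", "10.10.10.0/24")])
    fortigate = make_tunnel("fortigate", [("172.10.10.0/24", "192.168.90.0/24")])
    return check_both_ways(mobile, fortigate, "10.10.10.5", "192.168.90.10")


# Scenario 3 (jimp's reply): a P2 on both tunnels covering the hairpin pair.
# The Fortigate end needs the mirror image, which this checker does not see.
def mdonner_after():
    mobile = make_tunnel("mobile", [("172.10.10.0/24", "10.10.10.0/24"),
                                    ("192.168.90.0/24", "10.10.10.0/24")])
    fortigate = make_tunnel("fortigate", [("172.10.10.0/24", "192.168.90.0/24"),
                                          ("10.10.10.0/24", "192.168.90.0/24")])
    return check_both_ways(mobile, fortigate, "10.10.10.5", "192.168.90.10")


# Scenario 4 (mrcola's workaround): 0.0.0.0/0 on the mobile P2 covers any
# destination, and the /23 on the site-to-site P2 covers the mobile pool.
def mrcola_workaround():
    mobile = make_tunnel("mobile", [("0.0.0.0/0", "192.168.71.0/24")])
    s2s = make_tunnel("site-to-site", [("192.168.70.0/23", "192.168.50.0/24")])
    return check_both_ways(mobile, s2s, "192.168.71.1", "192.168.50.10")


if __name__ == "__main__":
    for label, fn in [("before", mdonner_before), ("mobile P2 only", mdonner_half),
                      ("both P2s", mdonner_after), ("0.0.0.0/0 workaround", mrcola_workaround)]:
        print(f"{label:22s} forward/reply OK: {fn()}")
```

The half-configured scenario is the one worth looking at: the client's packets do enter the mobile tunnel, so states appear on the firewall, but nothing on the second tunnel claims them, which matches the "traffic in the states but no reply" symptom described above. The 0.0.0.0/0 selector trades precision for convenience; it relies on the client to decide what is sent through the tunnel, and anything it does send is accepted by the pfSense side.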