
Author Topic: Adding multiple subnets to VPN tunnels  (Read 8999 times)


Offline master_fungul

Adding multiple subnets to VPN tunnels
« on: January 16, 2007, 11:35:55 pm »
I'm trying to add multiple subnets to the subnet rules of a VPN tunnel, but it seems as though you can only add one local or one remote subnet to each VPN tunnel. Is there a way this can be done?

For example, I have 2 local networks, 192.168.1.0/24 and 172.16.1.0/24, which need to connect to a remote subnet 10.1.1.0/24. How could this be done on pfsense, similar to how you can add multiple access lists with Cisco or Checkpoint rules?

Thanks

Offline hoba

Re: Adding multiple subnets to VPN tunnels
« Reply #1 on: January 17, 2007, 03:48:49 am »
You either have to sum up subnets (like 192.168.1.0/24 + 192.168.199.0/24 = 192.168.0.0/16) or build parallel tunnels. If using parallel tunnels between the same public endpoints, each tunnel has to use unique identifiers if you do it this way.

Adding different subnets to the same tunnel is not supported atm.
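
The two options from the reply above, worked through as an added example (not part of the original post; the function names are illustrative and the code assumes IPv4). It computes the smallest single block covering a set of subnets, counts how many addresses that summary admits beyond the intended ones, and lists the subnet pairs that parallel tunnels would need.

```python
import ipaddress
from itertools import product

def covering_supernet(subnets):
    """Smallest single CIDR block that contains every given IPv4 subnet."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # The leading bits shared by the lowest and highest address form the prefix.
    prefix = 32 - (lo ^ hi).bit_length()
    host_mask = (1 << (32 - prefix)) - 1
    return ipaddress.IPv4Network((lo & ~host_mask, prefix))

def overreach(subnets):
    """Addresses inside the summary that belong to none of the real subnets."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    wanted = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covering_supernet(subnets).num_addresses - wanted

def parallel_tunnels(local, remote):
    """One tunnel definition per (local subnet, remote subnet) pair."""
    return list(product(local, remote))

if __name__ == "__main__":
    # Subnets taken from the thread: the reply's example and the question's case.
    cases = {
        "reply example": ["192.168.1.0/24", "192.168.199.0/24"],
        "question": ["192.168.1.0/24", "172.16.1.0/24"],
    }
    for name, local in cases.items():
        print(name, covering_supernet(local), "extra addresses:", overreach(local))
    for pair in parallel_tunnels(cases["question"], ["10.1.1.0/24"]):
        print("tunnel:", pair[0], "<->", pair[1])
```

For the two local networks in the question, the only single covering block is 128.0.0.0/1, so summing up is not a realistic option there and two parallel tunnels are needed. Even the reply's 192.168.0.0/16 summary covers 65,024 addresses outside the two /24s, which firewall rules on the tunnel would have to restrict.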

Offline master_fungul

Re: Adding multiple subnets to VPN tunnels
« Reply #2 on: January 17, 2007, 05:02:12 pm »
Thanks for the reply.

Do you know when and if this will become a feature of pfSense?

Also, will using parallel tunnels mean that we have to create multiple tunnels at the other end if we have a Cisco/CheckPoint device there? Have you had any experience with this?

Thanks again.
 

Offline hoba

Re: Adding multiple subnets to VPN tunnels
« Reply #3 on: January 17, 2007, 05:15:20 pm »
I think nobody is working on multiple subnets in one tunnel atm.

I've only used the parallel tunnel attempt between pfSense systems so far. I don't know how well or if this will work with other systems.

Offline rlai000

Re: Adding multiple subnets to VPN tunnels
« Reply #4 on: February 23, 2007, 01:35:04 am »
I've had a successful parallel tunnel to a SonicWall 1260.

Offline master_fungul

Re: Adding multiple subnets to VPN tunnels
« Reply #5 on: February 25, 2007, 05:22:28 pm »
Since posting this I have tested parallel tunnels between pfsense machines, between pfsense and cisco pix, and between pfsense and checkpoint.

It seems to work fine, but my only concern is how the pfsense box will work with heaps of parallel tunnels (terminating to different devices) for multiple VPN tunnels. Not sure if anyone has tested this, but would be nice to get some feedback on it.
 

Offline hoba

Re: Adding multiple subnets to VPN tunnels
« Reply #6 on: February 25, 2007, 05:27:53 pm »
I have a pfsense acting as concentrator that runs tunnels to 13 sublocations and, in addition to that, 2x2 parallel tunnels to datacenters. The way it is set up, traffic between sublocations even gets routed through the concentrator. No problems with that setup. The sublocations run pfSense as well; the devices at the datacenters are unknown, as they are not managed by me, but I doubt that these are pfSense as well ;)
« Last Edit: February 25, 2007, 05:29:41 pm by hoba »

Offline master_fungul

Re: Adding multiple subnets to VPN tunnels
« Reply #7 on: February 25, 2007, 05:55:42 pm »
OK that sounds good. We are looking at moving all our VPN tunnels from an existing checkpoint firewall to pfsense infrastructure. We've currently got over 30 VPN tunnels to customer sites, and most of these will have parallel tunnels, but sounds as though you have a similar setup.

We are looking at using a HP DL360 G4 (3.4GHz CPU, 2GB RAM) as the pfsense platform. I'm not too sure what the loading is like with heaps of tunnels running at once (plus all the traffic running through them). Would this run quite nicely, or do we need more power?

Offline hoba

Re: Adding multiple subnets to VPN tunnels
« Reply #8 on: February 25, 2007, 06:07:19 pm »
Depends on the throughput you need. What's your max wan bandwidth?

Offline master_fungul

Re: Adding multiple subnets to VPN tunnels
« Reply #9 on: February 25, 2007, 08:23:38 pm »
We have a pretty big WAN connection from our datacentre (100 Mbit), and the internal network runs on gigabit. I guess I'm just looking at load on the server itself, but think that it should run happily.

Thanks for your help. :)

Offline hoba

Re: Adding multiple subnets to VPN tunnels
« Reply #10 on: February 25, 2007, 09:22:27 pm »
There is nothing like real life testing but I have a feeling that this machine should do the job.