First of all, I'm originally a software engineer with some network knowledge, so not a network specialist. At my current job I'm also responsible for the network. I say this because it may be a bit of a stupid or obvious question for the real network experts among us.
Our main office network is "managed" by pfSense, which also works as the IPsec server. As we place hardware on customer sites which we also maintain for them, we place our own router in their network. This "IPsec" router initiates an IPsec tunnel to our office and all our hardware is placed behind it. The (pfSense) firewall rules are configured so that:
- it's possible to access devices on the customer site (IPsec subnet) from our office
- it's not possible to access our office from the customer sites
We have a sub office which is also connected to our main office via IPsec. The difference between this connection and the customer connections is that the firewall allows access to devices in our office from that specific IPsec connection. So far, everything works as we want it to.
To make it a bit more concrete and visual, I refer to the topology diagram below.
My question covers 2 scenarios we want to realize. Possibly the solution is the same for both scenarios, but I'm not sure about this.
- We want to be able to maintain customer devices from our sub office
As described above, it's possible to access all the devices from our sub office, but it's not possible to access customer sites from there. We want to make this possible by routing the traffic through our main office to the customer, so we don't need to configure an extra IPsec connection for each sub office in the customer's IPsec router.
- We want to allow access from a specific customer location to another specific customer location
Some customers have 2 sites and want to be able to access the one from the other. This situation is similar to scenario 1, as it's actually accessing an IPsec site from another one, with the difference that we have no full control over the customer's network (only our part inside it). Maybe this makes it a different scenario?
I have no idea where to start with this, as routing from the main office to customer sites works (so routes exist at pfSense). It's also possible to access our main office network from our sub office without extra configuration (so these routes also seem to exist). Can someone explain to me how to configure the desired situation as described above, or what part I'm missing in my current configuration to make it work?
IPsec configuration (this is similar for each site except for the IPs and the PSK, of course):
<phase1>
    <ikeid>5</ikeid>
    <iketype>ikev2</iketype>
    <interface>wan</interface>
    <remote-gateway>domain.no-ip.org</remote-gateway>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data></myid_data>
    <peerid_type>fqdn</peerid_type>
    <peerid_data>domain.no-ip.org</peerid_data>
    <encryption>
        <item>
            <encryption-algorithm>
                <name>aes</name>
                <keylen>128</keylen>
            </encryption-algorithm>
            <hash-algorithm>sha256</hash-algorithm>
            <dhgroup>14</dhgroup>
        </item>
    </encryption>
    <lifetime>28800</lifetime>
    <pre-shared-key>Some_Key_Here</pre-shared-key>
    <private-key></private-key>
    <certref></certref>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <descr><![CDATA[Some IP Sec connection]]></descr>
    <nat_traversal>on</nat_traversal>
    <mobike>off</mobike>
    <closeaction></closeaction>
    <margintime></margintime>
    <responderonly></responderonly>
</phase1>
<phase2>
    <ikeid>5</ikeid>
    <uniqid>5efc4de77ba1a</uniqid>
    <mode>tunnel</mode>
    <reqid>1</reqid>
    <localid>
        <type>network</type>
        <address>10.128.0.0</address>
        <netbits>16</netbits>
    </localid>
    <remoteid>
        <type>network</type>
        <address>10.130.1.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>aes</name>
        <keylen>128</keylen>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>aes128gcm</name>
        <keylen>128</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    <pfsgroup>14</pfsgroup>
    <lifetime>3600</lifetime>
    <pinghost>10.130.1.1</pinghost>
    <descr><![CDATA[axn_int to external]]></descr>
</phase2>
WAN firewall rules: (screenshot)
Firewall rules for our desktop network at our main office (10.128.10.0/24): (screenshot)
IPsec rules: (screenshot)
I think I have mentioned and added all the info that's needed to be able to answer this question; if not, please leave a comment and I will update the question!
I appreciate any help or suggestion, thanks in advance!
0 Answers
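The post's phase 2 entries are policy-based tunnels (mode "tunnel" with a localid/remoteid network pair), so a packet is only sent through a tunnel when its source and destination both fall inside one of those selector pairs, on every router it traverses. For spoke-to-spoke traffic via the hub (sub office to customer site, or customer site A to site B) the hub therefore needs a phase 2 on each of the two tunnels that names the far-side networks, plus mirror entries on the remote routers. The script below is an added example, not part of the original question or of pfSense: it parses `<phase2>` elements in the layout shown above and lists which selector pairs the hub is missing for a given flow. The sub-office subnet (10.129.0.0/16), the second customer subnet (10.130.2.0/24) and the ikeids 6 and 7 are constructed placeholders; only 10.128.0.0/16, 10.128.10.0/24, 10.130.1.0/24 and ikeid 5 come from the post.

```python
"""Check which pfSense policy-based IPsec phase 2 selectors a hub needs for a
spoke-to-spoke flow.  Added example; selectors are read from the hub's point
of view (<localid> = hub side, <remoteid> = far side), as in pfSense config.xml.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the hub's current phase 2 entries.
# ikeid 5 = customer site 1 (from the post); ikeid 6 = customer site 2 and
# ikeid 7 = sub office are constructed placeholders.
HUB_CONFIG = """
<ipsec>
  <phase2><ikeid>5</ikeid><mode>tunnel</mode>
    <localid><type>network</type><address>10.128.0.0</address><netbits>16</netbits></localid>
    <remoteid><type>network</type><address>10.130.1.0</address><netbits>24</netbits></remoteid>
  </phase2>
  <phase2><ikeid>6</ikeid><mode>tunnel</mode>
    <localid><type>network</type><address>10.128.0.0</address><netbits>16</netbits></localid>
    <remoteid><type>network</type><address>10.130.2.0</address><netbits>24</netbits></remoteid>
  </phase2>
  <phase2><ikeid>7</ikeid><mode>tunnel</mode>
    <localid><type>network</type><address>10.128.0.0</address><netbits>16</netbits></localid>
    <remoteid><type>network</type><address>10.129.0.0</address><netbits>16</netbits></remoteid>
  </phase2>
</ipsec>
"""


def _net(elem):
    """Build an ip_network from a <localid>/<remoteid> element of type 'network'."""
    if elem.findtext("type") != "network":
        raise ValueError("only 'network' selectors are handled in this example")
    return ipaddress.ip_network(
        f"{elem.findtext('address')}/{elem.findtext('netbits')}", strict=False
    )


def parse_phase2(xml_text):
    """Return [(ikeid, local_net, remote_net), ...] for every tunnel-mode <phase2>."""
    root = ET.fromstring(xml_text)
    selectors = []
    for p2 in root.iter("phase2"):
        if p2.findtext("mode") != "tunnel":
            continue  # transport/VTI entries are not selector pairs
        selectors.append(
            (p2.findtext("ikeid"), _net(p2.find("localid")), _net(p2.find("remoteid")))
        )
    return selectors


def covers(selectors, ikeid, local, remote):
    """True if some phase 2 on tunnel `ikeid` has local ⊇ `local` and remote ⊇ `remote`."""
    return any(
        i == ikeid and local.subnet_of(l) and remote.subnet_of(r)
        for i, l, r in selectors
    )


def required_phase2(selectors, src_ikeid, src_net, dst_ikeid, dst_net):
    """Selectors the hub must have so that src_net (behind tunnel src_ikeid) can
    reach dst_net (behind tunnel dst_ikeid) through the hub.  Returns the ones
    that are missing; an empty list means the hub side is already covered."""
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    needed = [
        # inbound leg: on the source tunnel the hub's "local" side is the far destination
        (src_ikeid, dst_net, src_net),
        # outbound leg: on the destination tunnel the hub's "local" side is the far source
        (dst_ikeid, src_net, dst_net),
    ]
    return [n for n in needed if not covers(selectors, *n)]


def report(selectors, flows):
    """Human-readable summary for a list of (name, src_ikeid, src, dst_ikeid, dst)."""
    lines = []
    for name, s_id, s_net, d_id, d_net in flows:
        missing = required_phase2(selectors, s_id, s_net, d_id, d_net)
        if not missing:
            lines.append(f"{name}: covered")
        for ikeid, local, remote in missing:
            lines.append(f"{name}: add phase2 on ikeid {ikeid}: local {local} remote {remote}")
    return lines


if __name__ == "__main__":
    sel = parse_phase2(HUB_CONFIG)
    for line in report(sel, [
        ("scenario 1 (sub office -> customer 1)", "7", "10.129.0.0/16", "5", "10.130.1.0/24"),
        ("scenario 2 (customer 1 -> customer 2)", "5", "10.130.1.0/24", "6", "10.130.2.0/24"),
    ]):
        print(line)
```

Each missing line the script prints on the hub has a mirror image on the remote router (its local is the hub's remote and vice versa), and the hub's IPsec-interface firewall rules must also pass the forwarded flow; the existing rule that blocks customer sites from reaching the office does not cover a flow whose destination is another spoke, so it needs its own explicit allow or deny. The script only checks selectors, not those rules.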