I have three sites connected with two IPSec tunnels:
Site A - 192.168.10.0/24
|
IPSec tunnel
|
Site B - 192.168.0.0/24
|
IPSec tunnel
|
Site C - 10.0.0.0/8
This works great, and I can reach Site A and Site C from Site B. What I need is to reach Site C from Site A. Is that possible with my current setup?
Assuming that you don't want to negotiate an additional tunnel between Site A and Site C directly, you can do this simply by negotiating the appropriate IPsec policies on the two existing connections (and, of course, allowing forwarding of that traffic on Site B).
Between Site A and B you negotiate 10.0.0.0/8 on Site B, and between Site B and Site C you negotiate 192.168.10.0/24 on Site B. This enables Site A and Site C to send traffic to those additional subnets to Site B, which then also can forward that traffic appropriately (it needs forward policies that allow traffic from 192.168.10.0/24 to 10.0.0.0/8 and vice-versa).

If you use IKEv2 you can simply add the additional subnets to Site B's local traffic selector for each of the two connections. And similarly on Site A and Site C for their remote traffic selectors, or you may configure 0.0.0.0/0 there to let Site B do the narrowing to the two subnets.
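Added example (not part of the question or the answer above): the hub side of the setup the answer describes, written in strongSwan swanctl.conf syntax with IKEv2. Site B lists the far-side network in each connection's local traffic selector, and the spoke lists both of the networks behind Site B in its remote selector. The gateway addresses (198.51.100.x, 203.0.113.x), the identities, the connection names and the pre-shared keys are placeholders I made up for the example.

```conf
# Site B (hub): /etc/swanctl/swanctl.conf -- added example, not from the original post.
# Public addresses, identities, connection names and secrets are assumed placeholders.
connections {
    to-site-a {
        version = 2
        local_addrs  = 198.51.100.2     # Site B public address (assumed)
        remote_addrs = 198.51.100.1     # Site A public address (assumed)
        local {
            auth = psk
            id = siteb.example
        }
        remote {
            auth = psk
            id = sitea.example
        }
        children {
            lans {
                # Site B offers its own LAN plus Site C's network to Site A
                local_ts  = 192.168.0.0/24, 10.0.0.0/8
                remote_ts = 192.168.10.0/24
                start_action = trap
            }
        }
    }
    to-site-c {
        version = 2
        local_addrs  = 198.51.100.2
        remote_addrs = 203.0.113.1      # Site C public address (assumed)
        local {
            auth = psk
            id = siteb.example
        }
        remote {
            auth = psk
            id = sitec.example
        }
        children {
            lans {
                # Site B offers its own LAN plus Site A's network to Site C
                local_ts  = 192.168.0.0/24, 192.168.10.0/24
                remote_ts = 10.0.0.0/8
                start_action = trap
            }
        }
    }
}

secrets {
    ike-a {
        id = sitea.example
        secret = "replace-me-a"
    }
    ike-c {
        id = sitec.example
        secret = "replace-me-c"
    }
}

# Site A (spoke): the matching child section. Its remote_ts names both networks
# reachable through Site B; 0.0.0.0/0 would also work and let Site B narrow it.
#
#        children {
#            lans {
#                local_ts  = 192.168.10.0/24
#                remote_ts = 192.168.0.0/24, 10.0.0.0/8
#                start_action = trap
#            }
#        }
```

Two things the configuration alone does not take care of on Site B: IP forwarding has to be enabled (net.ipv4.ip_forward = 1), and the host firewall's FORWARD chain must accept traffic between 192.168.10.0/24 and 10.0.0.0/8 in both directions, because the IPsec policies do not bypass the packet filter. After `swanctl --load-all`, `swanctl --list-sas` should show both CHILD_SAs with the widened selectors, and `ip xfrm policy` should show the fwd policies for 192.168.10.0/24 and 10.0.0.0/8. With IKEv1 the same layout needs a separate child section per subnet pair, since strongSwan negotiates one subnet pair per IKEv1 CHILD_SA.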