Discussion:
IPSEC VPN Multiple Subnets
Paul Peziol
2010-05-27 03:42:40 UTC
I have come across where pfSense 2.0 can support multiple networks over
IPsec. Can I create a tunnel between pfSense 1.2.3rc1 and 2.0beta2?
I have a 192.168.20.0/24 network behind the 2.0 pfSense (Site A) and behind
the 1.2.3 I have 192.168.2.0/24 and 192.168.4.0/24 (Site B). Is it possible to
create a tunnel between Site A and Site B where Site A can access both
networks on Site B? I created the 2nd Phase 2 policy in Site A but that never
seems to come up, while the 192.168.2.0 network connects.

Considering Site B is a production environment I hesitate to upgrade to a
beta version right now. Site A is not as critical as it's a home office.
Thank you
Abdulrehman
2010-05-27 05:58:19 UTC
Yes you can... In fact I have 3 different subnets on IPsec.
--
Regards
Abdulrehman
Paul Peziol
2010-05-27 06:05:36 UTC
How would I set that up? Do I need 2 separate tunnels created or can I use 1
tunnel to route both networks? I tried to set up both subnets in the 2.0
version to connect to the 1.2.3 (that has 2 subnets) and it would error
out.
Paul Peziol
2010-05-27 06:13:44 UTC
This is what I get on the 1.2.3 side:
racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 192.168.20.0/24[0] 192.168.4.0/24[0] proto=any dir=in
Abdulrehman
2010-05-27 06:23:22 UTC
Yes, you will set up a separate tunnel for each subnet. I also get this error at
times but it is fine after restarting racoon...
ERROR: no policy found: 192.168.20.0/24[0] 192.168.4.0/24[0] proto=any dir=in
--
Regards
Abdulrehman
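The "no policy found ... dir=in" error above is racoon rejecting an inbound Phase 2 whose selector has no matching entry in its own SPD, which is why a second Phase 2 on Site A alone never comes up until Site B gets a matching tunnel. The following is an added example (not pfSense or racoon code) that models that per-direction SPD lookup with the thread's subnets; the data structures and function names are assumptions.

```python
"""Added example: model of the per-direction SPD lookup behind racoon's
"no policy found ... dir=in" error.  A gateway only installs SPD entries
for the Phase 2 selectors in its own config, so an inbound SA negotiated
for a selector it does not know is rejected.  Subnets are from the thread;
the structures below are assumptions, not pfSense's own."""
from ipaddress import ip_network

# Constructed Phase 2 selectors as (local_subnet, remote_subnet) pairs.
SITE_A_P2 = [
    ("192.168.20.0/24", "192.168.2.0/24"),
    ("192.168.20.0/24", "192.168.4.0/24"),  # the 2nd Phase 2 added on Site A
]
SITE_B_P2_BEFORE = [("192.168.2.0/24", "192.168.20.0/24")]
# Site B after adding the second tunnel, as the thread recommends.
SITE_B_P2_AFTER = SITE_B_P2_BEFORE + [("192.168.4.0/24", "192.168.20.0/24")]


def build_spd(p2_list):
    """SPD a gateway installs: an 'out' and an 'in' entry per Phase 2."""
    spd = set()
    for local, remote in p2_list:
        l, r = ip_network(local), ip_network(remote)
        spd.add((l, r, "out"))  # local -> remote leaves through the tunnel
        spd.add((r, l, "in"))   # remote -> local arrives through the tunnel
    return spd


def missing_inbound_policies(initiator_p2, responder_p2):
    """racoon-style errors the responder logs for each initiator Phase 2
    whose (src, dst) selector has no matching inbound SPD entry."""
    spd = build_spd(responder_p2)
    errors = []
    for local, remote in initiator_p2:
        src, dst = ip_network(local), ip_network(remote)
        if (src, dst, "in") not in spd:
            errors.append(
                f"no policy found: {src}[0] {dst}[0] proto=any dir=in")
    return errors


def diagnose(site_a_p2, site_b_p2):
    """Check both directions, since either side may initiate a Phase 2."""
    return {
        "site_b_logs": missing_inbound_policies(site_a_p2, site_b_p2),
        "site_a_logs": missing_inbound_policies(site_b_p2, site_a_p2),
    }


if __name__ == "__main__":
    for name, b in (("before", SITE_B_P2_BEFORE), ("after", SITE_B_P2_AFTER)):
        print(name, diagnose(SITE_A_P2, b))
```

With Site B's single tunnel the model reproduces the exact error line from the thread for the 192.168.4.0/24 selector; after the second tunnel is added on Site B both directions are clean.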
Paul Peziol
2010-05-27 06:48:48 UTC
Well, I'm making progress. In the 2.0 I added a 2nd Phase 2 for the 2nd
network. On the 1.2.3 side I added a 2nd identical tunnel. When I go to
the status page on the 1.2.3 I get green arrows on both. On the 2.0beta side
I get a green arrow for the original 192.168.2.0 network but a yellow X on
the 192.168.4.0 network.
Abdulrehman
2010-05-27 07:10:31 UTC
What authentication mode are you using? Is it Pre-Shared Key? Well, if it
is, then don't re-use the same key. Use a different key for every tunnel.
--
Regards
Abdulrehman
Veiko Kukk
2010-05-27 08:12:29 UTC
Post by Abdulrehman
What authentication mode are you using? Is it Pre-Shared Key? Well, if
it is, then don't re-use the same key. Use a different key for every tunnel.
It will work with the same key, no need for different keys. I have IPsec
with three tunnels for three different subnets using the same key.
--
Veiko

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org

Commercial support available - https://portal.pfsense.org
Paul Peziol
2010-05-27 13:36:26 UTC
It is PSK.
Does it matter what encryption I use? It's using blowfish/sha1 right now to
minimize bandwidth for the tunnels themselves.