On Fri, Dec 16, 2011 at 8:35 AM, Jim Pingle <li...@pingle.org> wrote:
> On 12/16/2011 8:06 AM, Ståle Johnsen wrote:
> > 2011/12/16 Jim Pingle <li...@pingle.org <mailto:li...@pingle.org>>
> >
> >     On 12/16/2011 5:43 AM, Ståle Johnsen wrote:
> >     > We have an ipsec between pfsense 2.0 and a cisco system. The ipsec has
> >     > the following addresses: /24 subnet (pfsense) <-> /32 single address
> >     > (cisco). This is working fine but now the cisco side which is an
> >     > customer asks us to add an another single address on their side
> >     > (different subnet) to the "encryption domain". So from our /24 subnet we
> >     > should be able to reach single address A and single address B over the
> >     > tunnel. I can't find anything regarding this on pfsense. Is encryption
> >     > domain Cisco only? Is this possible without adding another tunnel?
> >
> >     Just add a second phase 2 entry, this one between your /24 and their
> >     second /32. Easy as that.
> >
> > So this means that we get two tunnels, right? I don't think that is what
> > the cisco side has, hence the "encryption domain". Your solution
> > requires another tunnel on their side also doesn't it?
>
> No, one phase 1 with two phase 2's is exactly what their side has in
> this situation. It's only supported on pfSense 2.0 and newer.
>
> It's a single tunnel that has multiple sets of networks allowed to use
> the tunnel.
>
> Jim
> _______________________________________________
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list

Jim hit the nail on the head. "Encryption domain" is just network security engineer vernacular for "the groups of hosts/networks allowed to talk on a given tunnel". I think only Checkpoint uses the term officially (since they supernet everything into one bidirectional flow if I remember right), but it's a common term that people throw around with VPNs since different vendors use different methods to classify what traffic is going to go through a given tunnel on their devices.
In your case you're right, you would get two tunnels. Sort of. It's a little funky since the term "tunnel" describes a number of things that are also referred to as "tunnels".

So right now you essentially have this as your encryption domain for this tunnel:

    x.x.x.x/24 <---> y.y.y.y/32

This is a simple case. Your gear brings up a single phase 1 Security Association (or commonly "tunnel") to negotiate phase 2, then a single phase 2 Security Association (also commonly "tunnel") to pass traffic.

In the next case you'll have this configured as your "encryption domain" for this tunnel:

    x.x.x.x/24 <----> y.y.y.y/32
    x.x.x.x/24 <------> z.z.z.z/32

In this case you get a single phase 1 SA, and two phase 2 SAs. So you have a tunnel that's configured to have two tunnels riding over a tunnel.

The term "tunnel" is just used for pretty much anything VPN related by most people, and it ends up getting confusing. The way I and most of my technical peers tend to refer to it all is like this: We only use tunnel as a "meta" term. "The tunnel to such and such customer." It's used in a non-technical sense, just meaning "that thar virtual connection". Phase 1 SAs and Phase 2 SAs are referred to exactly like that, because it tends to be the most correct term, and avoids confusion when talking about "tunnels".

So to wrap all my rambling up, your "tunnel" is the whole of your connection to the other side, whatever ends up going over it. The "encryption domain" is the set of networks that are allowed to talk to each other, however your chosen software vendor chooses to classify the traffic (typically it's listed as one network/host to one other network/host at a time). Each line in your encryption domain defines one Phase 2 SA in your "tunnel".

I really hope that's clear. I do so much with this stuff every day that I sometimes lose scope of how to describe it.

-Ian
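To make the "one phase 1 SA, two phase 2 SAs" shape concrete, here is an added configuration example that is not from this thread and not pfSense's own configuration. It is written in strongSwan's swanctl.conf dialect (pfSense 2.0 itself drove racoon, so the keywords differ, but the structure is the same): one `connections` entry is the phase 1 SA to the customer gateway, and each entry under `children` is one line of the encryption domain, i.e. one phase 2 SA. All addresses, names and the PSK placeholder are constructed for the example.

```conf
# Added example (not from the mailing-list thread, not pfSense's config).
# strongSwan swanctl.conf: one IKE SA ("phase 1") with two CHILD SAs ("phase 2").
# Addresses are constructed from RFC 5737 documentation ranges and RFC 1918 space.
connections {
    customer-x {
        # Phase 1: a single IKEv1 main-mode SA to the customer's gateway.
        version      = 1
        local_addrs  = 192.0.2.1
        remote_addrs = 203.0.113.1
        proposals    = aes256-sha256-modp2048
        local {
            auth = psk
            id   = 192.0.2.1
        }
        remote {
            auth = psk
            id   = 203.0.113.1
        }

        # Phase 2: one child per encryption-domain line. Both ride on the
        # same IKE SA above; adding the second child adds no second phase 1.
        children {
            to-host-a {
                # x.x.x.x/24 <---> y.y.y.y/32
                local_ts      = 10.0.0.0/24
                remote_ts     = 198.51.100.10/32
                esp_proposals = aes256-sha256-modp2048
                start_action  = trap
            }
            to-host-b {
                # x.x.x.x/24 <---> z.z.z.z/32 (host B on a different subnet)
                local_ts      = 10.0.0.0/24
                remote_ts     = 172.16.5.9/32
                esp_proposals = aes256-sha256-modp2048
                start_action  = trap
            }
        }
    }
}

secrets {
    ike-customer-x {
        id-1   = 203.0.113.1
        secret = "REPLACE-WITH-REAL-PSK"   # placeholder, not a real key
    }
}
```

The thing to check after adding the second child is that the peer carries the mirror image of each selector pair (their /32 to your /24). A phase 2 proposal whose selectors the peer does not have configured is rejected during quick mode and shows up in the IKE log as a selector or ID mismatch, while the phase 1 SA and the other child keep working, which is exactly the symptom of "I added a line to my side of the encryption domain but not theirs". In IKEv2 vocabulary the same two levels are the IKE_SA and its CHILD_SAs.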
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list