I had to do the exact same thing. I have a pfsense box at home and a test pfsense box at work. (great work btw folks, love pfsense) I have 6 different subnets and had to build a tunnel for each one. I wish there was a way to build one tunnel and then just add static routes to the various subnets. (I don't have static IPs at home so every once in a while I need to change the IP on the tunnels)

I worked with Checkpoint FW-1 a few years ago (on Solaris) and had to add the routes to various subnets at the Solaris command line and then add the routes via the gui. Actually had a script that would add the routes in the event of a reboot of the firewall. I wonder if pfsense could work this way?

On 3/28/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
I'm not sure if pfSense can route over IPSEC (haven't tested that) but in case it can't do that here is another way that will work (I have m0n0s running with that kind of setup):

You have to create 2 parallel tunnels.

The problem is that both tunnels are terminated between the same public IPs. To get the traffic of both tunnels separated you must use a different identifier for each tunnel. Create preshared keys at both ends for both tunnels and use the unique identifiers for both tunnels. Otherwise the traffic will get mixed up.

Tunnel definitions:
local subnet 192.168.1.x <-> remote subnet 192.168.19.x, identifier "to.lan.local" secret "secret1"
local subnet 192.168.1.x <-> remote subnet 10.0.0.x, identifier "to.dmz.local" secret "secret2"

I even use this kind of setup to route from location1 to location3 via location2 with no direct link between location1 and location3. You can combine this with static routes at the pfSense where the traffic leaves the tunnel if needed btw to reach subnets via another gateway.

Holger

> -----Original Message-----
> From: Jason J Ellingson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 29, 2006 12:09 AM
> To: support@pfsense.com
> Subject: [pfSense Support] Static routes over IPSec
>
>
> I guess I'm encountering a mental block on how to do this...
> Can anyone
> help?
>
> I have two pfSense boxes in different locations (and obviously on the
> Internet).
>
> I have a LAN to LAN IPSec between them.
> 192.168.1.x <-> 192.168.19.x
>
> The far pfSense box also has a DMZ/OPT1 network:
> 10.0.0.x
>
> Is there a way to have traffic from my 192.168.1.x network go
> over the IPSec
> tunnel to talk to the 10.0.0.x network?
>
> Perhaps I need to look at establishing a second IPSec tunnel?
> 192.168.1.x <-> 10.0.0.x
>
> I have tried setting up a static route on the local box
> (192.168.1.x) that
> points 10.0.0.x traffic to gateway of 192.168.1.1 (remote LAN
> gateway), but
> that didn't seem to work.
>
> Thanks all!
>
> - Jason
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>







--
"got root?"
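As an added illustration of Holger's point about two parallel tunnels between the same public peers (example code written for this thread, not from pfSense or any poster): the table below mirrors his two phase-2 definitions, one function flags tunnels between the same peers that reuse an identifier or preshared key, and another shows which tunnel a packet would be placed in, so that Jason's single-tunnel case yields no match for 10.0.0.x. The public peer addresses 203.0.113.10 and 198.51.100.20 are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed tunnel table modelled on the two parallel tunnels in the thread
# (hypothetical data, not an export of a real pfSense configuration).
TUNNELS = [
    {"name": "lan", "local": "192.168.1.0/24", "remote": "192.168.19.0/24",
     "peers": ("203.0.113.10", "198.51.100.20"),
     "identifier": "to.lan.local", "secret": "secret1"},
    {"name": "dmz", "local": "192.168.1.0/24", "remote": "10.0.0.0/24",
     "peers": ("203.0.113.10", "198.51.100.20"),
     "identifier": "to.dmz.local", "secret": "secret2"},
]


def check_identifiers(tunnels):
    """Return a list of problems: tunnels between the same public peers that
    share an identifier or a preshared key cannot be told apart by the peer."""
    by_id = defaultdict(list)
    by_psk = defaultdict(list)
    for t in tunnels:
        by_id[(t["peers"], t["identifier"])].append(t["name"])
        by_psk[(t["peers"], t["secret"])].append(t["name"])
    problems = []
    for (peers, ident), names in by_id.items():
        if len(names) > 1:
            problems.append(f"identifier {ident!r} reused by {names} between {peers}")
    for (peers, _secret), names in by_psk.items():
        if len(names) > 1:
            problems.append(f"preshared key reused by {names} between {peers}")
    return problems


def select_tunnel(tunnels, src, dst):
    """Pick the tunnel whose local/remote subnets cover src and dst (the most
    specific remote subnet wins); None means the traffic has no tunnel."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for t in tunnels:
        local = ipaddress.ip_network(t["local"])
        remote = ipaddress.ip_network(t["remote"])
        if src_ip in local and dst_ip in remote:
            if best is None or remote.prefixlen > ipaddress.ip_network(best["remote"]).prefixlen:
                best = t
    return best["name"] if best else None


if __name__ == "__main__":
    print(check_identifiers(TUNNELS))
    print(select_tunnel(TUNNELS, "192.168.1.50", "10.0.0.7"))
```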
