doh, great explanation Holger...I totally forgot about the security association issue ;)
--Bill

On 6/7/06, Holger Bauer <[EMAIL PROTECTED]> wrote:

You need parallel tunnels for both connections to work (explanation why at the bottom):

At remote Site 1:
  Tunnel1 to corefirewall:
    local subnet:  LAN
    remote subnet: LAN subnet of Corefirewall
  Tunnel2 to corefirewall:
    local subnet:  LAN
    remote subnet: LAN of Remote Site 2 (!)
-----------------------------------------------
Same for remote Site 2:
  Tunnel1 to corefirewall:
    local subnet:  LAN
    remote subnet: LAN subnet of Corefirewall
  Tunnel2 to corefirewall:
    local subnet:  LAN
    remote subnet: LAN of Remote Site 1 (!)
------------------------------------------------
Corefirewall:
  Tunnel1 to remote Site 1:
    local subnet:  LAN
    remote subnet: LAN subnet of remote Site 1
  Tunnel2 to remote Site 1:
    local subnet:  LAN of remote Site 2 (!)
    remote subnet: LAN of Remote Site 1
  Tunnel3 to remote Site 2:
    local subnet:  LAN
    remote subnet: LAN subnet of remote Site 2
  Tunnel4 to remote Site 2:
    local subnet:  LAN of remote Site 1 (!)
    remote subnet: LAN of remote Site 2
------------------------------------------------

To be able to divide the parallel tunnels, as they run between the same public IPs, you need to work with unique identifiers for the tunnels. Create a set of preshared keys for the tunnels.

Btw, this doesn't work for a mobile client setup as you can't set more than one local subnet at the static end.

So why is it complicated like this? Traffic with destination to remote site 2 doesn't match the tunnel definition you have between remote site 1 and corefirewall, so the traffic won't be encapsulated into the tunnel but goes out your real WAN. Static routes can't fix this.

Will this change in an upcoming version of pfSense? I hope so, but for version 1.0 it has to be done this way.

Holger

> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2006 7:56 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IPSEC Firewall Rules
>
> Not sure that we enable tunnel to tunnel routing. Not sure if there's
> an option either, but that's what I'd look for.
>
> --Bill
>
> On 6/7/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > I have a setup as follows:
> >
> >           Core-Firewall
> >             -       -
> >            -         -
> >           -           -
> >   Remote-Site-1     Remote-Site-2
> >
> > From the Core I can ping both remote sites, no problems. But I cannot get
> > traffic (ICMP or TCP/UDP) from remote-site-2 to remote-site-1. All 3
> > firewalls have the default LAN rules as allow all from LAN subnet to all
> > others. On the Core firewall, I also added a rule where the source subnet
> > is allowed to all other subnets.
> >
> > Any clue what causes this, something else that I am missing?
> >
> > Any help would be great.
> >
> > Thanks!
> > Brad
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
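A small illustration of the selector problem Holger describes, added here as an example; it is neither pfSense code nor anything posted in the thread. IPsec phase-2 policies are matched on a (local subnet, remote subnet) pair before ordinary routing is consulted, so a packet that fits no pair is sent out the WAN in the clear rather than being encapsulated. The subnet values below are constructed placeholders (core LAN 10.0.0.0/24, site 1 LAN 10.0.1.0/24, site 2 LAN 10.0.2.0/24), and the tunnel names are assumptions that follow the numbering in Holger's list.

```python
"""Simulated IPsec phase-2 (SPD) selector lookup for a hub with two spokes.

Added example, not pfSense code. Subnets are constructed placeholders:
  core LAN    10.0.0.0/24
  site 1 LAN  10.0.1.0/24
  site 2 LAN  10.0.2.0/24
"""
from ipaddress import ip_address, ip_network

CORE_LAN = ip_network("10.0.0.0/24")
SITE1_LAN = ip_network("10.0.1.0/24")
SITE2_LAN = ip_network("10.0.2.0/24")

# Each SPD entry: (tunnel name, local selector, remote selector).

# Remote Site 1 with only the single hub tunnel (the original setup).
SITE1_SINGLE = [
    ("tunnel1-to-core", SITE1_LAN, CORE_LAN),
]

# Remote Site 1 with the parallel tunnel Holger adds (Tunnel2, remote = site 2 LAN).
SITE1_PARALLEL = SITE1_SINGLE + [
    ("tunnel2-to-core", SITE1_LAN, SITE2_LAN),
]

# The hub with only its two plain hub-to-spoke tunnels.
CORE_SINGLE = [
    ("tunnel1-to-site1", CORE_LAN, SITE1_LAN),
    ("tunnel3-to-site2", CORE_LAN, SITE2_LAN),
]

# The hub with the two extra entries whose *local* side is the other spoke's LAN.
CORE_PARALLEL = CORE_SINGLE + [
    ("tunnel2-to-site1", SITE2_LAN, SITE1_LAN),
    ("tunnel4-to-site2", SITE1_LAN, SITE2_LAN),
]


def lookup(spd, src, dst):
    """Return the first phase-2 entry whose local/remote pair covers the packet.

    None means no security association applies: the packet is handed to
    normal routing and leaves the WAN unencapsulated. A static route toward
    the remote LAN does not change this, because the SPD check comes first.
    """
    s, d = ip_address(src), ip_address(dst)
    for name, local, remote in spd:
        if s in local and d in remote:
            return name
    return None


def leaked_flows(spd, flows):
    """Flows from `flows` (src, dst pairs) that this SPD would send in the clear."""
    return [(s, d) for s, d in flows if lookup(spd, s, d) is None]


# Constructed sample flows: site 1 host -> site 2 host, and the reply.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20"),
    ("10.0.2.20", "10.0.1.10"),
]

if __name__ == "__main__":
    for label, spd in (("site1 single", SITE1_SINGLE), ("site1 parallel", SITE1_PARALLEL),
                       ("core single", CORE_SINGLE), ("core parallel", CORE_PARALLEL)):
        for src, dst in SAMPLE_FLOWS:
            hit = lookup(spd, src, dst)
            print(f"{label:15} {src} -> {dst}: "
                  f"{'encapsulated via ' + hit if hit else 'PLAINTEXT out WAN (no SA)'}")
```

Running it shows the spoke-to-spoke flow falling through every single-tunnel SPD and being matched only once the parallel entries exist; on the hub it is the entry with the other spoke's LAN as the local subnet that catches the transit traffic, which is exactly why Holger marks those lines with "(!)". The defender-side takeaway is that a missing phase-2 selector does not produce a routing failure you would notice, it produces cleartext on the WAN, so it is worth checking packet captures on the WAN interface when inter-site traffic "just doesn't arrive".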