Interesting .... I have tried opening up the IPsec policy to ANY <> ANY on
both the pfS1/2 boxes.  I still see the traceroute (ICMP) packets heading to
INET from NET1 when tracing to a NET4 address.

Maybe a combo of IPsec policies and static routes???  Not quite sure; I'm not
having any luck trying different combinations of configs.
 
--
 --> David L. Strout
 --> ENGINEERING SYSTEMS PLUS, LLC
 --> [EMAIL PROTECTED]
--
 
-----Original Message-----
From: Matthew Grooms [mailto:[EMAIL PROTECTED] 
Sent: Saturday, July 07, 2007 2:30 AM
To: [email protected]
Subject: Re: [pfSense Support] routing over IPsec tunnel

David Strout wrote:
> I have a need to set up the following topology at
> several locations connected via VPN tunnels.
> 
> NET1--RTR1--NET2--pfS1--{INET}--pfS2--NET3--RTR2--NET4
>                   >--IPsec TUNNEL--< 
> 
> NET1=10.10.10.0/24
> NET2=192.168.100.0/24
> NET3=192.168.200.0/24
> NET4=10.10.20.0/24
> 
> I have a VPN tunnel nailed up between the two pfS
> boxes w/ NET2 & NET3 on the "LAN" side. The pfS1
> box has a static route to NET1 via RTR1 and pfS2
> has a static route to NET4 via RTR2.  The
> "default" route on NET1 & NET4 is RTR1 & RTR2
> respectively and RTR1 has a next hop of pfS1 and
> RTR2's next hop is pfS2.  So now that you have
> your mind wrapped around that .... here's the
> problem.
> 
> In order for NET1 hosts to reach NET3/4 hosts ....
> "OR" NET4 hosts to reach NET1/2 hosts I am
> assuming there has to be some static routes on the
> pfS boxes.
> 
> I added the following static route on pfS1:
> 10.10.20.0/24{NET4} > 192.168.200.254{RTR2s NET3
> IP}
> 
> I added the following static route on pfS2:
> 10.10.10.0/24{NET1} > 192.168.100.254{RTR1s NET2
> IP}
> 
> My assumption is that pfS1 knows about NET3 and
> pfS2 knows about NET2 via the tunnel.  The problem
> is that when I traceroute from a host on NET1 to a
> host on NET4 pfS1 forwards the packets to the
> internet instead of sending them through the
> tunnel (and vice-versa from NET4 to NET1 pfS2
> forwards the packets to the internet instead of
> through the tunnel).  I even added routes to the
> RTR1/2 for the respective networks as well just to
> test with and still no go.  I must be missing
> something simple here as I know that this can be
> done as this is just packet routing.  Maybe I
> haven't had enough coffee yet.
> 
> Any thoughts are greatly appreciated!!!
> 

Static routes won't get you there. Think of IPSEC policies as an 
alternate end-to-end routing table that is used to determine what 
traffic will be tunneled to a distant peer. You will need to define 
separate policies to process traffic between multiple local and distant 
private networks.

In other words, the following policies would be required for your setup ...

NET1 <-> NET3
NET3 <-> NET1

NET1 <-> NET4
NET4 <-> NET1

NET2 <-> NET3
NET3 <-> NET2

NET2 <-> NET4
NET4 <-> NET2

-Matthew

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

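The point Matthew makes (the IPsec security policy database, not the routing table, decides what gets tunnelled, so every local/remote subnet pair needs its own policy) can be checked with a small model of what pfS1 does with a packet. The following is an added example written for this page, not code from the thread or from pfSense. It uses the four prefixes and the two router addresses from David's mail; the lookup functions and the rule that a policy match wins over the routing table are a simplified model of policy-based IPsec on a FreeBSD-style gateway, and the `demo()` scenario names are mine.

```python
import ipaddress
from itertools import product

# Topology from the thread (prefixes and router addresses are the ones in the mail).
NET1 = ipaddress.ip_network("10.10.10.0/24")      # behind RTR1, pfS1 side
NET2 = ipaddress.ip_network("192.168.100.0/24")   # pfS1 LAN
NET3 = ipaddress.ip_network("192.168.200.0/24")   # pfS2 LAN
NET4 = ipaddress.ip_network("10.10.20.0/24")      # behind RTR2, pfS2 side
RTR1 = ipaddress.ip_address("192.168.100.254")    # RTR1's NET2 address
RTR2 = ipaddress.ip_address("192.168.200.254")    # RTR2's NET3 address


def build_policies(local_nets, remote_nets):
    """Every (local, remote) pair needs its own policy, in both directions.
    This is the cartesian product Matthew lists by hand for 2x2 networks."""
    spd = []
    for local, remote in product(local_nets, remote_nets):
        spd.append((local, remote))   # our outbound policy
        spd.append((remote, local))   # the peer's outbound, our inbound
    return spd


def lookup_route(dst, routes, connected):
    """Longest-prefix match. Returns the exit: a directly connected network,
    or 'INET' for the default route out of the WAN."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "INET"
    net, gw = best
    if gw is None:
        return str(net)              # directly connected
    for c in connected:
        if gw in c:
            return str(c)            # gateway is on-link
    # Gateway is on no connected network. FreeBSD refuses to install such a
    # route; modelled here as resolving the gateway itself, which for pfS1
    # has no matching route and therefore ends at the default route.
    return lookup_route(gw, [r for r in routes if r[0] != net], connected)


def forward(src, dst, spd, routes, connected):
    """Policy-based IPsec (simplified): an SPD match tunnels the packet no
    matter what the routing table says about the inner destination; only
    traffic no policy claims is forwarded by the routing table alone."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in spd:
        if src in local and dst in remote:
            return f"TUNNEL {local} -> {remote}"
    return lookup_route(dst, routes, connected)


# pfS1 as David configured it: NET2 connected, static route to NET1 via RTR1
# (on-link) and to NET4 via RTR2's NET3 address (not on-link from pfS1).
PFS1_CONNECTED = [NET2]
PFS1_ROUTES = [(NET2, None), (NET1, RTR1), (NET4, RTR2)]


def demo():
    """NET1 host tracing to a NET4 host, before and after adding the policies."""
    results = {}
    # Only the LAN-to-LAN policy, as in the tunnel David first nailed up.
    lan_only = build_policies([NET2], [NET3])
    results["lan_only"] = forward("10.10.10.5", "10.10.20.7",
                                  lan_only, PFS1_ROUTES, PFS1_CONNECTED)
    # All local/remote pairs, as Matthew recommends.
    full = build_policies([NET1, NET2], [NET3, NET4])
    results["full"] = forward("10.10.10.5", "10.10.20.7",
                              full, PFS1_ROUTES, PFS1_CONNECTED)
    results["n_policies"] = len(full)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With only the NET2 <-> NET3 policy the NET1 -> NET4 packet matches nothing in the SPD and follows the default route to INET, which is exactly what David sees in his traceroute; the static route to NET4 changes nothing because its gateway is on the far side of the tunnel. With all four pairs (eight one-way policies) the same packet matches NET1 -> NET4 and is tunnelled. On pfSense each pair is configured as its own IPsec tunnel entry with that local and remote subnet; the static routes on pfS1/pfS2 are still needed, but only so the decrypted return traffic finds RTR1 and RTR2.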