It's planned to have a helper daemon for 1.1 to reconfigure tunnels with 
dynamic endpoints at both sides when IPs change. However this will only be 
working if both tunnel ends are terminated by a pfSense (and it's something 
that is not even started yet, just something that was already discussed). 
For the routing part I agree that it would be much nicer to just work with 
static routes and if there is any way to implement this it would make life a 
lot easier.

Holger

-----Original Message-----
From: Jeff Quinonez [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 30, 2006 1:41 AM
To: [email protected]
Subject: Re: [pfSense Support] Static routes over IPSec


I had to do the exact same thing. I have a pfSense box at home and a test 
pfSense box at work. (great work btw folks, love pfSense) I have 6 different 
subnets and had to build a tunnel for each one. I wish there was a way to build 
one tunnel and then just add static routes to the various subnets. (I don't 
have static IPs at home so every once in a while I need to change the IP on 
the tunnels) 

I worked with Checkpoint FW-1 a few years ago (on Solaris) and had to add the 
routes to various subnets at the Solaris command line and then add the routes 
via the gui. Actually had a script that would add the routes in the event of a 
reboot of the firewall. I wonder if pfsense could work this way? 


On 3/28/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
I'm not sure if pfSense can route over IPSEC (haven't tested that) but in case 
it can't do that here is another way that will work (I have m0n0s running with 
that kind of setup):

You have to create 2 parallel tunnels. 

The problem is that both tunnels are terminated between the same public IPs. To 
get the traffic of both tunnels separated you must use a different identifier 
for each tunnel. Create preshared keys at both ends for both tunnels and use 
the unique identifiers for both tunnels. Otherwise the traffic will get mixed 
up. 

Tunnel definitions:
local subnet 192.168.1.x <-> remote subnet 192.168.19.x, identifier 
"to.lan.local" secret "secret1"
local subnet 192.168.1.x <-> remote subnet 10.0.0.x, identifier "to.dmz.local" 
secret "secret2"

I even use this kind of setup to route from location1 to location3 via 
location2 with no direct link between location1 and location3. You can combine 
this with static routes at the pfSense where the traffic leaves the tunnel if 
needed btw to reach subnets via another gateway. 

Holger

> -----Original Message-----
> From: Jason J Ellingson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 29, 2006 12:09 AM
> To: [email protected]
> Subject: [pfSense Support] Static routes over IPSec
>
>
> I guess I'm encountering a mental block on how to do this...
> Can anyone
> help?
>
> I have two pfSense boxes in different locations (and obviously on the 
> Internet).
>
> I have a LAN to LAN IPSec between them.
> 192.168.1.x <-> 192.168.19.x
>
> The far pfSense box also has a DMZ/OPT1 network:
> 10.0.0.x
>
> Is there a way to have traffic from my 192.168.1.x network go
> over the IPSec
> tunnel to talk to the 10.0.0.x network?
>
> Perhaps I need to look at establishing a second IPSec tunnel?
> 192.168.1.x <-> 10.0.0.x
>
> I have tried setting up a static route on the local box
> (192.168.1.x) that
> points 10.0.0.x traffic to gateway of 192.168.1.1 (remote LAN
> gateway), but
> that didn't seem to work. 
>
> Thanks all!
>
> - Jason
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

____________
Virus checked by G DATA AntiVirusKit 


-- 
"got root?" 

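As an added illustration (not code from the thread or from pfSense): a small Python model of why the static route in Jason's message cannot pull 10.0.0.x traffic into a policy-based IPsec tunnel whose selectors only cover 192.168.19.x, and why Holger's second parallel tunnel with its own identifier does. It is a simplified model of a policy-based SPD; the subnets and identifiers are the ones from the thread, while the gateway label "wan-gw" and the sample packet are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    """One policy-based IPsec tunnel: its traffic selectors plus the IKE
    identifier that keeps it apart from other tunnels between the same
    two public IPs (each identifier pairs with its own pre-shared key)."""
    local: str
    remote: str
    identifier: str

def select_tunnel(spd, src, dst):
    """Security policy lookup: the first tunnel whose selectors cover the
    (src, dst) pair protects the packet; None means it leaves in clear text."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in spd:
        if s in ipaddress.ip_network(t.local) and d in ipaddress.ip_network(t.remote):
            return t
    return None

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs. The routing table
    is consulted independently of the SPD and cannot create a tunnel match."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def identifiers_unique(spd):
    """Holger's caveat: parallel tunnels between the same endpoints must not
    share an identifier, or the peer cannot tell which PSK/tunnel is meant."""
    ids = [t.identifier for t in spd]
    return len(ids) == len(set(ids))

# Jason's setup: one LAN-to-LAN tunnel and a static route for the DMZ.
# "wan-gw" is a placeholder label for the default gateway, not from the thread.
ONE_TUNNEL = [Tunnel("192.168.1.0/24", "192.168.19.0/24", "to.lan.local")]
ROUTES = [("0.0.0.0/0", "wan-gw"), ("10.0.0.0/24", "192.168.1.1")]

# Holger's workaround: a second, parallel tunnel with its own identifier.
TWO_TUNNELS = ONE_TUNNEL + [Tunnel("192.168.1.0/24", "10.0.0.0/24", "to.dmz.local")]

if __name__ == "__main__":
    pkt = ("192.168.1.50", "10.0.0.5")  # constructed sample LAN -> DMZ packet
    print("route says:", route_lookup(ROUTES, pkt[1]))                # 192.168.1.1
    print("one tunnel:", select_tunnel(ONE_TUNNEL, *pkt))             # None -> clear text
    print("two tunnels:", select_tunnel(TWO_TUNNELS, *pkt).identifier)  # to.dmz.local
```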