You need parallel tunnels for this to work. Unfortunately, routing across a
tunnel doesn't work (yet).
Example:
LAN1-------pfSense1-----(Internet)---------pfSense2-----------LAN2-------ROUTER------LAN3
You have to use different identifiers at both ends for the tunnels as both
tunnels are established between the same public IPs so the traffic of the
tunnels doesn't mix up.
At pfSense1:
create one preshared key like identifier "[EMAIL PROTECTED]" with secret "lan2"
(this is for the "unrouted" tunnel)
create one preshared key like identifier "[EMAIL PROTECTED]" with secret "lan3"
(this is for the "routing to next hop" tunnel)
At pfSense2 create the same keys.
Now create the tunnels:
The first tunnel is simple as it is for the directly connected LAN-segments at
both pfSenses (LAN1 and LAN2). Create it just like you usually would do but use
the "[EMAIL PROTECTED]" identifier and secret at both ends.
The second tunnel works like this:
At pfSense1 (only special settings mentioned that are different from the other
tunnel):
local subnet: lan subnet
remote subnet: LAN3/subnetmask
identifier and secret of "[EMAIL PROTECTED]"
At pfSense2:
local subnet: LAN3/subnetmask <---- !!!
remote subnet: LAN1/subnetmask
identifier and secret of "[EMAIL PROTECTED]"
In addition to this you need a static route at pfSense2 pointing towards LAN3
via gateway ROUTER.
(and of course you need a route at ROUTER pointing to LAN1 via pfSense2)
Btw, it works the same way for this scenario without the route:
LAN1-------pfSense1------(VPN1)-----pfSense2------(VPN2)-------pfSense3----LAN3
Note that pfSense1 and pfSense3 don't have a direct tunnel but are "routing"
across pfSense2.
It's not a nice way to set it up but it is working (I'm using it at some
locations). However, this will only work if all nodes involved have static
public IPs as you won't be able to create the parallel tunnels if one node
joins as a mobile client.
Holger
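As an added illustration (not part of Holger's post or of pfSense itself), the following Python model follows one packet from LAN1 through the two parallel policy-based tunnels described above. The addresses, the identifier names "lan2-id"/"lan3-id" and the hostnames are constructed placeholders; the point it shows is why the second tunnel's local subnet at pfSense2 must be LAN3: a decrypted packet that matches no local/remote selector pair is dropped before any static route is consulted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; the post only uses the symbolic names LAN1/LAN2/LAN3.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
LAN2 = ipaddress.ip_network("192.168.2.0/24")
LAN3 = ipaddress.ip_network("192.168.3.0/24")

@dataclass
class Phase2:
    ident: str                       # identifier keeping the parallel tunnels apart
    local: ipaddress.IPv4Network     # "local subnet" of the phase-2 entry
    remote: ipaddress.IPv4Network    # "remote subnet" of the phase-2 entry

def outbound_tunnel(policies, src, dst):
    """Policy-based IPsec: the first entry whose selectors match wins."""
    for p in policies:
        if src in p.local and dst in p.remote:
            return p.ident
    return None  # no policy: the packet leaves in clear via the default gateway

def inbound_accepted(policies, src, dst):
    """A decrypted packet must match the mirrored selectors or it is dropped."""
    return any(src in p.remote and dst in p.local for p in policies)

def next_hop(routes, dst):
    """Static routing table of pfSense2 (longest-match not needed for this toy)."""
    for net, gw in routes:
        if dst in net:
            return gw
    return "default"

pfsense1 = [Phase2("lan2-id", LAN1, LAN2), Phase2("lan3-id", LAN1, LAN3)]
# Correct pfSense2 side: the second entry uses LAN3 as *local* subnet.
pfsense2_ok = [Phase2("lan2-id", LAN2, LAN1), Phase2("lan3-id", LAN3, LAN1)]
# Mistaken pfSense2 side: local subnet left at the directly connected LAN2.
pfsense2_wrong = [Phase2("lan2-id", LAN2, LAN1), Phase2("lan3-id", LAN2, LAN1)]
pfsense2_routes = [(LAN3, "ROUTER"), (LAN2, "direct")]   # static route to LAN3 via ROUTER

def trace(pf2_policies, src, dst):
    """Return (tunnel used at pfSense1, outcome at pfSense2) for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tunnel = outbound_tunnel(pfsense1, src, dst)
    if tunnel is None:
        return ("cleartext", "default")
    if not inbound_accepted(pf2_policies, src, dst):
        return (tunnel, "dropped")
    return (tunnel, next_hop(pfsense2_routes, dst))
```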
-----Original Message-----
From: Wesley K. Joyce [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 04, 2006 10:51 AM
To: [email protected]
Subject: [pfSense Support] Site to Site VPN
This is probably basic stuff, but I have never set up a site to site VPN.
Is it possible to create a Site to Site VPN tunnel using pfsense that also
supports routing so that it will send packets through the VPN if the
destination is at the other site, or to the default gateway if the destination
is not at the other site?