So if I create the needed SA's, pfSense will create the routes for me?

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Monday, October 22, 2007 6:48 AM
To: [email protected]
Subject: Re: [pfSense Support] Static Route for IPSEC

On 10/22/07, Michael Richardson <[EMAIL PROTECTED]> wrote:
> Perhaps I'm seeing the issue incorrectly then. I have 2 pf boxes at
> different locations. Box A is Class C (192.168.10.0/24), Box B is Class C
> (192.168.1.0/24). A and B are connected via an IPSEC VPN tunnel, but Box B
> also has a tunnel to another VPN terminator. I want to add a static route to
> Box A to get traffic to the VPN terminator via B.
>
> Box A (pfSense) = 192.168.10.0/24
> Connects to (using IPSEC):
> Box C (pfSense) = 192.168.1.0/24
> Connects to (using IPSEC):
> Router C (unknown brand, managed) = 192.168.3.0/24
>
> I need to get traffic from the network behind Box A to Router C and I
> thought a static route would be the way, but I don't believe the LAN or WAN
> interface is appropriate because of the use of IPSEC tunnels. Am I thinking
> about this the wrong way?

Yes. Traffic can't cross the tunnel unless you have a security
association for it. You'll need to add 192.168.3.0/24 to the A->B and
B->A tunnels. You'll also need to add 192.168.10.0/24 to the B->C and
C->B tunnels. To make this work in pfSense, just create another tunnel
between A and B with the 192.168.1.0 subnet in it.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
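
The selector requirement described in the reply above, as an added example that is not part of the original thread: it checks, hop by hop and in both directions, whether a packet matches a subnet pair on each tunnel. The site names A, B, C, the exact-pair matching model and the two host addresses are assumptions made for illustration; the subnets are the ones given in the thread.

```python
import copy
import ipaddress

def covered(selectors, src, dst):
    """True if any (source net, destination net) pair matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in selectors)

def blocked_hops(tunnels, path, src, dst):
    """List the directed hops, outbound then return, with no matching pair."""
    missing = []
    for hops, s, d in ((path, src, dst), (path[::-1], dst, src)):
        for hop in zip(hops, hops[1:]):
            if not covered(tunnels.get(hop, []), s, d):
                missing.append(hop)
    return missing

def add_pair(tunnels, x, y, net_x, net_y):
    """Add one subnet pair to the x->y tunnel and its mirror to y->x."""
    tunnels.setdefault((x, y), []).append((net_x, net_y))
    tunnels.setdefault((y, x), []).append((net_y, net_x))

NET_A, NET_B, NET_C = "192.168.10.0/24", "192.168.1.0/24", "192.168.3.0/24"

# Original layout from the thread: each tunnel carries only its two end LANs.
BEFORE = {}
add_pair(BEFORE, "A", "B", NET_A, NET_B)
add_pair(BEFORE, "B", "C", NET_B, NET_C)

# After the change: the A-side LAN / C-side LAN pair is added on both tunnels.
AFTER = copy.deepcopy(BEFORE)
add_pair(AFTER, "A", "B", NET_A, NET_C)
add_pair(AFTER, "B", "C", NET_A, NET_C)

if __name__ == "__main__":
    flow = ("192.168.10.5", "192.168.3.7")  # constructed sample hosts
    print("before:", blocked_hops(BEFORE, ["A", "B", "C"], *flow))
    print("after: ", blocked_hops(AFTER, ["A", "B", "C"], *flow))
```

With the original pairs every hop rejects the flow in both directions; a static route on A would not change that, because the packet never matches a pair on the A->B tunnel.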
