Right,
That is what I figured; someone had mentioned that as an option and it
didn't sound like that was the direction you were going. Thanks for that,
let me throw some cycles at this today and get back with you.
-W
-
Wade Blackwell
"Integrity is often more painful and always more profitable than
perception management"
On Wed, 2007-12-19 at 09:53 +0100, Tim Korves wrote:
>
> Hi Wade,
>
> I'm not using static routes, just allowing the HQ's pfSense to forward
> all traffic on the IPSec interfaces... Meshing would be too complex due
> to dynamic IPs at each branch.
>
> Tim
>
> Wade Blackwell schrieb:
> > Good morning Tim,
> > So to be clear (I read some of the other replies) you desire a hub and
> > spoke, not a full mesh, because a full mesh with very specific prefixes
> > in the IPsec config resolves the routing issues. So hub-n-spoke deploy
> > with HQ as hub? Are you doing any static routing with regard to the
> > tunnels or just allowing the kernel to route over the ENC0 interface as
> > directly connected? Thanks Tim.
> >
> > -W
> > -
> > Wade Blackwell
> >
> > "Integrity is often more painful and always more profitable than
> > perception management"
> >
> >
> > On Tue, 2007-12-18 at 08:19 +0100, Tim Korves wrote:
> > Hey Wade, hey all,
> >
> > Subnets are:
> >
> > HQ: 212.14.xx.64/26
> > Branch 1: 10.3.3.0/28
> > Branch 2: 10.3.3.16/28
> > Branch 3: 10.3.3.32/28
> >
> > E.g. at Branch 1 I've added a static route for 10.3.3.0/28 via
> > 212.14.xx.65 . At the HQ's pfSense, all traffic from and to IPSec is
> > permitted by only one rule.
> >
> > As others said, I should mesh all branches together; that wouldn't be
> > so easy. Only the HQ has a static IP on its WAN interface, all
> > the Branches don't have a static IP on WAN.
> >
> > Regards, Tim
> >
> > Wade Blackwell schrieb:
> >>>> Hey Tim, good evening,
> >>>> Can you add in some hypothetical subnetting with prefixes that
> >>>> match the real thing? I know there is weirdness with how IPsec was
> >>>> shoved into the PF stack but if the source/dest IPsec proxies are
> >>>> correct the hub IPsec box should re-encrypt and send seeing the
> >>>> destination networks as directly connected through the ENC0 interface
> >>>> (PF team jump in if I am mis-speaking).
> >>>>
> >>>> Wade B
> >>>>
> >>>> On Dec 16, 2007 6:14 AM, Tim Korves <[EMAIL PROTECTED]> wrote:
> >>>> Hi there,
> >>>>
> >>>> I'm facing problems while routing traffic through an IPSec tunnel.
> >>>>
> >>>> This is my configuration:
> >>>>
> >>>> Branch 1 ---- pfSense IPSec server (HQ) ---- Branch 2
> >>>>                           |
> >>>>                           |
> >>>>                       Branch 3
> >>>>
> >>>> All branches are running pfsense. All branches are able to "talk" to the
> >>>> HQ. But the communication between the branches is not possible. I
> >>>> created static routes on each branch pfsense which point to the other
> >>>> branches' subnet via the HQ. But instead of using the tunnel to route
> >>>> the packets, the branch routers are trying to use their PPPoE connection,
> >>>> which fails on their ISP's first router (what a wonder ;-))... Does anyone
> >>>> have an idea how to realize this? Firewall rules permit all traffic via the
> >>>> IPSec tunnels. Nothing's blocked.
> >>>>
> >>>> Regards, Tim
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
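
Added example, written for this thread and not code from any of the posters or from pfSense: a small Python model of the policy-based IPsec behaviour Wade describes, where the SPD selectors (Phase 2 / proxy IDs) are checked against the packet's own source and destination before any route is consulted, so a spoke's static route via HQ never pushes branch-to-branch traffic into the tunnel unless a selector covers it. The branch subnets are the ones Tim posted; 203.0.113.64/26 is a constructed stand-in for the redacted HQ prefix 212.14.xx.64/26, and the interface and host addresses are assumed.

```python
from ipaddress import ip_network, ip_address
from itertools import permutations

# Constructed stand-in for the thread's redacted HQ prefix 212.14.xx.64/26.
HQ = ip_network("203.0.113.64/26")
BRANCH = {1: ip_network("10.3.3.0/28"),
          2: ip_network("10.3.3.16/28"),
          3: ip_network("10.3.3.32/28")}
SPOKES = ip_network("10.3.3.0/26")  # one supernet covering all three branch /28s

def select_path(src, dst, spd, routes):
    """Policy-based IPsec: the SPD is matched on the packet's own src/dst first.
    No matching selector -> plain longest-prefix routing, i.e. cleartext."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in spd:
        if s in local and d in remote:
            return f"ipsec:{remote}"
    for net, iface in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if d in net:
            return iface
    return "unreachable"

def branch1_paths(spd):
    # Branch 1's table: static route for Branch 2 via HQ's gateway plus the PPPoE
    # default. That gateway is itself only reachable through the default route,
    # so the static route resolves to the PPPoE interface as well (assumed).
    routes = [(BRANCH[2], "pppoe0"), (ip_network("0.0.0.0/0"), "pppoe0")]
    return {"to_hq": select_path("10.3.3.1", "203.0.113.70", spd, routes),
            "to_branch2": select_path("10.3.3.1", "10.3.3.17", spd, routes)}

def hub_reencrypts_all(hq_spd):
    """Hub check: for every ordered spoke pair (i, j) HQ needs a selector whose
    local side covers spoke i and whose remote side covers spoke j; otherwise
    traffic decrypted from i is not re-encrypted toward j."""
    return all(any(BRANCH[i].subnet_of(local) and BRANCH[j].subnet_of(remote)
                   for local, remote in hq_spd)
               for i, j in permutations(BRANCH, 2))

# Phase 2 as described in the thread: Branch 1 LAN <-> HQ LAN only.
NARROW_SPD = [(BRANCH[1], HQ)]
# Hub-and-spoke fix: the spoke's Phase 2 also covers the other spokes' subnets.
WIDE_SPD = [(BRANCH[1], HQ), (BRANCH[1], SPOKES)]
# Mirror image at HQ: one entry per spoke, local side = HQ LAN plus all spokes.
HQ_NARROW = [(HQ, BRANCH[i]) for i in BRANCH]
HQ_WIDE = HQ_NARROW + [(SPOKES, BRANCH[i]) for i in BRANCH]

if __name__ == "__main__":
    print(branch1_paths(NARROW_SPD))   # to_branch2 leaves in cleartext via pppoe0
    print(branch1_paths(WIDE_SPD))     # to_branch2 now matches the tunnel selector
    print(hub_reencrypts_all(HQ_NARROW), hub_reencrypts_all(HQ_WIDE))
```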