
I have two networks with the 10.0.0.0/8 subnet I'm trying to connect via IPSec tunnels. I have the phase 1 configurations working but am a bit stuck on the phase 2 configurations. Each firewall used is running pfSense. There are two primary cases I'd like to configure these for:

Case 1:
A /32 virtual NAT address exposing a network to another network.

Network A:
Firewall 0: 10.1.1.1/8
Subnet to NAT: 10.9.9.0/24

Network B:
Firewall 1: 10.1.1.1/8 (passthrough to Firewall 2)
Firewall 2: 10.27.1.1/16 (manages Network B IPSec tunnel)
Exposed NAT address on Network B: 10.27.254.9/32

Such that Network A is exposed to Network B more or less like plugging a firewall into the WAN address 10.27.254.9/32 containing the LAN subnet 10.9.9.0/24 with NAT rules managed by Firewall 0.

Case 2:
A /24 subnet to access two networks each way in the following manner.

Network A:
Firewall 0: 10.1.1.1/8
Subnet to Translate: 10.31.1.0/24
Translation on Network B: 10.254.31.0/24

Network B:
Firewall 1: 10.1.1.1/8 (passthrough to Firewall 2)
Firewall 2: 10.58.1.1/16 (manages Network B IPSec tunnel)
Subnet to Translate: 10.58.1.0/24
Translation on Network A: 10.254.58.0/24

Such that from Network A I could ping 10.254.58.72 and reach 10.58.1.72 on Network B and similarly ping 10.254.31.81 from Network B and reach 10.31.1.81 on Network A. If this isn't possible due to the /16 limitation on Firewall 2 I could move the IPSec phase 1 and phase 2 configurations for this one to Firewall 1 (though the preference would be to have the 10.254.31.0/24 translated subnet be visible only from within the 10.58.0.0/16 subnet on Network B).

Any help would be appreciated, I've been racking my brain against these phase 2 IPSec configurations for some time now.

CoryG

0 Answers
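The post has no answer, so as an added example (not from the original post or from pfSense) here is a small checker for the two phase 2 layouts it describes. It models each side's phase 2 entry as the real local subnet, the translated network the peer sees for it, and the remote network, then confirms that the two peers' selectors mirror each other, shows how a 1:1 BINAT maps individual hosts by preserving the host bits (10.254.58.72 to 10.58.1.72), and flags the two things that make Case 1 different from Case 2: a /24 hidden behind a single /32 is hide NAT rather than 1:1 BINAT, and the exposed address 10.27.254.9 lies inside Network B's own 10.27.0.0/16. The field names on the Phase2 class are this example's own, not pfSense's configuration keys, and the Case 1 remote network of 10.27.0.0/16 is an assumption taken from Firewall 2's 10.27.1.1/16 address.

```python
"""Selector and BINAT consistency check for the two IPsec phase 2 cases.

Added example, not code from the original post or from pfSense. Field
names below are this example's own; addresses are those in the question
except the Case 1 remote network 10.27.0.0/16, which is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """One side's phase 2 entry.

    local:      the real subnet behind this firewall
    translated: the network the peer sees for it (NAT/BINAT); equal to
                local when no translation is configured
    remote:     the peer's network as this side must address it, i.e. the
                peer's own translated network
    """
    name: str
    local: IPv4Network
    translated: IPv4Network
    remote: IPv4Network


def selectors_match(a: Phase2, b: Phase2) -> bool:
    """Phase 2 selectors must mirror: what A presents is what B calls remote."""
    return a.translated == b.remote and b.translated == a.remote


def is_binat(p: Phase2) -> bool:
    """A 1:1 BINAT keeps the prefix length. Mapping a /24 onto a /32 is
    hide NAT (many-to-one), which only carries connections from local out."""
    return p.local.prefixlen == p.translated.prefixlen


def translate(p: Phase2, host: str | IPv4Address, direction: str) -> IPv4Address:
    """Map one host across a 1:1 BINAT by keeping its host bits.

    direction "out": real address -> address the peer sees
    direction "in":  address the peer used -> real address behind p
    """
    host = ip_address(host)
    if not is_binat(p):
        raise ValueError(f"{p.name}: {p.local} -> {p.translated} is not 1:1")
    if direction == "out":
        src, dst = p.local, p.translated
    elif direction == "in":
        src, dst = p.translated, p.local
    else:
        raise ValueError("direction must be 'out' or 'in'")
    if host not in src:
        raise ValueError(f"{host} is not inside {src}")
    offset = int(host) - int(src.network_address)
    return IPv4Address(int(dst.network_address) + offset)


def translated_overlaps(p: Phase2, peer_real: list[IPv4Network]) -> list[IPv4Network]:
    """Return every real subnet on the peer that p's translated range falls
    into. A translated address inside an on-link subnet is only reachable
    if the peer firewall answers ARP for it (e.g. a Proxy ARP virtual IP)."""
    return [n for n in peer_real if n.overlaps(p.translated)]


# Case 2 from the question: /24 <-> /24 BINAT in both directions.
CASE2_A = Phase2("A", ip_network("10.31.1.0/24"),
                 ip_network("10.254.31.0/24"), ip_network("10.254.58.0/24"))
CASE2_B = Phase2("B", ip_network("10.58.1.0/24"),
                 ip_network("10.254.58.0/24"), ip_network("10.254.31.0/24"))

# Case 1 from the question: 10.9.9.0/24 hidden behind 10.27.254.9/32.
# Assumption: Network B's phase 2 local network is 10.27.0.0/16.
CASE1_A = Phase2("A", ip_network("10.9.9.0/24"),
                 ip_network("10.27.254.9/32"), ip_network("10.27.0.0/16"))
CASE1_B = Phase2("B", ip_network("10.27.0.0/16"),
                 ip_network("10.27.0.0/16"), ip_network("10.27.254.9/32"))


if __name__ == "__main__":
    print("case 2 selectors mirror:", selectors_match(CASE2_A, CASE2_B))
    print("B host 10.58.1.72 is seen from A as",
          translate(CASE2_B, "10.58.1.72", "out"))
    print("A's target 10.254.58.72 lands on",
          translate(CASE2_B, "10.254.58.72", "in"))
    print("case 1 is 1:1 BINAT:", is_binat(CASE1_A))
    print("case 1 exposed address collides with B's real subnet:",
          translated_overlaps(CASE1_A, [CASE1_B.local]))
```

Two things the checker surfaces that the post's wording glosses over. With the /32 in Case 1 the whole of 10.9.9.0/24 is overloaded onto one address, so Network B can reach an individual host in 10.9.9.0/24 only through a port forward on Firewall 0, which matches the "firewall plugged into a WAN address" picture but is not the two-way reachability of Case 2. And because 10.27.254.9 sits inside 10.27.0.0/16, hosts on that segment will ARP for it rather than send it to Firewall 2 unless the firewall answers ARP on their behalf; keeping the exposed address, or the translated /24s of Case 2, outside every on-link subnet avoids that dependency altogether.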