
I need some help to shed some light on an IPsec tunneling issue. Here I will explain my current setup.

    Site A <-------IPSEC------> Site B (HUB) <------IPSEC------> Site C
    10.1.1.1/24                 10.2.2.1/24                      10.3.3.1/24

Tunneling from Site A to Site B & Site B to Site C are working fine. However Site A is not able to reach Site C directly and vice versa.

On Site A the phase 2 entry: Local: LAN Subnet Nat / Binat: None Remote: Network (10.2.2.1/24)

On Site C the phase 2 entry: Local: LAN Subnet Nat / Binat: None Remote: Network (10.2.2.1/24)

On Site B there are 2 IPSec Tunnels:

  1. Site A Phase 2 entry: Local: LAN Subnet Nat: None Remote: Network (10.1.1.1/24)

  2. Site C Phase 2 entry: Local: LAN Subnet Nat: None Remote: Network (10.3.3.1/24)

Note: FYI we do not have the access to Site C. Therefore any adjustment only could be made on Site A and Site B.

Kindly let me know if you may require any other information. Thank you in advance.

heezam
  • `we do not have the access to Site C` - then it can't be done. The "Remote" network has to contain ALL remote networks (A and B), not just one (B). And that is true for Site A also. Not to mention any number of configurations needed at Site B to make sure packets will route. – Appleoddity Sep 15 '17 at 03:55
  • Also, this is terribly inefficient. You should establish a tunnel between Site A and Site C, for a full mesh network. – Appleoddity Sep 15 '17 at 03:57
  • Dear Appleoddity, Thank you for your response. Is there any other method by which the same goal could be achieved, rather than adding the phase 2 entries on both remote sites as explained? FYI the network topology that we used to establish this is a line network, whereby Site A <----> Site B <----> Site C – heezam Sep 15 '17 at 04:41

1 Answer


Without access to Site C you have no way of directing traffic destined to Site A over the tunnel. It requires routing and SA changes at Site C.

Therefore the only solution is to do a double one-to-one NAT at Site B so that you "map" the IP address space of Site A into Site B, and the address space of Site C into Site B.

Let's give an example. Let's say Computer C at Site C wants to communicate with Computer A at Site A. Computer A has the IP address 10.1.1.10 and Computer C has the IP address 10.3.3.10. Site A ONLY knows about Site B IP addresses, and Site C ONLY knows about Site B addresses. So, you need a One-To-One NAT in both directions.

Visually this is what it looks like using example IPs from each network:

First, Computer C sends its data to 10.2.2.10 instead of 10.1.1.10. Site B NATs the traffic and Computer A sees the traffic coming from 10.2.2.11:

  • [10.3.3.10]->IPSEC->[10.2.2.10]SNAT/DNAT[10.2.2.11]->IPSEC->[10.1.1.10]

Second, Computer A sends return data to 10.2.2.11 and Site B NATs it so that 10.3.3.10 sees the traffic returning from 10.2.2.10:

  • [10.1.1.10]->IPSEC->[10.2.2.11]SNAT/DNAT[10.2.2.10]->IPSEC->[10.3.3.10]

Essentially, Site C thinks Computer A is at 10.2.2.10, and Site A thinks Computer C is at 10.2.2.11.

Appleoddity
  • Thank you for your input. FYI I am using pfSense 2.3.4 for all 3 sites. The above implementation perhaps may solve the puzzle that I'm having right now. However I am not sure how to implement the NAT over IPsec. Does that mean the NAT needs to be done on the Site B tunnel in the phase 2 entry for both Site A & B? Apologies for the noob question. I understand the explanation above, but I'm not sure how it can be implemented in a pfSense environment. Thank you in advance. – heezam Sep 15 '17 at 08:51
  • I'm not familiar with pfSense but I'm sure it supports NAT rules. It is not a VPN/IPSec setting. They are NAT rules, completely independent of the IPSec tunnel. Once you use NAT to change the IP addresses the traffic will be directed down the tunnels because it matches the SA. It's not a simple concept by any means, expect to spend a few hours trying to figure this one out. – Appleoddity Sep 15 '17 at 15:39
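To make the answer's reasoning concrete, here is an added simulation (not code from the question, the answer, or pfSense) of what each gateway does with a packet: the phase 2 selectors from the question decide whether an SA covers a source/destination pair, and the hub's 1:1 NAT table from the answer's example rewrites addresses so that the translated packet matches the SA toward the other spoke. The host addresses 10.1.1.10, 10.3.3.10 and the hub addresses 10.2.2.10/10.2.2.11 are the answer's own example values; the networks are written as .0/24 rather than the .1/24 form shown in the question because they are the same subnets.

```python
import ipaddress

# Constructed example: the three sites from the question, Site B as the hub.
SITE_A = ipaddress.ip_network("10.1.1.0/24")
SITE_B = ipaddress.ip_network("10.2.2.0/24")
SITE_C = ipaddress.ip_network("10.3.3.0/24")

# Phase 2 selectors (local, remote) exactly as the question describes them:
# each spoke only knows the hub's LAN, the hub knows both spokes.
PHASE2 = {
    "A": [(SITE_A, SITE_B)],
    "C": [(SITE_C, SITE_B)],
    "B": [(SITE_B, SITE_A), (SITE_B, SITE_C)],
}

# Hub 1:1 (BINAT) table from the answer's example, hypothetical values:
# address on the hub LAN -> real host it stands in for behind the other spoke.
BINAT = {
    "10.2.2.10": "10.1.1.10",   # Site C reaches Computer A via 10.2.2.10
    "10.2.2.11": "10.3.3.10",   # Site A reaches Computer C via 10.2.2.11
}
REVERSE = {real: hub for hub, real in BINAT.items()}


def site_of(addr):
    """Return which site's LAN an address belongs to."""
    a = ipaddress.ip_address(addr)
    for name, net in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        if a in net:
            return name
    raise ValueError(f"{addr} is not in any known site")


def matches_sa(site, src, dst):
    """True if some phase 2 selector at `site` covers src -> dst outbound."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in PHASE2[site])


def hub_forward(src, dst):
    """Hub-side translation of a packet that arrived over one tunnel:
    DNAT the hub-LAN destination to the real host, and SNAT the real source
    to the hub-LAN address that represents it on the far spoke.
    Returns (new_src, new_dst) or None when no mapping exists."""
    if dst not in BINAT or src not in REVERSE:
        return None
    return (REVERSE[src], BINAT[dst])


def deliver(src, dst):
    """Walk a packet spoke -> hub -> spoke.  Returns the (src, dst) pair the
    destination host finally sees, or None if some hop has no SA / mapping."""
    origin = site_of(src)
    if not matches_sa(origin, src, dst):      # spoke has no SA for this dst
        return None
    translated = hub_forward(src, dst)
    if translated is None:                    # hub has no 1:1 mapping
        return None
    new_src, new_dst = translated
    if not matches_sa("B", new_src, new_dst):  # hub must have an SA onward
        return None
    return translated


if __name__ == "__main__":
    # Direct attempt with real addresses: Site C has no SA toward 10.1.1.0/24.
    print(deliver("10.3.3.10", "10.1.1.10"))   # None
    # Via the hub addresses from the answer, both directions work.
    print(deliver("10.3.3.10", "10.2.2.10"))   # ('10.2.2.11', '10.1.1.10')
    print(deliver("10.1.1.10", "10.2.2.11"))   # ('10.2.2.10', '10.3.3.10')
```

The simulation shows the point the answer makes in its last comment: nothing about the tunnels changes. The spokes' selectors stay as they are, and it is the hub's address rewriting that turns a packet for 10.2.2.10 into one for 10.1.1.10, which then matches the hub's existing SA toward Site A; the reply is rewritten the other way so Site C only ever sees 10.2.2.10.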