
I have three sites connected with two IPSec tunnels:

Site A - 192.168.10.0/24
        |
    IPSec tunnel
        |
Site B - 192.168.0.0/24
        |
    IPSec tunnel
        |
Site C - 10.0.0.0/8

This works great, and I can reach Site A and Site C from Site B. What I need is to reach Site C from Site A. Is that possible with my current setup?

pgb

1 Answer

Assuming that you don't want to negotiate an additional tunnel between Site A and Site C directly, you can do this simply by negotiating the appropriate IPsec policies on the two existing connections (and, of course, allowing forwarding of that traffic on Site B).

Between Site A and B you negotiate 10.0.0.0/8 on Site B and between Site B and Site C you negotiate 192.168.10.0/24 on Site B. This enables Site A and Site C to send traffic to those additional subnets to Site B, which then also can forward that traffic appropriately (it needs forward policies that allow traffic from 192.168.10.0/24 to 10.0.0.0/8 and vice-versa).

If you use IKEv2 you can simply add the additional subnets to Site B's local traffic selector for each of the two connections. And similarly on Site A and Site C for their remote traffic selectors, or you may configure 0.0.0.0/0 there to let Site B do the narrowing to the two subnets.

ecdsa
  • Sorry for the silly follow-up... By "negotiate `10.0.0.8`", you mean adding another Phase 2? – pgb Mar 29 '19 at 14:09
  • No, adding another subnet to the traffic selector of the existing Phase 2/CHILD_SA. (Although, you can obviously add another CHILD_SA, but it's not really necessary.) – ecdsa Mar 29 '19 at 15:07
  • Follow-up question... I can't add more than one subnet to the traffic selector in the Phase 2... If I add another Phase 2 on Site B, do I need to make changes in Site C (which I don't control)? – pgb Apr 05 '19 at 19:25
  • If Site C has the two subnets already in its config with Site B, then no. If not, you either need to add it or add a separate CHILD_SA config too. As I wrote in my answer, with IKEv2 you could also try proposing `0.0.0.0/0` as remote subnet, which Site C can then narrow to the two actual subnets (but it could also redirect any other subnet/address, so be aware of that if you don't control Site C). – ecdsa Apr 08 '19 at 08:03
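As an added worked example (not part of the question or of ecdsa's answer), here is what the multi-subnet traffic selectors described in the answer look like in strongSwan's swanctl.conf, assuming all three gateways run strongSwan with IKEv2 and pre-shared keys. The hostnames, identities, connection names and PSKs are placeholders. Site B gets the far subnet added to local_ts on each of its two connections; Site A and Site C add the far subnet to remote_ts (or Site A proposes 0.0.0.0/0 and lets Site B narrow it). The FORWARD rules at the end, restricted with the policy match, are what "allowing forwarding of that traffic on Site B" amounts to on a Linux gateway.

```conf
# --- Site B (hub, gateway of 192.168.0.0/24): /etc/swanctl/conf.d/hub.conf ---
connections {
    site-a {
        version = 2
        remote_addrs = gw-a.example.net        # placeholder
        local {
            auth = psk
            id = gw-b.example.net              # placeholder
        }
        remote {
            auth = psk
            id = gw-a.example.net
        }
        children {
            net-a {
                # own LAN plus Site C's LAN, so Site A may send 10/8 traffic here
                local_ts  = 192.168.0.0/24, 10.0.0.0/8
                remote_ts = 192.168.10.0/24
                start_action = start
            }
        }
    }
    site-c {
        version = 2
        remote_addrs = gw-c.example.net        # placeholder
        local {
            auth = psk
            id = gw-b.example.net
        }
        remote {
            auth = psk
            id = gw-c.example.net              # placeholder
        }
        children {
            net-c {
                # own LAN plus Site A's LAN, so Site C may send 192.168.10/24 traffic here
                local_ts  = 192.168.0.0/24, 192.168.10.0/24
                remote_ts = 10.0.0.0/8
                start_action = start
            }
        }
    }
}
secrets {
    ike-a {
        id = gw-a.example.net
        secret = "placeholder-psk-a"
    }
    ike-c {
        id = gw-c.example.net
        secret = "placeholder-psk-c"
    }
}

# --- Site A (gateway of 192.168.10.0/24): only the child's selectors change ---
#   local_ts  = 192.168.10.0/24
#   remote_ts = 192.168.0.0/24, 10.0.0.0/8
# Alternative: remote_ts = 0.0.0.0/0 and let Site B narrow it. Then Site B's
# local_ts alone decides which destinations Site A can reach through the tunnel.

# --- Site C (gateway of 10.0.0.0/8): same idea ---
#   local_ts  = 10.0.0.0/8
#   remote_ts = 192.168.0.0/24, 192.168.10.0/24

# --- Site B, in addition (shell, as root): forwarding between the two far LANs ---
# Only packets that arrived through an IPsec SA are forwarded, so cleartext from
# elsewhere can never be relayed into either network.
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -A FORWARD -m policy --dir in --pol ipsec -s 192.168.10.0/24 -d 10.0.0.0/8      -j ACCEPT
#   iptables -A FORWARD -m policy --dir in --pol ipsec -s 10.0.0.0/8      -d 192.168.10.0/24 -j ACCEPT
```

After `swanctl --load-all`, `swanctl --list-sas` on Site B shows the selectors actually installed for each CHILD_SA. That check matters when Site C is not under your control: if the peer narrows the proposed selectors down to only 192.168.0.0/24, the CHILD_SA still comes up, but packets from 192.168.10.0/24 arriving at Site B have no matching IPsec policy toward Site C and are dropped, which looks like a forwarding problem rather than a negotiation problem.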