Blue on Office2 to Green on Office1 with IPSec


I have two offices with IPFire, both IPFire boxes connected with IPsec. All works fine without any issues on Green.

My issue: when a device is connected on Blue in Office2, I could not reach a device on Green in Office1.

I think a solution could be IPsec N2N Blue-to-VPN connectivity, but I don’t know how to handle the two entries.

What do I have to do? Or is there another way?

Thanks for help.
Best Regards


Red > Internet, Green > Internal, Blue > WiFi

Naive question, what happens if in the Remote Subnet setting of Office1 you add, after the green subnet of Office2, a comma followed by the blue subnet of Office2 as well?

I tried this before but it didn’t work:

office1 lan
office1 wlan

office2 lan
office2 wlan

In/on remote subnet (entferntes subnetz): IP from office2 and IP blue,

local subnet (lokales netzwerk): IP from office2 and IP blue,

Again, naive question. To access the green network from the blue, we need a pinhole in the firewall. Is it possible that we need one as well for the blue network of the other side of the tunnel?

Both subnets have to be included in the IPSEC configuration for a computer in office1 to access both green and blue at office2. These should be listed, one subnet per line, in the configuration. Pin holes from blue to green are for local access. Adding to IPSEC should grant direct access to both subnets.

Office2 needs to grant IPSEC subnet access from office1 to
office2 lan
office2 wlan


@disturbeddragon could you post a screenshot or point the way?

Tried it but it wouldn’t work. Office2 blue to green: no problem. Also office2 green to office1 green: no problem. But blue office2 to green office1 would not work.

I unfortunately do not have my one IPFIRE box set up with IPSEC. I do have several other boxes running other firewall distros set up this way and these do work configured as I described.

Don’t know.

Ok. Thanks for help. Didn’t get it to work yet.

Tried again: made the settings as @disturbeddragon wrote. Looking at the routing table, all looks fine.

Also made rules based on @cfusco:

  • office2blue > ipsec-purple-office1 and ipsec-purple-office1 > office2blue
  • office1green > office2purple and office2purple > office2green

But the result is the same: no traffic, no ping possible office1<>office2.

At the moment this seems to be the only solution to get it to work:


Didn’t even think of that but if it works then it works for now. Hopefully devs will get that bug fixed.

Knowing you have solved this with two IPSEC connections, I found another solution as well. In Firewall settings, use NAT rules to forward traffic from Blue to Green, then out to Purple. Rules must be in both directions. Tried on Source NAT with a single host and it works. Should work the same but changing from single Blue host to entire Blue subnet.

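To make the two fixes discussed in this thread concrete (listing both subnets on both ends of the IPsec connection, as @disturbeddragon described, or SNATing Blue traffic to a Green address before the tunnel, as in the post above), here is an added example, not from the thread or from IPFire, that models how IPsec traffic selectors decide whether a packet goes into the tunnel. The office subnets and the SNAT address are constructed sample values; the `local`/`remote` fields mirror the comma-separated "Local subnet" / "Remote subnet" entries of an IPFire net-to-net connection.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the two offices (not taken from the thread).
OFFICE1_GREEN, OFFICE1_BLUE = "10.1.0.0/24", "10.1.1.0/24"
OFFICE2_GREEN, OFFICE2_BLUE = "10.2.0.0/24", "10.2.1.0/24"


def parse_subnets(field):
    """The 'Local subnet' / 'Remote subnet' fields hold comma-separated CIDRs."""
    return [ip_network(s.strip()) for s in field.split(",") if s.strip()]


def selector_covers(local_field, remote_field, src, dst):
    """A packet src->dst is put into the tunnel only if some
    (local subnet, remote subnet) pair contains src and dst respectively.
    Traffic from a subnet that is not listed is simply not tunnelled."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in loc and dst in rem
               for loc in parse_subnets(local_field)
               for rem in parse_subnets(remote_field))


def tunnel_allows(office2, office1, src, dst, snat_to=None):
    """office2 / office1 are dicts with the 'local' and 'remote' fields as
    entered on each box. True only when the outbound packet matches Office2's
    selectors AND the reply (dst->src) matches Office1's selectors, which is
    why the subnet has to be added on both ends. snat_to models the SNAT
    workaround: the Blue source is rewritten before the packet hits the tunnel."""
    if snat_to is not None:
        src = snat_to
    out_ok = selector_covers(office2["local"], office2["remote"], src, dst)
    back_ok = selector_covers(office1["local"], office1["remote"], dst, src)
    return out_ok and back_ok


if __name__ == "__main__":
    o2 = {"local": OFFICE2_GREEN, "remote": OFFICE1_GREEN}
    o1 = {"local": OFFICE1_GREEN, "remote": OFFICE2_GREEN}
    # Green-only selectors: Office2 Blue host cannot reach Office1 Green.
    print(tunnel_allows(o2, o1, "10.2.1.5", "10.1.0.5"))
    # Same packet after SNAT to an Office2 Green address: it is tunnelled.
    print(tunnel_allows(o2, o1, "10.2.1.5", "10.1.0.5", snat_to="10.2.0.1"))
```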

Could you post a screenshot of one rule in editor mode? I always got the message that I have to choose one single device and not a group.

Yes sir, here it is.
