When I now try to reach a machine on the other site via e.g. tracert it says Destination net unreachable.
My Question: Is it possible to have the local Subnet entered in IPSec differ from green?
The Subnet 172.21.105.0/24 only exists in the IPSec configuration on our site.
If so, which firewall rules, routes do I have to create in order to get this to work.
I was thinking, what if you do a source nat (two rules, one for each direction), where the traffic coming from 172.21.105.0/24 is NATted to a subset of your green network? Similar to the hub and spoke configuration described in the wiki?
Connections with PSKs are very common and set up with only three settings:
You will need to generate a pre-shared-key that is strong enough to not be guessed. It is recommended to at least use a 32 character long key.
Since the PSK is not enough to identify the connection in case of multiply connections using PSK authentication, you will need to fill in the "Local ID" and "Remote ID" fields. There are no restrictions for this, the pair must only be unique across all connections you have and must match with the settings of the peer. You can use:
Any ASCII-string that starts with an @. It is common to use the hostname (e.g. @trucking.ipfire-at-home.com)
Some vendors automatically fill in the IP addresses of both peers
I do not think so, but I speak of what I do not understand well enough. My reasoning is the following: the traffic originating from the other side of the tunnel (172.2.105.X) will be remapped to a subset of your green network, say 192.168.5.192/26 by SNAT, as well as the traffic originating from your side of the tunnel in that green sub-net should be sent back to the other side (172.2.105.X). This should be enough for a successful routing on both sides.
EDIT: maybe even one rule should be enough, without using a subset of your network? In the hub&spoke you needed two rules because you wanted to connect 2 network through a central location. But in your case?
If you manage to solve the problem would you write a short “how to”, to leave some breadcrumbs for other people in the future?
The Problem here is that both subnets 192.168.5.x and 172.21.105.x are on our site.
192.168.5.0/24 is our green network and 172.21.105.0/24 is the local Subnet I entered on our site of the IPSec configuration and is only configured here. Otherwise 172.21.105.0/24 does not exist on our Site.
The Subnet from Site B is 10.2.44.0/24.
I would need NATing on our Site between 192.168.5.0/24 and 172.21.105.0/24.
Sry for the confusion I may have caused.
I try to explain it again.
Site A
Green 192.168.5.0/24
IPSec config:
local subnet: 172.21.105.0/24 (which is only configured here, and otherwise not existing in our network, so no gateway…)
RemotHost/IP: x.x.x.x
remote subnet: 10.2.44.0/24
Site B:
green: 10.2.44.0/24
IPSec config:
local subnet: 10.2.44.0/24
RemotHost/IP: x.x.x.x
remote subnet: 172.21.105.0/24
Site B cannot enter 192.168.5.0/24 as there remote subnet as this subnet is also part of their network infrastructure.
How it should be:
192.168.5.10 sends a request to 10.2.44.10.
192.168.5.10 → needs to know that 10.2.44.10 can be reached over IPSec Tunnel.
192.168.5.10 needs to become e.g. 172.21.105.10 and sends the request over IPSec tunnel.
When the response comes back 172.21.105.10 must be translated back to 192.168.5.10.
I guess that I not only need NATing Rules on our site A to translate 192.168.5.x to 172.21.105.x before sending trough the IPSec Tunnel.
And I can only make changes to site A and not B.
As far as i know Site B is configured to accept requests from 172.21.105.0/24 and sends it back.
They have more costumers with this set-up so it should be ok.
So yes, i guess the problem is only on our site A.
I think it’s what @steven was suggesting in post 12. Those command should create the network and bridge it to the green interface. After that, it should be visible in web user interface.
Sorry, but i can’t understand, how your 172.21.105.0/24 network can work without a gateway?! What is the network configuration on a client in this network (IP, DNS, GW)?!
And the most important: How can 192.168.5.0/24 communicate with 172.21.105.0/24 in your setup?
How ever: IPfire must be a part of the 172.21.105.0/24 network. If that subnet really doesn’t have a gateway, which I don’t think so, then ipfire will become the gateway for that subnet with my config of the screen on site a without the second route-line. Setup the IPfire-IP of 172.21.105.0/24 as gateway on the 172.21.105.0/24 clients. Then you can tunnel with the respective remote subnets 10.2.44.0/24 and 172.21.105.0/24 and it will work. If you also wan’t a connection from 10.2.44.0/24 to 192.168.5.0/24, you must setup a second tunnel with this remote-subnet and it will work.
No, unfortunately it is not visible in the web interface, but it is there and can be used as a remote-subnet in the ip-sec-setup and Ipfire routes it accordingly.