IPSec local subnet differs from green

I think it’s what @steven was suggesting in post 12. Those commands should create the network and bridge it to the green interface. After that, it should be visible in the web user interface.


Sorry, but I can’t understand how your 172.21.105.0/24 network can work without a gateway?! What is the network configuration on a client in this network (IP, DNS, GW)?!
And the most important: how can 192.168.5.0/24 communicate with 172.21.105.0/24 in your setup?

However: IPFire must be a part of the 172.21.105.0/24 network. If that subnet really doesn’t have a gateway, which I doubt, then IPFire will become the gateway for that subnet with my config from the screenshot for site A, without the second route line. Set up the IPFire IP in 172.21.105.0/24 as the gateway on the 172.21.105.0/24 clients. Then you can tunnel with the respective remote subnets 10.2.44.0/24 and 172.21.105.0/24 and it will work. If you also want a connection from 10.2.44.0/24 to 192.168.5.0/24, you must set up a second tunnel with this remote subnet and it will work.

No, unfortunately it is not visible in the web interface, but it is there and can be used as a remote subnet in the IPsec setup, and IPFire routes it accordingly.


Hi,

I cannot change the settings on site B.

I have set up IPSec tunnels before with the settings you mentioned and they were all working.


Hi Steven,

the thing is that site B is expecting that traffic over the tunnel is coming from 172.21.105.0/24, and I sadly cannot change this.
Our setup has only green 192.168.5.0/24 and red.

That’s exactly the thing: how can it work without having a gateway?
It won’t, I guess. That’s the problem. Is this setup even possible with IPFire?

There actually won’t be any client with the address 172.21.105.x.

This subnet 172.21.105.0/24 is only needed for the traffic through the IPSec tunnel.

I was now thinking of making a VLAN with blue over the green NIC.
The new blue VLAN would have 172.21.105.0/24.

Is it possible to make an IPsec tunnel with blue on site A and route the traffic from green over blue to site B?

What bullsh*t.
If 172.21.105.0 has no clients, with what should site B communicate?!
You must change the remote subnet to 192.168.5.0 on site B, or change your green network on site A from 192.168.5.0 to 172.21.105.0. How else would site B know where 192.168.5.0 is?!

@steven Can I ask you a question, since my understanding of routing is really poor? OP has made the point that site B is administered by others and they have chosen (and, I presume, imposed on OP) to establish the tunnel with site A excluding its green network, because it is mapped to 192.168.5.0/24, which is a network range also present on site B. This implies some sort of problem that requires a clear separation between the local network on site A and the local network on site B.

My question is: does it? Is there really a conflict or a problem? To me it looks like this is perfectly compatible! And with “this”, I mean having similar network ranges at both ends of a tunnel.

Indeed it is bullsh*t, but unfortunately this is the way it has to be. I have no control over site B and they are unwilling to change anything on their side.

So site A 192.168.5.10 sends a request to 10.2.44.10.
192.168.5.10 has to become e.g. 172.21.105.10 on site A through NAT.

10.2.44.10 sends the response back to 172.21.105.10, so site B knows where to send the response.

Is this somehow possible to do with IPFire or not?
I’m running out of ideas how I can implement this with only one green network.

Could it be possible to do this with 172.21.105.0/24 being VLAN blue, or are there too many restrictions between green and blue?
Is blue even allowed traffic through IPsec?
I read that for OpenVPN you have to configure specific routes in the OpenVPN config files in order to let blue through.

Sadly true.

Try this site A setup:

/etc/sysconfig/firewall.local

add this line in start & reload:

ifconfig green0:0 172.21.105.1 netmask 255.255.255.0 broadcast 172.21.105.0

restart

set up and start your IPsec with 172.21.105.0/24

add firewall rules

Source: 172.21.105.0/24 → Target: Green network

and

Source: 172.21.105.0/24 → Target: IPsec connection to site B

(Try without NAT or with NAT in the firewall rules)

I’m not sure if it’s still necessary to set a route for the subnet 10.2.44.0/24.

Try it…


See also: Is this setup possible to configure with IPFire?

Thank you, I did try it but no success :confused:

Can you ping an IP from 10.2.44.0/24 via the IPFire console after the tunnel is up?

I think your best chance is to keep working with the command line using @steven’s strategy. The goal is to create an alias on top of green0 (green0:0) linked to 172.21.105.0/24. Then you create an SNAT, by command line if necessary, in the firewall from the green0 address range to the green0:0 address range.

Alternatively, you could try to create a blue0 dummy interface (see the same tutorial above, plus this one), link it to 172.21.105.0/24 and bridge it with green0.

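As an added worked example (not code from any post in this thread), here is the site A recipe the two posts above describe, the green0:0 alias followed by NAT from the green range into the 172.21.105.0/24 range that site B expects, as a script that can be called from /etc/sysconfig/firewall.local. It uses the iptables NETMAP target instead of a plain SNAT so that 192.168.5.10 becomes 172.21.105.10 one-to-one, as the earlier post asked for. It assumes IPFire's nat-table chains CUSTOMPOSTROUTING and CUSTOMPREROUTING, the NIC name green0, the address 172.21.105.1 for IPFire's alias and the availability of xt_NETMAP; none of these is confirmed by the thread. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the IPFire thread or the IPFire project.
# Assumptions (not stated in the thread): chains CUSTOMPOSTROUTING and
# CUSTOMPREROUTING exist in the nat table, the green NIC is green0, the
# NETMAP target is available, and 172.21.105.1 is free for IPFire's alias.

GREEN_NET=192.168.5.0/24     # real green network at site A
ALIAS_NET=172.21.105.0/24    # subnet site B expects as the tunnel selector
ALIAS_IP=172.21.105.1        # hypothetical IPFire address inside ALIAS_NET
REMOTE_NET=10.2.44.0/24      # site B's network behind the tunnel
GREEN_IF=green0

# dotted quad -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                            $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Broadcast address of a CIDR block: all host bits set (172.21.105.0/24 -> .255)
cidr_broadcast() {
    prefix=${1#*/}
    int2ip $(( $(ip2int "${1%/*}") | ((1 << (32 - prefix)) - 1) ))
}

# What NETMAP does to a single address: keep the host bits of <ip>,
# replace the network bits with those of <to-net/prefix>.
netmap_addr() {
    prefix=${2#*/}
    hostmask=$(( (1 << (32 - prefix)) - 1 ))
    int2ip $(( ($(ip2int "${2%/*}") & ~hostmask) | ($(ip2int "$1") & hostmask) ))
}

# The commands for site A, in the order they have to run.
site_a_commands() {
    cat <<EOF
# 1. Give IPFire an address in the alias subnet on top of green0 (the green0:0
#    of the thread), with the correct broadcast address computed, not typed.
ip addr add $ALIAS_IP/${ALIAS_NET#*/} brd $(cidr_broadcast "$ALIAS_NET") dev $GREEN_IF label $GREEN_IF:0
# 2. Outbound: rewrite 192.168.5.x -> 172.21.105.x. nat POSTROUTING runs before
#    IPsec encapsulation, so the packet then matches the selector $ALIAS_NET <-> $REMOTE_NET.
iptables -t nat -A CUSTOMPOSTROUTING -s $GREEN_NET -d $REMOTE_NET -j NETMAP --to $ALIAS_NET
# 3. Inbound connections that site B opens towards 172.21.105.x: map them to the
#    real green hosts (replies to step 2 are reversed by conntrack on their own).
iptables -t nat -A CUSTOMPREROUTING -s $REMOTE_NET -d $ALIAS_NET -j NETMAP --to $GREEN_NET
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    site_a_commands | sh -e     # run for real (needs root on the IPFire box)
else
    site_a_commands             # dry run: show what would be executed
fi
```

In firewall.local the script would be invoked with APPLY=1 from both the start and reload cases, so the rules survive a firewall reload. The FORWARD-chain firewall rules of the earlier post still see the original 192.168.5.0/24 source, since NAT happens after filtering on the outbound path; only the IPsec selector and site B see 172.21.105.0/24.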

:thinking: Are you sure about the broadcast?


Regards


Good find. I didn’t even look at that closely enough.
Maybe I just presume the basics of network addressing. :wink:

To be exact: the network is 172.21.105.0/24 with IPFire 172.21.105.1, netmask 255.255.255.0, broadcast 172.21.105.255.


:wink: haha… Maybe it’s a “fast fingers” error …:smiley:


This. Of course you are right. But that’s not the reason whether it works or not.


Yes I did, without success.

I did use 172.21.105.255 as broadcast :slight_smile:
