IPsec net-to-net: how to route traffic over the tunnel?

Dear Paul,
thanks for your suggestion.

Anyway, the best solution I’ve found is the IPsec Virtual Tunnel Interface (VTI).

I’ve spent a lot of time, so I’d like to leave a working solution for everyone who has the same problem.

The standard configuration is called “policy-based”, but only the traffic for the remote host travels inside the tunnel from A (left) to B (right). Everything else is routed out to the internet.

In my example:
192.168.106.2 | LEFT IPFIRE A | public IP1 ------ public IP2 | RIGHT IPFIRE B | 172.16.0.3
Only 172.16.0.0 packets pass through the tunnel and back home.

INSTEAD, if you configure a route-based IPsec tunnel with a VTI, you can route all the traffic you want through the tunnel.

To do that:

Configure IPFire this way:

LEFT IPFIRE

GREEN: 192.168.106.2 (just my case)
RED: 222.222.222.222 (just a stupid example)
Gateway: 222.222.222.221

Add IPsec net-to-net:
Name of connection: left2right
Local subnet: 0.0.0.0/0
Remote host/ip: public address: 184.184.184.184
Remote Subnet: 0.0.0.0/0

IP SETTINGS
Mode: “Tunnel”
IP address / subnet mask (of the VTI): 192.168.244.1/30 (just a private net with a /30 mask - only 2 addresses - we use this net just to route the traffic)
MTU 1500

RIGHT IPFIRE

GREEN: 172.16.0.3 (my case)
RED: 184.184.184.184 (just a stupid example)
Gateway: 184.184.184.183

Add IPsec net-to-net:
Name of connection: right2left
Local subnet: 0.0.0.0/0
Remote host/ip: public address: 222.222.222.222
Remote Subnet: 0.0.0.0/0

IP SETTINGS
Mode: “Tunnel”
IP address / subnet mask (of the VTI): 192.168.244.2/30 (just a private net with a /30 mask - only 2 addresses - we use this net to route the traffic)
MTU 1500

Now we have to make the static routes.
Be careful: without static routes not a single packet passes through, not even for 192.168.106.0 and 172.16.0.0.

LEFT IPFIRE
At a minimum, this route:
172.16.0.0/16 via 192.168.244.1 (tunnel IP)

If you use the static routes form, put:
IP Host: 172.16.0.0/16
Gateway: 192.168.244.1

Now you can route whatever you want:

192.168.7.0/25 via 192.168.244.1

10.100.0.0/16 via 192.168.244.1

RIGHT IPFIRE
Remember, at a minimum:
192.168.0.0/24 via 192.168.244.2

IMPORTANT CONSIDERATIONS
172.16.0.3 is the default gateway for the net on the right side.
So if you ping 172.16.0.0/ from left to right, everything is OK: the packets go back to 192.16.0.0 because every host replies to its default gateway 172.16.0.3.

But if on the right you have another net (like the internet, or something else) with a different default gateway, e.g. 172.16.0.1, the hosts of that right net can’t reply to the left side’s requests, because they send the reply to their default gateway (172.16.0.1).

To solve this, on the RIGHT IPFire you have to apply source NAT from the IPsec tunnel, with destination the net you want, and new IP address = GREEN IP.

In my case, from the left I also want to reach:
192.168.7.0
10.100.0.0
on the right side, so I have to add at least 3 firewall policies.

The first is REQUIRED (my case)

  1. SOURCE: right2left (name of the connection)
  2. NAT: > Source NAT > new source IP address: GREEN 172.16.0.3
  3. Destination: 172.16.0.0/24
  4. Protocols: any (what you want);
    Apply policy

Now packets from the left net go to the right net and all hosts reply to the sender (green interface 172.16.0.2) and don’t use a different default gateway;

NOW YOU HAVE TO REPEAT for the 2 nets that I want to reach:

  1. SOURCE: right2left (name of the connection)
  2. NAT: > Source NAT > new source IP address: GREEN 172.16.0.3
  3. Destination: 192.168.7.0/24
  4. Protocols: any (what you want);
    Apply policy

  1. SOURCE: right2left (name of the connection)
  2. NAT: > Source NAT > new source IP address: GREEN 172.16.0.3
  3. Destination: 10.100.0.0/16
  4. Protocols: any (what you want);
    Apply policy

Now everything is OK.

Remember, this way you can only ping everything from left to right:
if you want to ping from the remote subnet, you have to repeat the static routes and firewall policies on the left IPFire too.

Best regards
Franco
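As an added example (not Franco's configuration or IPFire's own code), this small Python model traces the reply path described under IMPORTANT CONSIDERATIONS: a right-side host behind a different default gateway only gets its answer back into the tunnel once RIGHT IPFire source-NATs the request to its GREEN IP. The segment layout, and the router 172.16.0.1 knowing nothing about the tunnel, are assumptions taken from the post's example.

```python
import ipaddress

# Constructed model of the RIGHT side from the post (example code, not IPFire's logic).
IPFIRE_GREEN = ipaddress.ip_address("172.16.0.3")    # RIGHT IPFire, GREEN interface
OTHER_GW = ipaddress.ip_address("172.16.0.1")        # the post's "different default gateway"
LEFT_NET = ipaddress.ip_network("192.168.106.0/24")  # routed on RIGHT IPFire via the VTI

# right-side segment -> default gateway of the hosts on it. Assumption: the two extra
# nets sit behind OTHER_GW, a plain router that knows nothing about the IPsec tunnel.
SEGMENTS = {
    ipaddress.ip_network("172.16.0.0/24"): IPFIRE_GREEN,
    ipaddress.ip_network("192.168.7.0/25"): OTHER_GW,
    ipaddress.ip_network("10.100.0.0/16"): OTHER_GW,
}


def segment_of(ip):
    """Return the right-side segment an address belongs to, or None."""
    return next((net for net in SEGMENTS if ip in net), None)


def trace_reply(left_src, right_host, snat=False):
    """Follow the reply a right-side host sends to a request that arrived over the VTI.
    snat=True means RIGHT IPFire source-NATed the request to its GREEN IP (the post's fix).
    Returns the hop list, ending in 'tunnel' (reply gets home) or 'internet' (reply is lost)."""
    left_src, right_host = map(ipaddress.ip_address, (left_src, right_host))
    if segment_of(right_host) is None or segment_of(left_src) is not None:
        raise ValueError("right_host must be on a modelled segment and left_src off it")
    dst = IPFIRE_GREEN if snat else left_src   # what the right host sees as the requester
    hop, path = right_host, [str(right_host)]
    while True:
        if hop == IPFIRE_GREEN:
            if dst == IPFIRE_GREEN:
                dst = left_src                 # conntrack reverses the SNAT on the reply
            path.append("tunnel" if dst in LEFT_NET else "internet")
            return path
        if hop == OTHER_GW:
            # plain router: delivers to attached segments, everything else to its uplink
            hop = dst if segment_of(dst) is not None else "internet"
        else:
            # ordinary host: on-link delivery, otherwise hand to its default gateway
            seg = segment_of(hop)
            hop = dst if dst in seg else SEGMENTS[seg]
        if hop == "internet":
            path.append(hop)
            return path
        path.append(str(hop))
```

Running `trace_reply("192.168.106.5", "192.168.7.10")` with and without `snat=True` shows the two cases from the post: the reply ends at "internet" via 172.16.0.1 without the NAT rule, and reaches "tunnel" through 172.16.0.3 with it.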