VPN and IPsec

Hello, I have 3 departments connected by IPsec. This works.

D1 (192.168.1.0/24) - Main department

D1 - D2 (192.168.2.0/24)
D1 - D3 (192.168.3.0/24)

I have VPN configured on D1 and it works too; people can connect to D1, but I want people connected by VPN (192.168.10.0/24) to be able to access D2 and D3. This is not working. A few years ago I used VPN connections between departments, then configured routes and it worked; with IPsec I don't know how to repair the connections.

IPsec policies are added and they are active, the firewall is configured the same as for D1-D2 for example, and nothing.

Replace the IPsec policies with IPIP or GRE tunnels secured by IPsec and use normal routing. Or add IPsec policies handling the subnet(s) from which the VPN users get their addresses.
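To make the second suggestion concrete, here is an added Python model (not code from the thread or from any router vendor) of policy-based IPsec selector matching for the topology in the question: hub D1 with spokes D2 and D3, and the VPN pool 192.168.10.0/24 terminating on D1. The subnets are the ones posted above; the rule that both the sender's router and the receiver's router must carry mirrored selectors is an assumption about how policy-based IPsec behaves in general.

```python
import ipaddress
from typing import Dict, List, Tuple

Policy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (src selector, dst selector)

# Constructed topology taken from the question: D1 is the hub, D2/D3 are spokes.
SITES = {
    "D1": ipaddress.ip_network("192.168.1.0/24"),
    "D2": ipaddress.ip_network("192.168.2.0/24"),
    "D3": ipaddress.ip_network("192.168.3.0/24"),
}
VPN_POOL = ipaddress.ip_network("192.168.10.0/24")  # VPN user addresses, handed out by D1


def required_policies(hub: str, spokes: List[str],
                      extra_hub_subnets: List[ipaddress.IPv4Network]) -> Dict[str, List[Policy]]:
    """Policies each router needs so every hub-side subnet (hub LAN plus any extra subnets,
    e.g. the VPN pool) can reach each spoke LAN. The hub needs (hub_subnet -> spoke_lan);
    the spoke needs the mirror (spoke_lan -> hub_subnet), otherwise replies are not protected."""
    hub_side = [SITES[hub]] + list(extra_hub_subnets)
    policies: Dict[str, List[Policy]] = {router: [] for router in [hub] + spokes}
    for spoke in spokes:
        for net in hub_side:
            policies[hub].append((net, SITES[spoke]))
            policies[spoke].append((SITES[spoke], net))
    return policies


def matches(policies: List[Policy], src: str, dst: str) -> bool:
    """True if some policy's selectors cover the (src, dst) pair of a packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in p_src and d in p_dst for p_src, p_dst in policies)


def can_talk(policies_by_router: Dict[str, List[Policy]],
             sender_router: str, receiver_router: str, src: str, dst: str) -> bool:
    """A ping works only if the sender's router matches (src, dst) on the way out
    and the receiver's router matches the reply (dst, src) on the way back."""
    return (matches(policies_by_router[sender_router], src, dst)
            and matches(policies_by_router[receiver_router], dst, src))


if __name__ == "__main__":
    before = required_policies("D1", ["D2", "D3"], [])          # site-to-site only
    after = required_policies("D1", ["D2", "D3"], [VPN_POOL])   # VPN pool added on both sides
    client, d2_host = "192.168.10.5", "192.168.2.10"
    print("VPN client -> D2 before:", can_talk(before, "D1", "D2", client, d2_host))
    print("VPN client -> D2 after: ", can_talk(after, "D1", "D2", client, d2_host))
```

Running it shows that adding the VPN-pool selector only on D1 is not enough: D2 must carry the mirrored 192.168.2.0/24 -> 192.168.10.0/24 policy as well.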

Hello, thanks for your reply,

The IPsec policy is added in the main department, 192.168.10.0/24 (VPN) with 192.168.2.0/24 (D2), and it's active on both sides, but I cannot ping devices.

IPIP, OK, I will try it, but how about performance compared with IPsec?

IPIP over IPsec in transport mode has the same overhead as bare IPsec in tunnel mode. The question is whether you can use transport mode - to do so, the public IPs of both peers have to be static, because IPIP cannot automatically adjust to a changing remote address (nor can GRE).

If you want assistance with the current solution (bare IPsec with policies), you have to post the export of both D1 and D2 configurations.