Setup IPSec VPN to a node behind another Pfsense Box

Tags: ipsec, pfsense

I have a pfsense box (Call this BOX1) that has LANs and a WAN which connects to the internet and is used to create a VPN connection to a client: This has pfsense version 2.0.2-RELEASE (i386)

I have another pfsense box (Call this BOX2) with an Internet Connection. Behind it are several LANs (LANx): This has pfsense version 2.1-RELEASE (i386)

There is also a Point to Point Connection between BOX1 and BOX2

BOX2 uses BOX1 as its default gateway.

This means BOX1 is the default gateway for its own LAN and also the default gateway for BOX2 and the networks behind BOX2.

The internet of BOX2 is normally used only when BOX1's WAN is unreachable.

BOX1 has got a site to site VPN to a client who uses that VPN to connect to an IP 192.168.2.5 (Call it SRV1) which sits in the LAN behind BOX1.

Using the WAN on BOX2, I want to set up a backup VPN to the client so that they can connect to SRV1 via the Point to Point that connects BOX2 and BOX1. The client's computer is on IP: 172.16.2.10

Basically, if the WAN supporting the VPN on the PfSense BOX1 is down, I want the clients themselves to switch to VPN2 which will connect via the Point to Point link to BOX1 and thus find SRV1 which sits behind BOX1.

Can you guide me on how to do this kind of setup?

http://postimg.org/image/95ha0l0x1/

So far, I have tried but haven't succeeded. On BOX2, I am getting the errors:

Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: DEBUG: got pfkey X_SPDADD message
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501508: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: DEBUG: got pfkey X_SPDADD message
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 30 10:32:04 racoon: DEBUG: got pfkey REGISTER message
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04 racoon: DEBUG: getsainfo params: loc='192.168.2.5' rmt='172.16.2.10/24' peer='NULL' client='NULL' id=1
Jan 30 10:32:04 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
Jan 30 10:32:04 racoon: DEBUG: hmac(modp1536)
Jan 30 10:32:04 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry2 recv()
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry1 recv()
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe704: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: DEBUG: got pfkey X_SPDDUMP message
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04 racoon: DEBUG: got pfkey X_SPDDUMP message
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 30 10:32:04 racoon: DEBUG: got pfkey REGISTER message
Jan 30 10:32:04 racoon: DEBUG: pk_recv: retry[0] recv()

I'd posted this question on the pfsense forums but shortly after I remembered I am an active SE member, so I came looking for a network forum. Hope that doesn't break any rules.

Best Answer

It seems that you are using NAT instead of routing between BOX1 and BOX2. BOX2 needs to know how to reach the network behind BOX1. You can either configure static routes, or you can run a routing protocol between the two routers.

Routers learn routes in three ways:

  1. Routers inherently know about directly connected networks
  2. Statically through manual configuration
  3. Dynamically through a routing protocol

Static route configuration does not scale, but it may not be a problem in such a small network. You should not use NAT inside your network, only on the interfaces to the public Internet. Inside your network, just use routing, but you will somehow need to let BOX1 know about any networks behind BOX2, and vice versa. You can configure static routes on each router to do that, but you will need to shut down the NAT on the point-to-point link.
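The following is an added illustration, written for this page rather than taken from pfSense, the asker or the answerer. It models the two boxes as plain route tables with longest-prefix matching and traces the return path from SRV1 (192.168.2.5, behind BOX1) to the client (172.16.2.10) through the backup tunnel on BOX2: without a route on BOX1 for the client subnet pointing at BOX2 over the point-to-point link, SRV1's replies follow BOX1's default route to its own WAN and never reach the tunnel on BOX2. Everything the question does not state is an assumption: the point-to-point link is taken as 10.10.11.0/24 with BOX1 = 10.10.11.1 and BOX2 = 10.10.11.2 (the racoon log only shows 10.10.11.3/32), the client subnet is taken as 172.16.2.0/24, and 203.0.113.1 is a placeholder WAN next hop. A small helper also checks the phase 2 selectors seen in the log: `172.16.2.10/24` has host bits set, which is worth correcting to `172.16.2.0/24` if the whole client subnet is intended.

```python
"""Route-table model of the BOX1/BOX2 topology described in the question.

Added example, not pfSense code.  Assumed values (not in the question):
point-to-point link 10.10.11.0/24, BOX1 = 10.10.11.1, BOX2 = 10.10.11.2,
client subnet 172.16.2.0/24, placeholder WAN next hop 203.0.113.1.
"""
import ipaddress


def route(prefix, via=None, iface=""):
    """One routing entry: (network, next-hop address or None, egress name).
    via=None means directly connected; an iface starting with 'ipsec:' stands
    for an IPsec phase 2 selector (SPD match) that captures the packet."""
    next_hop = ipaddress.ip_address(via) if via else None
    return (ipaddress.ip_network(prefix), next_hop, iface)


def addrs(*ips):
    return {ipaddress.ip_address(ip) for ip in ips}


def lookup(table, dst):
    """Longest-prefix match; returns the winning entry or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(routers, start, dst, max_hops=8):
    """Follow next hops from router `start` towards `dst` until the packet is
    delivered, enters a tunnel, leaves the model, or is dropped/looping."""
    path, cur = [start], start
    for _ in range(max_hops):
        entry = lookup(routers[cur]["routes"], dst)
        if entry is None:
            return path + ["no route"]
        _, via, iface = entry
        if iface.startswith("ipsec:"):
            return path + [iface]
        if via is None:
            return path + ["delivered on " + iface]
        nxt = next((n for n, r in routers.items() if via in r["addrs"]), None)
        if nxt is None:
            return path + ["upstream %s (outside the model)" % via]
        path.append(nxt)
        cur = nxt
    return path + ["loop"]


def build(box1_has_client_route):
    """Constructed route tables for both boxes.  The flag adds the static route
    the answer recommends: BOX1 learns the client subnet via BOX2 on the link."""
    box1 = [
        route("192.168.2.0/24", iface="LAN"),                  # SRV1 lives here
        route("10.10.11.0/24", iface="P2P"),                   # assumed link subnet
        route("0.0.0.0/0", via="203.0.113.1", iface="WAN"),    # placeholder upstream
    ]
    if box1_has_client_route:
        box1.append(route("172.16.2.0/24", via="10.10.11.2", iface="P2P"))
    box2 = [
        route("10.10.11.0/24", iface="P2P"),
        route("172.16.2.0/24", iface="ipsec:VPN2"),            # backup tunnel selector
        route("192.168.2.0/24", via="10.10.11.1", iface="P2P"),
        route("0.0.0.0/0", via="10.10.11.1", iface="P2P"),     # BOX1 is BOX2's default gw
    ]
    return {
        "BOX1": {"addrs": addrs("192.168.2.1", "10.10.11.1"), "routes": box1},
        "BOX2": {"addrs": addrs("10.10.11.2"), "routes": box2},
    }


def check_selector(selector):
    """Normalise a phase 2 selector as printed by racoon (e.g. '172.16.2.10/24')
    and report whether host bits were set, i.e. the subnet was not aligned."""
    addr, _, _ = selector.partition("/")
    net = ipaddress.ip_network(selector, strict=False)
    return (str(net), ipaddress.ip_address(addr) != net.network_address)


if __name__ == "__main__":
    print("return path, no route on BOX1:", trace(build(False), "BOX1", "172.16.2.10"))
    print("return path, static route on BOX1:", trace(build(True), "BOX1", "172.16.2.10"))
    print("forward path BOX2 -> SRV1:", trace(build(True), "BOX2", "192.168.2.5"))
    for sel in ("172.16.2.10/24", "192.168.2.5/32"):
        print(sel, "->", check_selector(sel))
```

Running it shows the asymmetric path the answer warns about (`['BOX1', 'upstream 203.0.113.1 (outside the model)']`) turning into `['BOX1', 'BOX2', 'ipsec:VPN2']` once BOX1 has the static route; the same table on BOX2 must also stop translating addresses on the link, since a NATed source would no longer match the tunnel selector on the way back.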
