Windows – Ping from subnet over IPSec

Tags: networking, pfsense, subnet, windows

I have set up a distributed network as in the figure below. The subnet x.15.x is a remote subnet, connected to the internal LAN via IPsec VPN. The Firewall has 3 interfaces, one connected to the net, one connected to the x.2.x subnet and one connected to x.3.x subnet.

  1. When I ping 192.168.3.25 from 192.168.2.10 I get a response.
  2. When I try and ping 192.168.3.25 on its external IP address from 192.168.15.50 I get a response.

However:

  1. When I try and ping it from a client on the IPsec connection (e.g. 192.168.15.50) I get a request timed out.

Am I missing a principle of IPsec networking? How can I get it to send data to the x.3.x subnet?

The firewall is a pfSense, and the servers are Windows Server 2008 R2. The tunnel is an IPsec tunnel through the internet.

[figure: network diagram, image not available]

Best Answer

I suspect that, because the two networks are on different interfaces on the firewall, the x.2.x subnet and the x.3.x subnet will require separate IPSec VPNs to the x.15.x subnet on the other side.


Response to OP comment: So if I migrate the x.3.x subnet to the same NIC, could this work?

It might, but I don't know for sure. If you mount both interface IPs on the same NIC, you will likely need to have two tunnels. But if you increase the size of the x.2.x subnet by making the subnet mask 1 bit smaller (255.255.254.0), you can put the x.3.x devices onto the x.2.x physical network. It should work as long as you can update the VPN to have the smaller subnet mask. There will likely be other considerations, such as DHCP and the default gateway for the x.3.x devices. I suspect building a second tunnel will be cleaner.
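
The behaviour in the question is what you get when a packet does not match any Phase 2 traffic selector of the tunnel: it is not encapsulated at all, so it leaves the firewall in the clear and is never answered. The script below is an added example, not code from the question or the answer, that models that selector match for the three configurations discussed above: the original single Phase 2 entry (assumed here to cover only 192.168.2.0/24 and 192.168.15.0/24), the answer's second Phase 2 entry for 192.168.3.0/24, and the answer's 255.255.254.0 supernet (192.168.2.0/23). The selector values are constructed for illustration; the OP's actual pfSense configuration is not shown on the page.

```python
import ipaddress

# Constructed Phase 2 (child SA) traffic selectors as (local, remote) pairs.
# These are illustrative values assumed for the example, not the OP's config.

# Assumed original state: the tunnel only covers the x.2.x subnet.
PHASE2_SINGLE = [
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.15.0/24")),
]

# Option A from the answer: add a second Phase 2 entry for the x.3.x subnet.
PHASE2_TWO_ENTRIES = PHASE2_SINGLE + [
    (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_network("192.168.15.0/24")),
]

# Option B from the answer: widen the local side to 255.255.254.0 (/23),
# which spans 192.168.2.0 through 192.168.3.255 in one selector.
PHASE2_SUPERNET = [
    (ipaddress.ip_network("192.168.2.0/23"), ipaddress.ip_network("192.168.15.0/24")),
]


def matching_selector(selectors, src, dst):
    """Return the (local, remote) pair that covers a src->dst packet, or None.

    A packet is sent through the tunnel only when its source lies in one
    side's selector and its destination in the other side's. Anything else
    is routed in the clear, which for a remote RFC 1918 subnet means it is
    dropped or NATed out the WAN and never gets a reply.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if (src_ip in local and dst_ip in remote) or (src_ip in remote and dst_ip in local):
            return local, remote
    return None


def would_tunnel(selectors, src, dst):
    """True if the packet matches some Phase 2 selector in either direction."""
    return matching_selector(selectors, src, dst) is not None


if __name__ == "__main__":
    # The two pings from the question: the first works, the second times out.
    cases = [
        ("192.168.15.50", "192.168.2.10"),
        ("192.168.15.50", "192.168.3.25"),
    ]
    configs = [
        ("single P2 entry", PHASE2_SINGLE),
        ("two P2 entries", PHASE2_TWO_ENTRIES),
        ("/23 supernet", PHASE2_SUPERNET),
    ]
    for name, selectors in configs:
        for src, dst in cases:
            state = "tunnelled" if would_tunnel(selectors, src, dst) else "NOT tunnelled"
            print(f"{name:16} {src} -> {dst}: {state}")
```

The model only covers the selector match on the firewall. Once the Phase 2 side is fixed, two further checks are worth doing before concluding the tunnel is still broken: the pfSense firewall rules on the IPsec interface must permit traffic from 192.168.15.0/24 to 192.168.3.0/24, and the Windows Firewall rule that allows ICMPv4 Echo Request on 192.168.3.25 must not be scoped to the local subnet only, since either would produce the same request timed out.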
