Extend local network across a secondary network using 2 x ER605
Hello there.
I got a little stuck trying to find an optimal setup for the following situation. I would like to ask if anyone has any good tips for me.
Our organisation has two locations that are relatively close to each other.
A different network than our own runs through the buildings of both locations, with high-speed switches on either side belonging to the same LAN.
That is a local network run by one of the other businesses, but I have permission to use the infrastructure to extend our own network across it.
Naturally we want to separate our own network from the other businesses' network, so I have purchased two ER605 routers to set up a VPN tunnel I can run across the external network, so we can securely extend our own headquarters network to the secondary location and provide it with internet access from our primary location.
Our primary location has a decent internet connection with a pfSense firewall. So the goal is not only to extend our own network across the VPN but also to allow the secondary location to use the VPN for internet access using our headquarters line. The following schematic shows my intended use for these units. I want hosts at both Location A and Location B to reach each other as if connected locally, and I want the hosts at Location B to be able to access the internet as well through the tunnel.
INTERNET
|
pfSense Firewall HQ Location A [10.10.10.1]
|
<LAN LOCATION A [10.10.10.0/24]>
|
(LAN [10.10.10.15] )
[[ ER605 ]]
(WAN [172.30.30.30/30] )
|
>>Untrusted LAN<<
|
(WAN [172.30.30.29/30] )
[[ ER605 ]]
(LAN [10.20.20.1])
|
<LAN LOCATION B [10.20.20.0/24]>
Now I have set up a LAN-to-LAN IPsec VPN, and this does work partially. I can reach all the hosts on either LAN. But hosts at Location B are not able to reach the pfSense firewall IP, or indeed the internet, across this IPsec tunnel. I have played around with gateway and DNS settings for the tunnel and LAN on the ER605 in Location B, but I cannot seem to get any connectivity to the internet router or DNS server at Location A. I suspect there is something I am missing about LAN-to-LAN IPsec tunnels in general, or the specific implementation in these routers, that is preventing me from achieving my goal here. Should I attempt a different type of VPN, or is there anything else obvious I am missing?
Any help to point me in the right direction would be greatly appreciated. Thanks in advance.
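The behaviour described in the post follows from how a policy-based (LAN-to-LAN) IPsec tunnel picks packets: only traffic matching the configured local/remote subnet pair is encrypted, and anything else, such as a Location B host talking to an internet address, follows the router's ordinary routing table out of the WAN onto the untrusted LAN in clear text. The model below, an added example and not from the post or from TP-Link, uses the addresses in the schematic; the host addresses 10.20.20.50 and 10.10.10.20, the public address 8.8.8.8, and the assumption that pfSense has no route back to 10.20.20.0/24 are constructed for illustration.

```python
import ipaddress

def classify(src, dst, selectors, routes):
    """Return 'tunnel' if (src, dst) matches a phase-2 selector pair,
    otherwise the name of the plain route the packet would take.
    In a real router, directly connected LAN traffic never reaches
    this check; the model only looks at forwarded packets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return "tunnel"
    # longest-prefix match over the ordinary routing table
    best = max((r for r in routes if d in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    return best[1] if best else "unreachable"

# ER605 at Location B as drawn in the schematic
ROUTES_B = [("10.20.20.0/24", "lan"), ("0.0.0.0/0", "wan-untrusted")]
# LAN-to-LAN selectors: only A<->B traffic is protected
LAN_TO_LAN = [("10.20.20.0/24", "10.10.10.0/24")]
# same tunnel with the remote selector widened so all forwarded traffic
# from Location B is encrypted (the A side needs the mirrored selector)
FULL_TUNNEL = [("10.20.20.0/24", "0.0.0.0/0")]

# pfSense routing table, assumed here: no route for Location B, so replies
# to 10.20.20.x leave via the ISP instead of the ER605 at 10.10.10.15
ROUTES_PFSENSE = [("10.10.10.0/24", "lan"), ("0.0.0.0/0", "isp")]
ROUTES_PFSENSE_FIXED = ROUTES_PFSENSE + [("10.20.20.0/24", "via 10.10.10.15")]

def return_path(dst, routes):
    """Where pfSense (10.10.10.1) would send its reply to a Location B host."""
    return classify("10.10.10.1", dst, [], routes)

if __name__ == "__main__":
    for dst, sel in [("10.10.10.20", LAN_TO_LAN), ("8.8.8.8", LAN_TO_LAN),
                     ("8.8.8.8", FULL_TUNNEL)]:
        print(f"10.20.20.50 -> {dst}: {classify('10.20.20.50', dst, sel, ROUTES_B)}")
    print("pfSense reply, no route:", return_path("10.20.20.50", ROUTES_PFSENSE))
    print("pfSense reply, with route:", return_path("10.20.20.50", ROUTES_PFSENSE_FIXED))
```

Two checks fall out of this: the Location B ER605 only tunnels internet-bound traffic if its remote selector covers 0.0.0.0/0, and pfSense only answers Location B hosts if it has a route (or the A-side ER605 applies NAT) for 10.20.20.0/24.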