Force IPSEC next hop



  • So I have a unique setup. I prefer PFSense, but we're mostly a Cisco shop; however, both systems exist together peacefully. Most things are on the Cisco, and as we grow, more things route through PFSense. What I want to do is set up IPSEC to a few remote sites on the PFSense side, force all traffic over IPSec from remote to PFSense, then route it through the Cisco side. Currently routing statements exist, so almost anything on either side, PFSense or Cisco, can get to the other side and vice versa.

    PFSense side
    IPSEC 192.168.74.0/24
    LAN 10.69.0.1

    Cisco side:
    One of many LANs 10.69.0.254

    If in my IPSEC config, for the phase two entry, I allowed 0.0.0.0/0 to 192.168.74.0/24 and vice versa, then set outbound NAT with the source of 192.168.74.0/24 out 10.69.0.254, would this then force all IPSEC traffic to the Cisco? Yes, I understand this is a 70,000 ft. view; there are rules and ACLs. I just wanted to make sure I was on the right track.



  • Maybe a rule on the IPSEC interface that says source (remote IP) allow to destination (any) via the Cisco as its gateway?
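The two approaches discussed in this thread, modelled as an added example (not code from the thread or from pfSense): a plain pass rule lets the routing table (longest-prefix match) pick the next hop, while a pass rule on the IPsec interface with a gateway set, which pfSense implements as a pf route-to, sends matching traffic to the Cisco regardless of the routing table. Interface names, the default gateway 203.0.113.1 and the remote host 192.168.74.10 are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the PFSense box: (prefix, interface, next hop).
ROUTES = [
    ("192.168.74.0/24", "ipsec", None),      # remote site reached through the tunnel
    ("10.69.0.0/24", "lan", None),           # directly connected LAN (Cisco is 10.69.0.254)
    ("0.0.0.0/0", "wan", "203.0.113.1"),     # assumed default route out the WAN
]

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns (interface, next_hop)."""
    best = None
    for prefix, iface, gw in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (best[1], best[2]) if best else None

def next_hop(src, dst, in_iface, rules):
    """First matching pass rule on in_iface decides the packet's fate.
    A rule carrying a 'gateway' (pf route-to) overrides the routing table;
    outbound NAT only rewrites the source address and never changes this choice."""
    for rule in rules:
        if (rule["iface"] == in_iface
                and ip_address(src) in ip_network(rule["src"])
                and ip_address(dst) in ip_network(rule["dst"])):
            if rule.get("gateway"):
                return ("lan", rule["gateway"])   # policy-routed to the Cisco
            return route_lookup(dst)              # ordinary routing decision
    return None  # no matching pass rule: packet is dropped by the default deny

# The reply's suggestion: remote subnet -> any, gateway = Cisco.
POLICY_RULES = [{"iface": "ipsec", "src": "192.168.74.0/24",
                 "dst": "0.0.0.0/0", "gateway": "10.69.0.254"}]
# The same rule without a gateway: traffic follows ROUTES instead.
PLAIN_RULES = [{"iface": "ipsec", "src": "192.168.74.0/24", "dst": "0.0.0.0/0"}]
```

Note that the policy rule also catches traffic for the local 10.69.0.0/24 subnet and hands it to the Cisco; a pass rule without a gateway placed above it is the usual way to let local destinations use the connected route.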