<![CDATA[Sanity check: site-to-site VPN, with one site behind router?]]>Hi guys,

I'm going to have to set up a pfSense VPN from a branch office to the main office.

The branch office has an Internet connection that is provided by the landlord and we do not have any access to port forwarding on that router at all.

The main office router is a pfSense box.

Am I right to say that the IPsec site to site VPN will work? I just need to:

  • Enable NAT traversal

  • Not use an IP address as identifier (perhaps use DN as an alternative)

  • Have the branch office router establish the connection first (as the main office router wouldn't be able to reach the branch office router anyway

and all should be good?

Thank you!

]]>https://forum.netgate.com/topic/101943/sanity-check-site-to-site-vpn-with-one-site-behind-routerRSS for NodeSat, 13 Jun 2026 21:19:56 GMTThu, 23 Jun 2016 14:46:28 GMT60<![CDATA[Reply to Sanity check: site-to-site VPN, with one site behind router? on Mon, 27 Jun 2016 22:19:22 GMT]]>Definitely maybe. Provided thye're not blocking ports. I believe you will want to use "aggressive" and not "main", as it will allow pahse1 IP Address changes.

]]>https://forum.netgate.com/post/634513https://forum.netgate.com/post/634513Mon, 27 Jun 2016 22:19:22 GMT<![CDATA[Reply to Sanity check: site-to-site VPN, with one site behind router? on Mon, 27 Jun 2016 22:17:30 GMT]]>That should be good. I've got a few IPSEC tunnels with the same setup as you without issues.

]]>https://forum.netgate.com/post/634512https://forum.netgate.com/post/634512Mon, 27 Jun 2016 22:17:30 GMT