Sanity check: site-to-site VPN, with one site behind router?

  • Hi guys,

    I'm going to have to set up a pfSense VPN from a branch office to the main office.

    The branch office has an Internet connection that is provided by the landlord and we do not have any access to port forwarding on that router at all.

    The main office router is a pfSense box.

    Am I right to say that the IPsec site to site VPN will work? I just need to:

    • Enable NAT traversal

    • Not use an IP address as identifier (perhaps use DN as an alternative)

    • Have the branch office router establish the connection first (as the main office router wouldn't be able to reach the branch office router anyway

    and all should be good?

    Thank you!

  • That should be good. I've got a few IPSEC tunnels with the same setup as you without issues.

  • Definitely maybe. Provided thye're not blocking ports. I believe you will want to use "aggressive" and not "main", as it will allow pahse1 IP Address changes.

Log in to reply