Static routing to IPsec tunnel



  • Hello!

    My client and I established an IPsec tunnel between my pfSense router and his non-pfSense router.

    My phase 2 is configured as follows:

    • Local network: 172.20.0.0/24

    • NAT/BINAT translation: 10.9.184.0/24

    • Remote network: 10.132.0.0/24

    The tunnel is working, as I can ping a server in the remote network.

    But now I need to access another remote network of my client, whose address is 172.16.0.0/16. Knowing that this network is "behind" the 10.132.0.0/24 remote network, is there a way to route traffic to this destination through the IPsec tunnel?

    I've searched a lot on this question and, for now, it seems impossible to me due to some unclear limitations (of pfSense or IPsec?). You're my last resort. ;)

    Thanks for your attention!

    antoinejdd



  • You need to set up an additional phase 2 for any subnet. Something like a route-based VPN is actually not possible with pfSense. I am doing similar things; we use pfSense in our datacenter because I like the hardware independence and the flexibility, but most of our customers don't use pfSense.
    So using an additional P2 entry for each subnet which cannot be supernetted is the only way to establish multi-subnet connections to one endpoint, AFAIK.
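The point of the reply above can be checked rather than argued about. The following is an added example, not code from this thread or from pfSense: it models the thread's phase 2 entry (local 172.20.0.0/24, BINAT 10.9.184.0/24, remote 10.132.0.0/24) as policy-based IPsec traffic selectors with the standard `ipaddress` module, shows that a destination in 172.16.0.0/16 is simply not covered by the negotiated selectors, and computes how many P2 entries a list of remote networks needs once everything that can be supernetted has been merged. The `Phase2` class and the helper names are hypothetical; the network values are the ones posted in the question.

```python
# Added example (not code from the forum thread or pfSense): model phase 2
# entries as policy-based IPsec traffic selectors and check which
# destinations the tunnel will carry. Standard library only.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, collapse_addresses, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry: local selector, remote selector, optional BINAT."""
    local: IPv4Network
    remote: IPv4Network
    binat: Optional[IPv4Network] = None  # NAT/BINAT translation network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # Policy-based IPsec only carries packets whose (src, dst) fall inside
        # the negotiated selectors; anything else follows the normal route table.
        return src in self.local and dst in self.remote

    def translated_source(self, src: IPv4Address) -> IPv4Address:
        # BINAT is a 1:1 mapping: host bits stay, the network part is swapped.
        if self.binat is None:
            return src
        offset = int(src) - int(self.local.network_address)
        return IPv4Address(int(self.binat.network_address) + offset)

    def peer_visible_local(self) -> IPv4Network:
        # The local selector the remote side negotiates is the translated one.
        return self.binat if self.binat is not None else self.local


def select_phase2(entries: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first entry whose selectors cover src->dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for entry in entries:
        if entry.matches(s, d):
            return entry
    return None


def can_supernet(a: str, b: str) -> bool:
    """True if the two networks collapse into a single aggregate selector."""
    return len(list(collapse_addresses([ip_network(a), ip_network(b)]))) == 1


def required_phase2(local: str, binat: Optional[str],
                    remotes: Iterable[str]) -> List[Phase2]:
    """One phase 2 entry per remote network, after merging what can be merged."""
    loc = ip_network(local)
    nat = ip_network(binat) if binat else None
    merged = collapse_addresses(ip_network(r) for r in remotes)
    return [Phase2(loc, r, nat) for r in merged]


# Constructed configuration, using the phase 2 values posted in the question.
TUNNEL = [Phase2(ip_network("172.20.0.0/24"), ip_network("10.132.0.0/24"),
                 ip_network("10.9.184.0/24"))]

if __name__ == "__main__":
    print(select_phase2(TUNNEL, "172.20.0.5", "10.132.0.10"))  # covered by the tunnel
    print(select_phase2(TUNNEL, "172.20.0.5", "172.16.0.5"))   # None: not in any selector
    print(can_supernet("10.132.0.0/24", "172.16.0.0/16"))       # False: needs its own P2
    for e in required_phase2("172.20.0.0/24", "10.9.184.0/24",
                             ["10.132.0.0/24", "172.16.0.0/16"]):
        print(e.peer_visible_local(), "->", e.remote)
```

The `None` result is exactly the failure in the question: a packet for 172.16.0.5 matches no selector, so it never enters the tunnel and is routed like any other packet. `collapse_addresses` only merges networks that are adjacent or nested, which mirrors "cannot be supernetted"; an administrator could of course negotiate a deliberately wider remote selector (say a /8) to cover both, but that also widens what the peer is permitted to send into the local network, so it is a policy decision rather than a free optimisation.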



  • From what I understand, a route-based VPN is doable with GRE tunnels and IPsec in transport mode. I have been unable to get this working as of now. I may use one of our paid support incidents to get some help.



  • @curtisgrice:

    From what I understand, a route-based VPN is doable with GRE tunnels and IPsec in transport mode. I have been unable to get this working as of now. I may use one of our paid support incidents to get some help.

    Actually I am trying to do the same, but for building an IPsec failover to a directed radio connection, and I am not able to get this to work either.



  • @janstockem:

    You need to set up an additional phase 2 for any subnet. Something like a route-based VPN is actually not possible with pfSense. I am doing similar things; we use pfSense in our datacenter because I like the hardware independence and the flexibility, but most of our customers don't use pfSense.
    So using an additional P2 entry for each subnet which cannot be supernetted is the only way to establish multi-subnet connections to one endpoint, AFAIK.

    Thanks for your reply. Your solution seems to be the easiest available. Unfortunately, it's not possible according to my client. As a last-resort solution, I asked him for a virtual IP in his local IPsec network redirecting to the distant server (yeah, actually, I just needed to access a single server in this distant network). It's dirty, but there is still plenty of work that needs to be done, and I can't waste time anymore.

    @curtisgrice:

    From what I understand, a route-based VPN is doable with GRE tunnels and IPsec in transport mode. I have been unable to get this working as of now. I may use one of our paid support incidents to get some help.

    If it's working, I would be very interested for a future, similar case scenario. Right now, I don't have the time to test this configuration. But I would very much like to receive some updates about your work.

    Thanks to both of you!



  • Actually it is working in the constellation where I have a direct connection to another pfSense appliance and a GRE tunnel over WAN to the same appliance; both connections are configured within a gateway group. I got them up, running and failing over as long as I do not activate the IPsec transport tunnel. If I activate the IPsec tunnel, traffic gets blocked somewhere, but I do not see where. If I tear the tunnel down, everything is working as expected. I thought about some kind of a triangle route, but the transport IPsec tunnel is similar to an L2 connection, so I do not get why it should interfere with my routing... I am really banging my head about this... I thought about using pfSense as a large-scale hub-and-spoke WAN to connect several branch offices together, but this would be a PITA if this simple GRE / IPsec connection is so difficult to get up and running.

