IPSec Tunnel using Proxy ARP Virtual IP

  • Hi everyone,
    I'm a new user.

    I have a problem with an IPSec tunnel between 2 PFsense. The scenario is as follows:

    Office A
    PFSense behind router with a single Public IP NATted 1:1 to PFSense WAN IP
    (eg. -> 192.168.x.5)

    Office B
    PFsense behind router with 4 Public static IPs NATted 1:1 to 4 private IPs and a dynamic public IP (which here I define as "97.97.y.y) NATted 1:1 to the physical WAN IP address:
    (eg. -> 10.10.x.1, -> 10.10.x.2, -> 10.10.x.3, -> 10.10.x.4
    97.97.y.y-> 10.10.x.5)

    PFS B has only 1 physical NIC used as WAN which was configured with 10.10.x.5.

    These 4 private IP addresses were configured on PFS B as Proxy ARP Virtual IP, so there are 4 public IP addresses pointing to a single PFS.

    I want to configure IPSec tunnel between (A) and (B), but once I finish configuring it, tunnel doesn't work, no connection established.
    If I open "IPSec Status" page, I see "10.10.x.5" in "Local IP" column, and this is the problem because it should be "10.10.x.4" instead.

    How can I configure PFSense so that the Local IP address is the Proxy ARP IP 10.10.x.4?

    Thanks in advance.

  • Any idea?  :( :( :-[

  • No services on pfSense can use Proxy ARPs.  You will need to convert it to a IP Alias.

    Once it has been converted to an IP Alias, on the IPSEC configuration Phase 1 switch the interface from WAN to the new IP Alias.

  • Is it the same for OpenVPN?

    Now I'm trying to configure an OpenVPN Site-to-Site tunnel with the same Proxy ARP Virtual IP, but it doesn't work.

    Some time ago I configured an OpenVPN SSL/TLS tunnel using the same VIP and it works (I had to create a NAT rule that would translate VIP:1194 to

  • LAYER 8 Netgate

    You cannot bind any services running on the firewall to a proxy arp vip.


    You can probably tell OpenVPN to listen on localhost and port forward to it like you described. Not sure about IPsec.

Log in to reply