IPSEC tunnels to and from different public IP, but with same local subnets
  • So I've been asked if this is possible; thinking about it, it should be, but I'm no expert.

    Remote sites    pfSense      Server
    192.168.1.X    public IP 1  Server 1
    192.168.1.X    public IP 2  Server 2
    192.168.1.X    public IP 3  Server 3

    So we will terminate all IPsec tunnels on pfSense via different public IPs, then route back to the servers (either on separate LANs or VLANs), then make sure that all comms from that server use that public outbound and that IPsec tunnel for internal comms.

    More details, if you want.
    We have 30 Linux containers, each with their own IPsec VPNs to separate sites. We want a central place to set up/monitor/change IPsec details.


  • Rebel Alliance Developer Netgate

    You cannot have multiple tunnels to the same remote network on different firewalls. How would it possibly differentiate between them?

    The remote sites must NAT their local network so that pfSense sees a different network at each location. The details of how that is done vary depending on the type of VPN and what sort of hardware/software is running the VPN at the remote sites.
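
    The point made in this reply (and the reason the original design with three identical 192.168.1.X sites cannot work) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it models the phase-2 remote traffic selectors of several tunnels, reports overlapping selectors, shows that a destination inside an overlap cannot be mapped to a single tunnel, and applies a 1:1 network translation of the kind a remote site would do (for example an iptables NETMAP rule on a Linux box) so that each site presents a unique 10.0.X.0/24 to the central firewall. Tunnel names, peer addresses and the 10.0.X.0/24 plan are constructed for illustration.

```python
"""Added example: overlapping IPsec traffic selectors vs. per-site 1:1 NAT.
Not from the thread; all names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Tunnel:
    name: str        # constructed label, e.g. "site-a"
    peer: str        # remote gateway's public IP (constructed, RFC 5737 range)
    remote_net: str  # phase-2 remote traffic selector as the central firewall sees it


def overlapping_selectors(tunnels):
    """Return pairs of tunnel names whose remote selectors overlap.
    Any overlap means some destination matches more than one SA."""
    conflicts = []
    for a, b in combinations(tunnels, 2):
        if ipaddress.ip_network(a.remote_net).overlaps(ipaddress.ip_network(b.remote_net)):
            conflicts.append((a.name, b.name))
    return conflicts


def select_tunnel(tunnels, dst):
    """Choose the tunnel for a destination by longest-prefix match on the
    remote selector. Returns the tunnel name, None if nothing matches, and
    raises ValueError when several equally specific selectors match: the
    firewall has no way to tell which site the packet is for."""
    dst = ipaddress.ip_address(dst)
    matches = [t for t in tunnels if dst in ipaddress.ip_network(t.remote_net)]
    if not matches:
        return None
    best = max(ipaddress.ip_network(t.remote_net).prefixlen for t in matches)
    winners = [t for t in matches if ipaddress.ip_network(t.remote_net).prefixlen == best]
    if len(winners) > 1:
        raise ValueError(f"ambiguous: {dst} matches " + ", ".join(t.name for t in winners))
    return winners[0].name


def is_ambiguous(tunnels, dst):
    """True when select_tunnel() cannot pick a single tunnel for dst."""
    try:
        select_tunnel(tunnels, dst)
        return False
    except ValueError:
        return True


def netmap(addr, from_net, to_net):
    """1:1 network translation: keep the host bits, replace the network bits.
    This is what a remote site does (iptables NETMAP or equivalent) so that
    its real 192.168.1.0/24 is seen by the central firewall as a unique range."""
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT requires equally sized networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return str(to_net.network_address + host_bits)


def demo():
    """Constructed scenario: three sites that all use 192.168.1.0/24, before
    and after each site translates its LAN to a unique 10.0.X.0/24."""
    raw = [
        Tunnel("site-a", "203.0.113.10", "192.168.1.0/24"),
        Tunnel("site-b", "203.0.113.20", "192.168.1.0/24"),
        Tunnel("site-c", "203.0.113.30", "192.168.1.0/24"),
    ]
    nat_plan = {"site-a": "10.0.0.0/24", "site-b": "10.0.1.0/24", "site-c": "10.0.2.0/24"}
    natted = [Tunnel(t.name, t.peer, nat_plan[t.name]) for t in raw]
    return raw, natted, nat_plan


if __name__ == "__main__":
    raw, natted, plan = demo()
    print("conflicts before NAT:", overlapping_selectors(raw))
    print("conflicts after NAT: ", overlapping_selectors(natted))
    print("192.168.1.25 at site-b is presented as", netmap("192.168.1.25", "192.168.1.0/24", plan["site-b"]))
    print("10.0.1.25 goes to", select_tunnel(natted, "10.0.1.25"))
```

    The `overlapping_selectors` check is the one worth running against any central hub's phase-2 list before a new site is added; the translation itself has to live at each remote site, because once identical selectors reach the hub nothing it does locally can tell the three copies of 192.168.1.0/24 apart.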



  • I did think that if it worked it would break all routing.

    It was a long shot, as I thought each interface would have its own routing table, so I could have

    192.168.1.0 <<ipsec a nailed to>> 123.123.123.120 <<lan to>> 10.0.0.0 <<routing rule for outbound ipsec a>>
    192.168.1.0 <<ipsec b nailed to>> 123.123.123.121 <<lan to>> 10.0.1.0 <<routing rule for outbound ipsec b>>
    192.168.1.0 <<ipsec c nailed to>> 123.123.123.122 <<lan to>> 10.0.2.0 <<routing rule for outbound ipsec c>>

    All on one pfSense firewall with each