Netgate Discussion Forum

    IPSec tunnel from a local group of networks to a remote group of networks possible?

    CheeMG (last edited by CheeMG)

      Hi All

      UPDATE: Okay, I think we may have found the answer:
      Phase 2 definitions handle how local/internal networks are sent across a tunnel. Multiple local subnets (or individual hosts) can be used on a single IPsec tunnel by adding multiple Phase 2 entries.
      Going to give it a try ..

      --
      We have been using GTA firewall for many years. But GTA has recently become defunct, and we are now considering pfSense.

      In GTA firewall, we can set up a site-to-site IPSec VPN from the local office LAN and DMZ to the remote office LAN and DMZ. That is, a single VPN which connects LAN and DMZ of office A to LAN and DMZ of office B.

      Is this possible with pfSense? In GTA, we can define network address objects containing the LAN and DMZ network addresses (e.g., one object for Local 192.168.5.0/24 and 192.168.6.0/24 and then another object for the Remote 192.168.11.0/24 and 192.168.12.0/24) in the firewall and then use these objects in the IPSec VPN's Local and Remote network settings.
      How can we do this in pfSense's IPSec tunnel?
      Or do we have to create two IPSec tunnels at both offices?
      But we get this error when trying to create another tunnel to the same remote interface:
      The remote gateway "x.x.x.x" is already used by phase1 "testvpn01 to PA".
      Thank you
      CMG

      bruor

        You could also do this by supernetting the phase2 if your local/remote networks are all within a non-overlapping range.

        In your example you could use 192.168.4.0/22 (192.168.4.0 <-> 192.168.7.255) for your local subnet on the phase 2, and 192.168.8.0/21 (192.168.8.0 <-> 192.168.15.255) for the remote subnet on the ipsec tunnel.

        You would then just create firewall rules at the ipsec level to govern the /24 subnets within those networks and how they talk to each other.
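        As an added illustration (not code from either poster; plain standard-library Python, nothing pfSense-specific), the following computes the supernets bruor suggests from the subnets quoted in the question, lists the extra address blocks a supernet Phase 2 admits beyond the /24s that were actually wanted, and compares that with the one-Phase-2-per-pair approach from the update:

```python
import ipaddress
from itertools import product
from typing import Dict, Iterable, List

def smallest_supernet(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single prefix that contains every given subnet.

    Walks up from the first subnet one prefix bit at a time until all of
    them fit. ipaddress.collapse_addresses() is not enough here because it
    only merges exactly adjacent, aligned blocks.
    """
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate

def extra_subnets(supernet: ipaddress.IPv4Network, wanted: Iterable[str]) -> List[str]:
    """Blocks inside `supernet` that were NOT requested.

    These addresses match the Phase 2 traffic selector as well, so they need
    to be constrained by rules on the IPsec interface (bruor's last point).
    """
    nets = [ipaddress.IPv4Network(s) for s in wanted]
    finest = max(n.prefixlen for n in nets)
    return [str(s) for s in supernet.subnets(new_prefix=finest)
            if not any(s.overlaps(n) for n in nets)]

def plan_phase2(local: List[str], remote: List[str]) -> Dict[str, object]:
    """Compare the two approaches from the thread for a single tunnel."""
    l_super = smallest_supernet(local)
    r_super = smallest_supernet(remote)
    return {
        # Option 1 (the update): one Phase 2 entry per local/remote pair.
        "phase2_pairs": list(product(local, remote)),
        # Option 2 (bruor): a single Phase 2 with a supernet on each side.
        "local_supernet": str(l_super),
        "remote_supernet": str(r_super),
        "overlap": l_super.overlaps(r_super),  # must be False for this to work
        "local_extra": extra_subnets(l_super, local),
        "remote_extra": extra_subnets(r_super, remote),
    }

if __name__ == "__main__":
    # Sample input constructed from the addresses quoted in the question.
    plan = plan_phase2(["192.168.5.0/24", "192.168.6.0/24"],
                       ["192.168.11.0/24", "192.168.12.0/24"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```

        For the question's addresses this yields 192.168.4.0/22 and 192.168.8.0/21, exactly as in the reply above, and shows that the remote supernet also admits six /24s that were never meant to cross the tunnel.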

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.