Does pfSense need interface with IP that matches IPsec tunnel traffic



  • I have a server that is supported by an outside vendor who requires an IPsec tunnel for support access.

    The server has an IP on the normal LAN network. (192.168.5.100/24)

    The vendor has also given it an additional address of 10.1.1.100/24.

    They want me to set up an IPsec tunnel between 192.168.202.0/28 and 10.1.1.0/24 to give them access to the server.

    Does my pfSense box need an active interface on the 10.1.1.0/24 network?


  • Netgate

    Why the second address on the host? If they want to access 192.168.5.100 using 10.1.1.100 from their side you would just NAT the "Phase 2" network.

    Local Network: 192.168.5.0/24
    NAT: 10.1.1.0/24
    Remote Network: 192.168.202.0/24

    They would set up a P2 like this:

    Local Network: 192.168.202.0/24
    Remote Network: 10.1.1.0/24



  • Interesting, so it would map 1 to 1?

    Any packets sent to 10.1.1.100 would be NATed to 192.168.5.100?


  • Netgate

    Yes.



  • So this worked brilliantly! Thank you so much.
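
The 1:1 mapping confirmed in the thread, as an added example that is not part of the original posts and is not pfSense code: it models the translation as "keep the host bits, swap the network" using the Phase 2 values from the answer. The function names are hypothetical and the sample packets are constructed.

```python
import ipaddress

# Phase 2 values from the answer in this thread.
LOCAL_NET = ipaddress.ip_network("192.168.5.0/24")     # real LAN behind pfSense
NAT_NET = ipaddress.ip_network("10.1.1.0/24")          # addresses the vendor targets
REMOTE_NET = ipaddress.ip_network("192.168.202.0/24")  # vendor side of the tunnel

# A subnet-to-subnet mapping is only 1:1 when both sides are the same size.
assert LOCAL_NET.prefixlen == NAT_NET.prefixlen


def _shift(addr, from_net, to_net):
    """Move addr from one network to the other, keeping its host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def nat_to_real(dst):
    """Inbound: translated destination (10.1.1.x) -> real LAN host (192.168.5.x)."""
    return _shift(dst, NAT_NET, LOCAL_NET)


def real_to_nat(src):
    """Outbound: real LAN source (192.168.5.x) -> address the vendor sees (10.1.1.x)."""
    return _shift(src, LOCAL_NET, NAT_NET)


def tunnel_delivers(src, dst):
    """Return the real LAN destination for a vendor packet, or None if the
    packet does not match the Phase 2 selector (remote net -> NAT net)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in REMOTE_NET or dst not in NAT_NET:
        return None
    return nat_to_real(dst)


if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    for pkt in [("192.168.202.5", "10.1.1.100"),     # vendor -> server alias
                ("192.168.202.5", "192.168.5.100"),  # real address, not in selector
                ("172.16.0.9", "10.1.1.100")]:       # source outside vendor net
        print(pkt, "->", tunnel_delivers(*pkt))
```

Because the mapping covers the whole /24, every host in 192.168.5.0/24 has a 10.1.1.x counterpart inside the selector, not only 192.168.5.100.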