Routed IPsec - Remote Site Policy Based IPsec



  • Hello everybody,

    we have a pfSense appliance with about 100 IPsec tunnels to different customers. We would like to switch our IPsec configuration from policy based tunnels to routed IPsec. The reason why we will do this is the poor NAT features in the policy based tunnels. I understand how a routed IPsec tunnel is configured with the transfer network, but how do we have to configure it when we don't have the possibility to change anything on the remote site?

    For example:
    Our Net: 192.168.70.0/28
    Remote Subnet 1: 10.0.100.0/24
    Remote Subnet 2: 10.0.200.50/32

    In our current configuration, we simply create two phase2 entries. How do we accomplish that with Routed IPsec?


  • Rebel Alliance Developer Netgate

    Unfortunately, NAT won't work with routed IPsec, so you might be in a bit of a bind there. It's an issue in FreeBSD with how if_ipsec and pf interact.

    For the larger issue there, you don't set up P2 entries with routed IPsec like that. You just set up static routes and send the traffic through the tunnel. The far side should still accept the connection as long as the networks passing through match what it expects.

    Normally you'd want to do routed on both ends, however, not just one.
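As an added illustration (not from the thread, not Netgate's code), a small Python model of what the reply describes: the two existing phase 2 selectors from the question become static routes through the VTI, while the unchanged policy-based far side still only accepts flows that match its selectors. The transfer-network gateway address and the far side's selector behaviour are assumptions.

```python
"""Model the policy-based -> routed IPsec migration discussed in the thread."""
from ipaddress import ip_address, ip_network

# Constructed from the question: our net and the two remote subnets, as they
# appear today in the two phase 2 entries (local <-> remote traffic selectors).
OUR_NET = ip_network("192.168.70.0/28")
PHASE2_ENTRIES = [
    (OUR_NET, ip_network("10.0.100.0/24")),
    (OUR_NET, ip_network("10.0.200.50/32")),
]
# Assumed transfer network for the VTI (not given in the thread): far end is .2
VTI_GATEWAY = ip_address("10.99.0.2")


def static_routes(entries, gateway):
    """Routed IPsec: each remote selector becomes a static route via the VTI peer."""
    return [(remote, gateway) for _local, remote in entries]


def lookup_route(routes, dst):
    """Longest-prefix match; None if the destination is not routed into the tunnel."""
    matches = [net for net, _gw in routes if dst in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def far_side_accepts(entries, src, dst):
    """Assumed: the unchanged policy-based peer only accepts flows inside a selector."""
    return any(src in local and dst in remote for local, remote in entries)


def check_flow(entries, routes, src, dst):
    """Return (routed_into_tunnel, accepted_by_peer); both must be True to work."""
    src, dst = ip_address(src), ip_address(dst)
    routed = lookup_route(routes, dst) is not None
    return routed, routed and far_side_accepts(entries, src, dst)


if __name__ == "__main__":
    routes = static_routes(PHASE2_ENTRIES, VTI_GATEWAY)
    for dst_net, gw in routes:
        print(f"static route: {dst_net} via {gw}")
    # Inside both selectors: routed and accepted.
    print(check_flow(PHASE2_ENTRIES, routes, "192.168.70.5", "10.0.100.20"))
    # Host next to the /32: no route, never enters the tunnel.
    print(check_flow(PHASE2_ENTRIES, routes, "192.168.70.5", "10.0.200.51"))
    # Source outside our /28: the route sends it, but the far side drops it.
    print(check_flow(PHASE2_ENTRIES, routes, "192.168.71.5", "10.0.100.20"))
```

The third case is the one to watch when only our side is routed: the static route alone decides what enters the tunnel, so any source outside the agreed local network reaches the peer and is rejected there.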