network subnet access between multiple tunnel

  • Dear All,
    Kindly help me.
    I have pfSense at Azure cloud.
    I have two IPsec tunnels with pfSense.
    Let me describe this:
    site A-----ipsec tunnel------>pfsense
    Site B-----ipsec tunnel------>pfsense
    site A subnet:
    site B subnet:

    I can ping from pfSense directly but

    I am at site A subnet and I can reach pfSense, but I want to reach site B subnet like this:

    Site A-------ipsec---------->pfsense------------ipsec------------->site B

    How can I do this?
    In IPsec status, packets are coming out but not coming in.
    Kindly help me, I am in trouble.

  • So add a phase 2 to each IPSec tunnel, each on both sides.

    On site A:
    Local network:
    Remote network:
    Do the same on pfSense A tunnel, but with inverted networks.

    On B:
    Local network:
    Remote network:
    And also again on the pfSense with exchanging the networks.

  • @viragomann Thanks, I will add it and let you know if I get success.

  • You may have to redesign your VPN tunnels to use virtual tunnel interfaces (VTIs). Then you can route between sites.

  • Netgate Administrator

    You can carry that traffic with policy-based IPsec as long as you have policies that match the traffic across each link.
    Exactly like viragomann laid out.
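
To make the phase 2 (P2) requirement above concrete, here is an added example that is not from this thread or from pfSense itself: it models policy-based IPsec selector matching on the hub, where each tunnel carries a list of (local, remote) P2 entries on the pfSense side and on the peer side, and a packet only flows when some entry covers it on every leg, in both directions. The subnets and tunnel names are constructed placeholders, since the thread does not give the real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder subnets; the thread does not give the real ones.
SITE_A = ip_network("10.1.0.0/24")
SITE_B = ip_network("10.2.0.0/24")
HUB_LAN = ip_network("10.99.0.0/24")  # pfSense hub's own LAN

def outbound_ok(policies, src, dst):
    """A packet is encapsulated only if a (local, remote) P2 covers src->dst."""
    return any(src in local and dst in remote for local, remote in policies)

def inbound_ok(policies, src, dst):
    """Arriving traffic is accepted only if a P2 covers it with roles swapped."""
    return any(src in remote and dst in local for local, remote in policies)

def trace(tunnels, src, dst, ingress, egress):
    """Follow src->dst into the hub over `ingress` and out over `egress`.

    tunnels[name] = {"hub": [(local, remote), ...], "peer": [(local, remote), ...]}
    holds the P2 selectors as configured on pfSense and on that tunnel's peer.
    ingress=None means the packet originates on the hub itself.
    Returns the names of the checks that failed; [] means the traffic would flow.
    """
    src, dst = ip_address(src), ip_address(dst)
    checks = {}
    if ingress is not None:
        checks[f"{ingress} peer out"] = outbound_ok(tunnels[ingress]["peer"], src, dst)
        checks[f"{ingress} hub in"] = inbound_ok(tunnels[ingress]["hub"], src, dst)
    checks[f"{egress} hub out"] = outbound_ok(tunnels[egress]["hub"], src, dst)
    checks[f"{egress} peer in"] = inbound_ok(tunnels[egress]["peer"], src, dst)
    return [name for name, ok in checks.items() if not ok]

def single_p2():
    """Starting point: one P2 per tunnel, hub LAN <-> site only."""
    return {
        "A": {"hub": [(HUB_LAN, SITE_A)], "peer": [(SITE_A, HUB_LAN)]},
        "B": {"hub": [(HUB_LAN, SITE_B)], "peer": [(SITE_B, HUB_LAN)]},
    }

def with_site_to_site_p2():
    """The suggested fix: a second P2 for the far site on each tunnel, both ends."""
    t = single_p2()
    t["A"]["hub"].append((SITE_B, SITE_A))
    t["A"]["peer"].append((SITE_A, SITE_B))
    t["B"]["hub"].append((SITE_A, SITE_B))
    t["B"]["peer"].append((SITE_B, SITE_A))
    return t

if __name__ == "__main__":
    print("site A -> site B, one P2 per tunnel:", trace(single_p2(), "10.1.0.5", "10.2.0.9", "A", "B"))
    print("site A -> site B, with extra P2s:", trace(with_site_to_site_p2(), "10.1.0.5", "10.2.0.9", "A", "B"))
```

Adding the extra P2 only on the hub side leaves the "peer out" and "peer in" checks failing, which is the situation when the far end cannot be changed.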


  • @stephenw10 said in network subnet access between multiple tunnel:

    Dear Sir,
    But how can I use policy-based routing?
    Will I use tunnel mode as routed VTI?

  • @viragomann Is it possible without adding a phase, as I don't have access on the other site? So can I use NAT/BINAT?

  • Netgate Administrator

    So you have access to Site A and the Azure pfSense only? And can make changes to both?

    Are the firewalls at sites A and B also pfSense?


  • @stephenw10 No Sir, I don't have access to the other site and both sites are not pfSense.
    Can you guide me on when to use the NAT option?

  • Netgate Administrator

    Are you at site A trying to reach site B?

    You could add a second P2 on pfSense to Site B and NAT traffic to a single IP inside the subnet it expects. That might work depending on what's on the other end. But it might not.

    You would still need to get the traffic from site A to Azure though and that would require an extra P2 at both ends.

    You could instead use a proxy of some sort running in Azure. Even something like an OpenVPN server there would allow you to reach Site B.


  • @stephenw10 Please, Stephen, help me to solve this issue.
    My design is:

    clients----ipsec tunnel------>pfsense connected
    Pfsense----------------ipsec tunnel---------------->azure cloud connected
    I have Zabbix NMS at Azure that is using the 90.11.x.x subnet.
    pfSense is using the 90.14.x.x subnet.
    90.11.x.x subnet<---------------peering---------------->pfsense 90.14.x.x
    90.11.x.x subnet<---------------ipsec tunnel--------->pfsense 90.14.x.x

    Now I want Zabbix 90.11.x.x to be able to reach our clients' LAN and monitor the networks that are currently connected directly with pfSense.

    I don't want to add a phase at the client end as I don't have access.

    How can I establish connectivity like given below:

    AZURE Cloud 90.11.x.x subnet<----------ipsec tunnel-------->pfsense 90.14.x.x---------------<ipsec tunnels>----------clients

    Please help me to resolve this issue.
    Thanks in advance.

  • Netgate Administrator

    @hasan_ciit said in network subnet access between multiple tunnel:

    I have pfSense at Azure cloud.

    @hasan_ciit said in network subnet access between multiple tunnel:

    I have Zabbix NMS at Azure

    Are both those things true?

    Without adding any additional P2s anywhere or using some sort of proxy at the pfSense site I don't think this is possible.

    Even with adding one P2 you could NAT the connection on one leg but that would then only allow opening connections in one direction and I believe Zabbix usually requires both.