Route one site over IPsec

  • Howdy All!

    I was reading the excellent instructions: Routing Internet Traffic Through a Site-to-Site IPsec VPN but I have a different use case.

    I need to route only one Website/IP over the IPsec tunnel. It's actually kind of the reverse, my new main office ("Site B" in the doc) is not whitelisted on a supplier portal and therefore, not reachable. My old office (still in use with its old, whitelisted IP, but no longer the main ISP connection). We have submitted a ticket to site owner, but the guy who can make the changes is not available for some time.

    Problem is: My new main office ("Site B") has several IPsec Tunnels and several Phase 2 setups to distinct private networks (several other "Site A" sites all with distinct LANs). All need to communicate with the DCs and Exchange Server at Site B.

    I am not opposed to routing all internet traffic to our old office for a while, but as I read the instructions, by creating a Phase 2 with - I would effectively eliminate all my other Phase 2 connections.

    How can I get just one site/IP to route from Site B through the tunnel and use the internet at one of the Site A's? Sonicwall has a solution, but I need to know how in pfSense?

    THX in ADV,

  • You could do this by setting up a VTI based IPSEC tunnel between both sites, and then routing the IP address of the websites you want to reach over the tunnel.
    Docs here:

  • @awebster so what you are suggesting is that I would create the VTI Phase 2 in addition to the normal Phase 2 from Site B to the Site A WAN I would want to use?

  • @unsichtbarre No, I don't think you can create a phase 2 VTI and a legacy phase 2 under the same phase 1.
    You would need to create a new VTI based IPSEC tunnel between sites A and B and use that exclusively.
    Although it might be possible to run parallel IPSEC tunnels if the endpoint IP is different at one end or the other.

Log in to reply