Netgate Discussion Forum
    Route one site over IPsec

    unsichtbarre

      Howdy All!

      I was reading the excellent instructions: Routing Internet Traffic Through a Site-to-Site IPsec VPN but I have a different use case.

      I need to route only one website/IP over the IPsec tunnel. It's actually kind of the reverse: my new main office ("Site B" in the doc) is not whitelisted on a supplier portal and therefore cannot reach it. My old office (still in use with its old, whitelisted IP, but no longer the main ISP connection) is. We have submitted a ticket to the site owner, but the guy who can make the changes is not available for some time.

      Problem is: My new main office ("Site B") has several IPsec Tunnels and several Phase 2 setups to distinct private networks (several other "Site A" sites all with distinct LANs). All need to communicate with the DCs and Exchange Server at Site B.

      I am not opposed to routing all internet traffic to our old office for a while, but as I read the instructions, by creating a Phase 2 with 0.0.0.0/0 - I would effectively eliminate all my other Phase 2 connections.

      How can I get just one site/IP to route from Site B through the tunnel and use the internet at one of the Site A's? Sonicwall has a solution, but I need to know how to do it in pfSense.

      THX in ADV,
      -JB

      awebster

        You could do this by setting up a VTI based IPSEC tunnel between both sites, and then routing the IP address of the websites you want to reach over the tunnel.
        Docs here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html

        –A.

        unsichtbarre @awebster
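What the VTI approach comes down to on the Site B side is ordinary longest-prefix routing: the far end of the tunnel is a gateway, and a /32 static route for the supplier portal sends only that host across it while the default route stays on the new ISP. The following Python is an added illustration of that route selection, not pfSense code; the portal address, VTI gateway and site LANs are constructed placeholders, and the other-site entries are listed as routes purely to show path choice (legacy policy-based Phase 2s are matched by traffic selector, not by the routing table).

```python
from ipaddress import ip_address, ip_network

# Constructed Site B table (placeholders, not values from the thread).
SUPPLIER_PORTAL = "203.0.113.25"   # placeholder portal IP (TEST-NET-3 range)
VTI_GATEWAY = "10.6.0.1"           # placeholder far-end address of the VTI at the old office

SITE_B_ROUTES = [
    ("0.0.0.0/0",        "WAN_GW"),        # everything else leaves via the new ISP
    ("192.168.10.0/24",  "tunnel_siteA1"), # other site LANs (illustrative entries)
    ("192.168.20.0/24",  "tunnel_siteA2"),
    (SUPPLIER_PORTAL + "/32", VTI_GATEWAY),# the single host pushed over the VTI
]


def select_route(dst, routes=SITE_B_ROUTES):
    """Return the next hop for dst using longest-prefix match.

    The most specific prefix containing dst wins, so a /32 host route
    beats the 0.0.0.0/0 default without disturbing any other entry.
    """
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {addr}")
    return best[1]


def host_routes(portal_ips, gateway=VTI_GATEWAY):
    """Build the /32 entries needed if the portal resolves to several IPs."""
    return [(f"{ip_address(ip)}/32", gateway) for ip in portal_ips]


if __name__ == "__main__":
    for dst in (SUPPLIER_PORTAL, "203.0.113.26", "192.168.10.7"):
        print(dst, "->", select_route(dst))
```

Only the portal's exact address goes to the VTI gateway; a neighbouring public IP and the other site LANs keep their existing paths.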

          @awebster so what you are suggesting is that I would create the VTI Phase 2 in addition to the normal Phase 2 from Site B to the Site A WAN I would want to use?

          awebster @unsichtbarre

            @unsichtbarre No, I don't think you can create a phase 2 VTI and a legacy phase 2 under the same phase 1.
            You would need to create a new VTI based IPSEC tunnel between sites A and B and use that exclusively.
            Although it might be possible to run parallel IPSEC tunnels if the endpoint IP is different at one end or the other.

            –A.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.