Netgate Discussion Forum
    Route-Based IPSec vs Wireguard Tunnel Subnet Choice for S2S VPN

    5 Posts 2 Posters 350 Views
algo7 (last edited by algo7):

In the official Netgate docs for WireGuard S2S VPN, a /31 tunnel subnet is recommended, but for route-based IPsec S2S a /30 subnet is recommended. Both of them are point-to-point connections; is there a specific reason that route-based IPsec needs a /30 subnet while WireGuard only needs a /31?

      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html

      https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html

I did a lot of googling and asked some LLM models, but I couldn't find a definitive answer or a logical explanation.

Gblenn @algo7:

        @algo7 said in Route-Based IPSec vs Wireguard Tunnel Subnet Choice for S2S VPN:

        https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html

I don't see the word "recommended" anywhere, and I know both will work fine in WireGuard at least. Perhaps there are implementations of IPsec that require /30, but I don't know.

The main difference, I guess, is the lack of a broadcast address in a /31 subnet. And there might be situations when you actually want a broadcast address in your setup, say if you want to send WoL across the VLANs, or you have a printer that uses broadcast for discovery, or some IoT devices.

algo7 @Gblenn:

@Gblenn the doc just says use /30 for route-based IPsec and /31 for WG. Perhaps my wording isn't the best.

So technically, if there is no situation or device that will make use of the broadcast address, one can do an S2S without it. I just set up 2 pfSenses for testing and will get back with the result regarding using /32 for route-based IPsec.

Gblenn @algo7:

@algo7 That should work as well, as long as they both belong to the same subnet, like 10.10.10.1/32 and 10.10.10.2/32 for the two endpoints. Can't remember how much of the gateway you need to set up manually... But in this case you might have to make some tweaks to make sure you have the correct IP set at each endpoint.

algo7 @Gblenn:

@Gblenn Just tested it with /31 and it works. For route-based IPsec the gateway is created automatically when you assign the tunnel to an interface. I haven't tried /32 yet, though. But I tried a larger subnet like /24. I guess it's like what you said: as long as they are on the same subnet it will work. Just that for a point-to-point connection with a single transit network it doesn't make sense to use something larger that contains more than 2 IPs.

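As an added example (not from the thread or the Netgate docs), the script below evaluates a proposed transit pair for the prefix lengths discussed above: it reports whether the two ends land in the same on-link subnet and which addresses a /30 reserves as network/broadcast that a /31 (RFC 3021) does not. All addresses are constructed sample values.

```python
"""Sanity-check a point-to-point tunnel addressing plan (/30, /31, /32, /24).

Example code for the thread above; constructed sample addresses only.
  - /30: 4 addresses, network and broadcast reserved, 2 usable hosts
  - /31: 2 addresses, both usable (RFC 3021 point-to-point rule)
  - /32: one address per end; the peers do not share an on-link subnet,
    so the far end has to be reached via an explicit route/gateway
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelPlan:
    local: str
    remote: str
    prefix: int
    same_subnet: bool          # both ends fall inside one on-link network
    local_usable: bool         # local address is not network/broadcast
    remote_usable: bool        # remote address is not network/broadcast
    reserved: list = field(default_factory=list)  # unusable addresses


def plan_tunnel(local: str, remote: str, prefix: int) -> TunnelPlan:
    """Evaluate LOCAL/prefix and REMOTE/prefix as a transit link."""
    l_if = ipaddress.ip_interface(f"{local}/{prefix}")
    r_if = ipaddress.ip_interface(f"{remote}/{prefix}")
    net = l_if.network
    # /31 and /32 have no reserved network/broadcast addresses; anything
    # shorter loses the first and last address of the block.
    reserved = [] if prefix >= 31 else [net.network_address, net.broadcast_address]
    return TunnelPlan(
        local=local,
        remote=remote,
        prefix=prefix,
        same_subnet=(r_if.network == net),
        local_usable=(l_if.ip not in reserved),
        remote_usable=(r_if.ip not in reserved),
        reserved=[str(a) for a in reserved],
    )


if __name__ == "__main__":
    for local, remote, prefix in [("10.10.10.1", "10.10.10.2", 30),
                                  ("10.10.10.0", "10.10.10.1", 31),
                                  ("10.10.10.1", "10.10.10.2", 31),
                                  ("10.10.10.1", "10.10.10.2", 32),
                                  ("10.10.10.1", "10.10.10.2", 24)]:
        print(plan_tunnel(local, remote, prefix))
```

Note that a /31 only works when the pair is aligned on an even/odd boundary: 10.10.10.1/31 and 10.10.10.2/31 fall in different /31 networks, which the check reports.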
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.