Multiple subnets between pfsense and cisco



  • I think this may be a limitation on cisco's side but here's the problem:

    site a:  pfsense 1.2.x
    10.30.0.0/16

    site b: cisco pix 525
    192.168.40.0/24
    10.40.0.0/16

    We're in the process of migrating from the 192 network to the 10 network.  In the meantime though both networks need to be able to communicate with site a at the same time.  The two networks are set up fine on site b and have internet connectivity.  The problem happened when trying to set up the ipsec tunnel between 10.40 and site a.  The Pix 525 only supports a single identifier per interface.  Since there's only one outside interface that means all ipsec connections use the public ip of the firewall.  This isn't a big issue though since you assign an access-list that has multiple subnets on it and it should work (never tested on anything besides pfsense as the prior cisco site to site was just a single subnet).  But in pfsense you can only assign one subnet, so what I think was happening was site b knew what traffic to send to site a but site a didn't know how to send traffic to the new 10.40 network.  I tried duplicating the current config in pfsense and changing the subnet and as you can guess it didn't work.  I looked at the documentation on multiple subnets but it won't work for me because I can't specify different identifiers on the cisco side.

    The only option I can think of now is to do a full network switch at like 4AM and just change everything over to the new subnet and eliminate the need for two subnets.  While definitely a possibility it's not preferable since a lot of services depend on these and I have to ensure all those are updated.  Although the more I think about it the more this looks like the way I'm going to go unless there's some other way.



  • If I understand it correctly, you have a working tunnel between the 2 sites (A & B) for the class A subnet. If this is the case, to resolve the routing issue you may want to try:

    1. add a static route on your pfSense box

    OR

    2. Enable RIP on both routers (providing that RIP is supported on both routers via IPsec tunnel)



  • After reviewing my previous input, I glanced over the pfSense Definitive Guide and found this:

    "Static routes will not route traffic over an IPsec connection, never configure static routes for any IPsec traffic except in the case of traffic initiated from pfSense itself."

    And that "The only option if the subnets are not contiguous is to create parallel IPsec tunnels, 1 for each subnet."

    The quoted info above can be found in section 13.4.3 (Routing multiple subnets over IPsec) of the Definitive Guide.

    That said, consolidating your existing class A and C subnets seems to be the only solution.
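    The guide's rule quoted above hinges on one question: can the remote subnets be written as a single prefix, or not? If they can, one Phase 2 entry with the summarized prefix covers both; if they cannot, each local/remote pair needs its own tunnel. The script below is an added example, not from the thread or from pfSense or Cisco, that checks this with Python's standard-library ipaddress module using the thread's addressing as constructed input. It assumes site A has the single 10.30.0.0/16 subnet stated in the first post, and it also flags overlapping local/remote prefixes, which cannot be tunnelled without NAT whatever the firewall.

```python
import ipaddress
from itertools import product


def to_nets(subnets):
    """Parse prefix strings into ip_network objects (host bits are tolerated)."""
    return [ipaddress.ip_network(s, strict=False) for s in subnets]


def collapse(subnets):
    """Merge subnets that together form larger aligned blocks (e.g. two /17s -> one /16)."""
    return [str(n) for n in ipaddress.collapse_addresses(to_nets(subnets))]


def is_contiguous(subnets):
    """True when the subnets can be expressed as exactly one prefix with no extra address space."""
    return len(collapse(subnets)) == 1


def smallest_supernet(subnets):
    """Smallest single prefix containing every subnet.

    When is_contiguous() is False this shows how much unrelated address space a
    single summary route or Phase 2 entry would have to drag into the tunnel.
    """
    nets = to_nets(subnets)
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    candidate = ipaddress.ip_network(str(lo))      # start at a /32 on the lowest address
    while hi > candidate.broadcast_address:        # widen until the highest address fits
        candidate = candidate.supernet()
    return str(candidate)


def overlapping(local_subnets, remote_subnets):
    """Local/remote pairs whose address space overlaps; these need NAT, not just a tunnel."""
    return [(str(a), str(b))
            for a, b in product(to_nets(local_subnets), to_nets(remote_subnets))
            if a.overlaps(b)]


def phase2_entries(local_subnets, remote_subnets):
    """One IPsec tunnel (Phase 2 entry) per local/remote pair: the 'parallel tunnels' the guide describes."""
    clashes = overlapping(local_subnets, remote_subnets)
    if clashes:
        raise ValueError(f"local and remote address space overlap: {clashes}")
    return [(str(l), str(r))
            for l, r in product(to_nets(local_subnets), to_nets(remote_subnets))]


# Constructed from the addressing given in the thread (assumption: site A has one subnet)
SITE_A = ["10.30.0.0/16"]
SITE_B = ["192.168.40.0/24", "10.40.0.0/16"]

if __name__ == "__main__":
    print("site B collapses to:", collapse(SITE_B))
    print("site B contiguous:", is_contiguous(SITE_B))
    print("single summary would have to be:", smallest_supernet(SITE_B))
    for local, remote in phase2_entries(SITE_A, SITE_B):
        print(f"tunnel needed: {local} <-> {remote}")
```

    For the thread's networks the only single prefix covering both 192.168.40.0/24 and 10.40.0.0/16 is 0.0.0.0/0, which is why a summary is not an option and the choice comes down to two parallel tunnels or the cut-over to one subnet.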

