Netgate Discussion Forum
    Routing over an ipsec tunnel

    4 Posts 3 Posters 11.4k Views
tubular031:

      I come from an ASA world and I know this works with it. Now I am in a virtual world and am putting up virtual routers and firewalls. So enter pfsense…

      I have an office subnet 192.168.1.0 connected to a VPN tunnel to the main office at 192.168.9.0. The main office can access many other offices via the routed mpls network behind the 192.168.9.0 network. With an ASA at the remote office I can allow the 192.168.1.0 network to talk to all the networks behind the main office network. I can also let the other offices "use" the tunnel from the main office to the remote vpn location.

      Can I do this with pfsense at the remote office (192.168.1.0)?


Gob:

        Hi
        At a guess, pfSense v2 supports multiple Phase 2 connections through ipsec. I assume this is so you can tunnel to multiple subnets through one ipsec tunnel.

Alternatively, if all of the other destinations are on a 192.168.xxx.xxx subnet, you could use 192.168.0.0/16 as the remote subnet on the pfSense at the remote site. This would route all of the traffic to 192.168.xxx.xxx over the tunnel.

        If I fix one more thing than I break in a day, it's a good day!


jimp (Rebel Alliance Developer, Netgate):

          Multiple phase 2's is what you are after.

          The ASA can't route over IPsec any more than pfSense can when it comes to IPsec in tunnel mode.

          If you add subnets to the ACL for a tunnel on the ASA, it's the equivalent of adding another phase 2 entry on pfSense.

          For true "routing" over IPsec, you'd need to run IPsec in transport mode with a GIF tunnel on top of that and route however you like across the GIF interface. Or just switch to OpenVPN and route however you like.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!


tubular031:
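The point jimp makes, that tunnel-mode IPsec is policy-based and only traffic matching a phase 2 selector is sent through the tunnel, can be checked with a small selector model. The example below is added here and is not pfSense or strongSwan code; the phase 2 entries and the 192.168.20.0/24 MPLS office are constructed for illustration. It also flags the overlap that Gob's 192.168.0.0/16 supernet creates with the local subnet, which is the one caveat to that shortcut.

```python
from ipaddress import ip_address, ip_network

# Hypothetical phase 2 entries on the remote-office pfSense, as (local subnet, remote subnet).
# Each tuple is one traffic selector; a flow is encrypted only if some selector covers it.
PHASE2_SINGLE = [("192.168.1.0/24", "192.168.9.0/24")]          # original single phase 2
PHASE2_MULTI = [("192.168.1.0/24", "192.168.9.0/24"),           # main office
                ("192.168.1.0/24", "192.168.20.0/24")]          # constructed MPLS office
PHASE2_SUPERNET = [("192.168.1.0/24", "192.168.0.0/16")]        # Gob's supernet suggestion


def matching_phase2(entries, src, dst):
    """Return the first (local, remote) selector covering src -> dst, or None.

    None means the packet is NOT sent through the tunnel; it follows the
    ordinary routing table instead (typically out the WAN, or dropped by rules).
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in entries:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def selector_warnings(entries):
    """Flag remote selectors that overlap the local subnet.

    A wide remote selector such as 192.168.0.0/16 also contains the local
    192.168.1.0/24, so the policy on each side should be reviewed for that overlap.
    """
    warnings = []
    for local, remote in entries:
        if ip_network(local).overlaps(ip_network(remote)):
            warnings.append(f"remote {remote} overlaps local {local}")
    return warnings


def mirrored_entries(entries):
    """The peer must carry the same selectors with local/remote swapped."""
    return [(remote, local) for local, remote in entries]


if __name__ == "__main__":
    for name, entries in (("single", PHASE2_SINGLE), ("multi", PHASE2_MULTI),
                          ("supernet", PHASE2_SUPERNET)):
        hit = matching_phase2(entries, "192.168.1.10", "192.168.20.5")
        print(f"{name:8s} 192.168.1.10 -> 192.168.20.5: {hit}  warnings={selector_warnings(entries)}")
```

The main-office side needs the mirrored selectors from `mirrored_entries`, otherwise phase 2 negotiation for the extra subnets fails even though the remote side lists them.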

            Thanks, this is what I needed to know. I downloaded v2 and have not yet installed it. I like the nat-t support and the ability to add more than 1 phase 2. Thanks again
