Routing over an ipsec tunnel


  • I come from an ASA world and I know this works with it. Now I am in a virtual world and am putting up virtual routers and firewalls. So enter pfsense…

    I have an office subnet 192.168.1.0 connected to a VPN tunnel to the main office at 192.168.9.0. The main office can access many other offices via the routed mpls network behind the 192.168.9.0 network. With an ASA at the remote office I can allow the 192.168.1.0 network to talk to all the networks behind the main office network. I can also let the other offices "use" the tunnel from the main office to the remote vpn location.

    Can I do this with pfsense at the remote office (192.168.1.0)?


  • Hi
    At a guess, pfSense v2 supports multiple Phase 2 connections through ipsec. I assume this is so you can tunnel to multiple subnets through one ipsec tunnel.

    Alternatively if all of the other destinations are on a 192.168.xxx.xxx subnet you could use 192.168.0.0/16 as the remote subnet on the pfsense at the remote site. This would route all of the traffic to 192.168.xxx.xxx over the tunnel.

  • Rebel Alliance Developer Netgate

    Multiple phase 2's is what you are after.

    The ASA can't route over IPsec any more than pfSense can when it comes to IPsec in tunnel mode.

    If you add subnets to the ACL for a tunnel on the ASA, it's the equivalent of adding another phase 2 entry on pfSense.

    For true "routing" over IPsec, you'd need to run IPsec in transport mode with a GIF tunnel on top of that and route however you like across the GIF interface. Or just switch to OpenVPN and route however you like.
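A small model of the Phase 2 (traffic selector) lookup described in the two answers above, added here as an example rather than code from the thread or from pfSense: in tunnel mode a flow is only sent through the tunnel when both its source and destination fall inside one Phase 2 entry's local/remote pair, so it contrasts a table with one Phase 2 per MPLS site against the single 192.168.0.0/16 entry. The branch subnets 192.168.20.0/24 and 192.168.30.0/24 and the sample flows are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed Phase 2 tables for the remote office (local LAN 192.168.1.0/24).
# Each entry is (local_net, remote_net): a tunnel mode SA covers only flows
# whose source is inside local_net and whose destination is inside remote_net.
MULTI_P2 = [
    ("192.168.1.0/24", "192.168.9.0/24"),   # main office LAN (from the thread)
    ("192.168.1.0/24", "192.168.20.0/24"),  # constructed: one MPLS branch
    ("192.168.1.0/24", "192.168.30.0/24"),  # constructed: another MPLS branch
]
# The /16 shortcut from the first answer: one entry covering every 192.168.x.x.
SUMMARY_P2 = [("192.168.1.0/24", "192.168.0.0/16")]


def matching_selector(p2_entries, src, dst):
    """Return the first Phase 2 entry whose selectors cover src->dst, or None.

    Mirrors a policy-based SPD lookup: both ends must match. A flow that
    matches no entry is not encrypted by this tunnel and simply follows the
    ordinary routing table (whatever the firewall rules then do with it)."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in p2_entries:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def tunnelled(p2_entries, src, dst):
    return matching_selector(p2_entries, src, dst) is not None


def audit(p2_entries, flows):
    """Classify constructed flows; returns {(src, dst): goes_through_tunnel}."""
    return {(src, dst): tunnelled(p2_entries, src, dst) for src, dst in flows}


# Constructed sample flows to audit against each table.
FLOWS = [
    ("192.168.1.10", "192.168.9.5"),    # remote LAN -> main office
    ("192.168.1.10", "192.168.20.7"),   # remote LAN -> listed MPLS branch
    ("192.168.1.10", "192.168.77.1"),   # remote LAN -> 192.168.x site with no entry
    ("192.168.1.10", "10.0.0.1"),       # remote LAN -> outside 192.168/16
    ("192.168.2.10", "192.168.9.5"),    # wrong local side: never matches
]

if __name__ == "__main__":
    for name, table in (("multiple phase 2", MULTI_P2), ("summary /16", SUMMARY_P2)):
        print(name)
        for (src, dst), ok in audit(table, FLOWS).items():
            print("  %-13s -> %-14s %s" % (src, dst, "tunnel" if ok else "normal route"))
```

The /16 table sends 192.168.77.1 through the tunnel even though no such site was listed, which is exactly the "all of 192.168.xxx.xxx" behaviour the first answer describes; the peer at the main office must carry a matching selector or that Phase 2 will not negotiate.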


  • Thanks, this is what I needed to know. I downloaded v2 and have not yet installed it. I like the nat-t support and the ability to add more than 1 phase 2. Thanks again