IPsec P2P with rules for non-connected networks?

  • I've successfully set up an IPsec tunnel between two pfSense boxes at different locations.  If I set up the Phase 2 entries to allow the LAN subnets on both sides to talk, that works fine.

    However, I'd like to set it up so two NON-connected IPs can pass through the VPN.  Not Internet traffic, just two specific IPs, like this: - -(Internet)- -

    So, in that example above, I want to allow traffic between and  However, if I create the Phase 2 entries, I never get the little connect icon in Status - IPsec, just the yellow status.  In the IPsec logs I get Unknown Gateway/Dynamic errors.

    I guess I'm not sure what to do - I know it's possible to allow more than just the LAN subnet traffic through (for instance, for all traffic), so why not specific non-connected IPs?  I do have routes on each pfSense box to reach those 172.20.x IPs that are behind routers on their respective LAN subnets.

    So, any suggestions?  If this has been answered elsewhere, I apologize.  I did do some searching before I posted this.


  • Well, I seem to have made this work… I'm not entirely sure how, though.  I deleted all the SPDs on both sides, recreated the Phase 2 rules, and then sent some ICMP traffic from one side to the other, and the tunnel was built.  Even though I had no connect button on either pfSense box, it still came up when traffic appeared.

    So, lesson learned!
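The two behaviours the thread runs into, a Phase 2 selector that only covers two specific hosts (so any other address pair is not sent through the tunnel), and a tunnel that is negotiated on demand the first time matching traffic appears, can be modelled in a few lines. The following Python is an added illustration written for this page; it is not pfSense code and does not touch a real IPsec stack. The Phase 2 entries, the routing table and every address in it are constructed for the example (RFC 1918 and RFC 5737 ranges), and the return-path check reflects the poster's own note that each box needs a route to the 172.20.x hosts behind the LAN routers.

```python
import ipaddress

# Constructed Phase 2 entries (traffic selectors / SPD policies) for one tunnel.
# Addresses are example RFC 1918 ranges chosen for this illustration, not from the thread.
PHASE2 = [
    {"local": "192.168.1.0/24", "remote": "192.168.2.0/24"},   # LAN-to-LAN entry
    {"local": "172.20.1.10/32", "remote": "172.20.2.10/32"},   # two non-connected hosts
]

# Constructed routing table of the left-hand box: a static route points
# 172.20.1.0/24 at a router sitting on the LAN.
ROUTES = {
    "192.168.1.0/24": "direct",
    "172.20.1.0/24": "192.168.1.254",
    "0.0.0.0/0": "203.0.113.1",        # WAN default gateway (RFC 5737 documentation range)
}


def matching_selector(src, dst, phase2=PHASE2):
    """Return the first Phase 2 entry whose local/remote selectors cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in phase2:
        if s in ipaddress.ip_network(entry["local"]) and d in ipaddress.ip_network(entry["remote"]):
            return entry
    return None


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match; returns (matched_network, gateway) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def return_path_ok(addr, routes=ROUTES):
    """True if decrypted replies to addr would be sent towards the LAN side
    (connected or static route); False if only the WAN default route matches."""
    hit = route_lookup(addr, routes)
    return hit is not None and hit[0].prefixlen > 0


class Tunnel:
    """Tiny model of an on-demand tunnel: a child SA is negotiated the first
    time traffic matches a selector, so no manual 'connect' is needed."""

    def __init__(self, phase2=PHASE2, routes=ROUTES):
        self.phase2, self.routes = phase2, routes
        self.up = set()  # indexes of Phase 2 entries with an established child SA

    def send(self, src, dst):
        sel = matching_selector(src, dst, self.phase2)
        if sel is None:
            return "clear"          # no policy: routed normally, not through the VPN
        if not return_path_ok(src, self.routes):
            return "unroutable"     # selector matches, but replies would leave via the WAN
        idx = self.phase2.index(sel)
        if idx not in self.up:
            self.up.add(idx)
            return "negotiated"     # first matching packet triggers IKE to build the child SA
        return "tunnel"


if __name__ == "__main__":
    t = Tunnel()
    for pair in [("172.20.1.10", "172.20.2.10"), ("172.20.1.10", "172.20.2.10"),
                 ("172.20.1.11", "172.20.2.10"), ("192.168.1.5", "192.168.2.7")]:
        print(pair, "->", t.send(*pair))
```

Running the block shows the host pair from the /32 entry first negotiating and then using the tunnel, a neighbouring host (172.20.1.11) falling outside the selector entirely, and, if the static route for 172.20.1.0/24 is removed from `ROUTES`, the same pair being reported as unroutable even though the selector matches.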

