IPsec tunnel to WAN port only

  • Hoping someone can help. I have read every artical on the internet in relation to pfsense an ipsec.
    Getting a basic IPsec tunnel going i can do but this one is more complicated.
    Problem is every guide or manual i can find assumes both ends are running a LAN interface.

    We have a VPS in the UK running Pfsense, that we are trying to get a IPSEC tunnel connected to our local LAN which is also running PFsense.
    It only has a WAN interface and no LAN interface.
    We want to be able to access files on the VPS it self and use as a offsite storage as well as redirect selected internet traffic out via this box.

    For the life of me i can't get this going and no one no matter how many IT people i speak to can help.

    Can anyone please help or put me in the right direction?

    Assuming the below:
    VPS: WAN ip
    Remote site WAN:

  • "Regular" IPsec won't work unless you tamper with the remote box and set the proper Phase2 on the VPS. Are you able to do this?

    Probably it is set up to provide a mobile IPsec connection. I really don't know if your local pfSense can act as a "client" of such configuration. In any case, the "redirect selected internet traffic out via this box" part might get troublesome. With IPsec you cannot really add static routes or use policy based routing.

    Considering the other end is also pfSense, I would suggest to find the way to setup OpenVPN instead

  • I'm in control of both PFsense boxes. So can change any setting required.

    This is something that needs to be setup and is not working at present.

    The VPS pfsense box is a install of pfsense currently waiting for me to get it working.

    What is different with the mobile option in pfsense vs a normal ipsec tunnel?

    I've read a bit about  OpenVPN but don't get why this is more popular. Wouldn't it just rely on normal IPSEC policy like normal?

  • OpenVPN and IPsec are completely different technologies.

    What matters here to you is the ability to selectively route internet traffic through the tunnel, which you cannot do on IPsec but you can with OpenVPN. So I suggest to forget about IPsec for this project. I am not an OpenVPN expert (yet?), so you better post on its subforum if you have any questions on how to set it up (shouldn't be difficult anyway).

  • Can i not set a virtual interface with a internal range on the remote VPS box and then use normal VPN this way?

  • By "normal VPN" you mean IPsec?

    You will be able to access the VPS and its subnet through IPsec, but you won't be able to route internet traffic through it. It has to do with the way in which racoon hooks up to the FreeBSD kernel. Routes are not defined as regular routes with IPsec endpoints, but with Phase2 definitions. Each Phase2 hooks up one subnet. If you create a Phase2 with subnet, you will be effectively routing all traffic through it. But you cannot use policy based routing to selectively route traffic.

  • Thankyou for the explanation. Makes sense now.

    Would IPSEC mobile work as I assume that is like a pptp VPN connection where you become part of local network and everything routes out from there on that machine.

  • You REALLY don't like OpenVPN right? :P

    Let's put this very simple:

    • If you want to be able to selectively route internet traffic through the link, **forget about IPsec ***

    • If you really want to use IPsec, you will be able to access the VPS and its subnet with no problems. Just create a regular Phase1, and then an appropriate Phase2 which links the subnets. Allow all traffic on the IPsec "interface" on the firewall rules, and you are done


    • Disclaimer, just to be technically correct, hehe: actually you could route some internet traffic if you manage to know the certain IP address/ranges that those sites utilize, by creating a Phase2 on both firewalls, with that subnet. Even if you could do it, it will be waay too cumbersome for something that you can easily achieve with an OpenVPN tunnel

Log in to reply