Netgate Discussion Forum

    IPsec VPN and routing traffic between tunnels.

    9 Posts 3 Posters 7.7k Views
      ggiants81

      Hi there.
      Is it possible for pfSense to, for instance, have two IPsec tunnels, like A and B, where A's remote network is 10.10.10.0/24 and B's remote network is 10.10.11.0/24, so that remote net A can reach remote net B through the IPsec tunnel to pfSense? Like a hub and spoke.

        Matthias

        Should be possible. Just set up static or dynamic routing. I'll set up a little scenario to explain.

        We have routers RA, RB, and RC. RA will be the hub and RB and RC will be the spokes.

        RB has local network 10.10.10.0/24
        RC has local network 10.10.11.0/24

        Set up your IPsec site-to-site tunnels between RA and RB and between RA and RC.

        Now all the routers need to know how to get to each network. This is where the static routes come in (or dynamic routes, if you want to set up RIP or OSPF).

        RB needs to know how to get to the 10.10.11.0/24 network so create a static route pointing to 10.10.11.0/24 and set the next hop to RA's IPSec tunnel interface.

        RC is set up in the same way as RB; just point to 10.10.10.0/24 and use RA's IPsec tunnel interface on that side.

        RA needs to know how to get to both networks so it can forward traffic either way.

        Set up two static routes much like the ones you set up for RB and RC but use RB and RC's respective IPSec tunnel interfaces as the next hop address.

          georgeman

          Regular static routing doesn't work with IPsec tunnels due to the way it is hooked to the system kernel.

          In order to achieve this, you need to create an additional Phase 2 on A and B, with "remote network" set as the opposite site's subnet ;)

          If it ain't broke, you haven't tampered enough with it

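A small model of the point georgeman makes above, added here as an example and not taken from the thread or from pfSense itself: pfSense IPsec is policy based, so a packet only crosses a tunnel when its source and destination fall inside a Phase 2 (local network, remote network) pair on both peers, and a static route alone never puts it into the tunnel. The router names RA/RB/RC and the spoke LANs come from the posts; the hub LAN 192.168.1.0/24 and all function names are assumptions.

```python
from ipaddress import ip_address, ip_network

def hub_spoke_policies(hub, hub_lan, spokes, transit=True):
    """Build pol[router][peer] = list of (local_net, remote_net) Phase 2 entries.
    spokes maps spoke name -> its LAN (string). transit=True adds the extra
    Phase 2 entries georgeman describes (spoke LAN <-> other spoke LAN via the hub);
    transit=False models plain site-to-site tunnels plus static routes."""
    hub_lan = ip_network(hub_lan)
    lans = {name: ip_network(lan) for name, lan in spokes.items()}
    pol = {hub: {}}
    for name, lan in lans.items():
        pol[name] = {hub: [(lan, hub_lan)]}   # spoke: my LAN <-> hub LAN
        pol[hub][name] = [(hub_lan, lan)]     # hub, tunnel to spoke: hub LAN <-> spoke LAN
    if transit:
        for a, lan_a in lans.items():
            for b, lan_b in lans.items():
                if a != b:
                    pol[a][hub].append((lan_a, lan_b))  # spoke a reaches spoke b's LAN via hub
                    pol[hub][a].append((lan_b, lan_a))  # on the hub, b's LAN is "local" toward a
    return pol

def _matches(entries, local_addr, remote_addr):
    """True if some Phase 2 has local_addr in its local net and remote_addr in its remote net."""
    return any(local_addr in loc and remote_addr in rem for loc, rem in entries)

def trace(pol, hub, src, dst):
    """Routers a src->dst packet crosses (spoke, hub, spoke), or None if any hop
    lacks a matching Phase 2, i.e. the packet never enters or leaves a tunnel there.
    Hosts on the hub's own LAN are not modelled; only spoke-to-spoke flows are."""
    src, dst = ip_address(src), ip_address(dst)

    def owner(addr):  # the spoke whose LAN (the 'local' side of its hub tunnel) holds addr
        for r, peers in pol.items():
            if r != hub and any(addr in loc for loc, _ in peers[hub]):
                return r
        return None

    s, d = owner(src), owner(dst)
    if s is None or d is None or s == d:
        return None
    hops = [
        (pol[s][hub], src, dst),   # spoke s encrypts toward the hub
        (pol[hub][s], dst, src),   # hub accepts it on the tunnel from s
        (pol[hub][d], src, dst),   # hub re-encrypts toward spoke d
        (pol[d][hub], dst, src),   # spoke d accepts it
    ]
    if all(_matches(entries, a, b) for entries, a, b in hops):
        return [s, hub, d]
    return None
```

Running `trace` with `transit=False` returns None at the very first hop, which is the failure Matthias's static-route plan runs into: the route exists, but no Phase 2 selector claims the packet.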
            Matthias

            Thanks for the added info, george. I've never tried this myself; I was just going off what I know about networking. It should also be noted that dynamic routing won't work without a GRE tunnel, because IPsec does not pass broadcast traffic.

              ggiants81

              Thanks for the feedback, guys. So basically I only need to add Phase 2 entries for the networks that want to reach each other, is that correct?

                georgeman

                Correct

                If it ain't broke, you haven't tampered enough with it

                  ggiants81

                  Just to tweak things even more... Is it possible to do NAT in the tunnels as well? Like NAT the tunnel network from RB when it accesses RC via RA?

                    Matthias

                    I believe you select that in Phase 2 as NAT/BINAT.

                      georgeman

                      Should be possible in 2.1 (I haven't tested it yet).

                      If it ain't broke, you haven't tampered enough with it

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.