IPsec site to site and multiple networks



  • Hi good people!

    I do not have any experience configuring IPSec tunnels.

    From what I have read I understand that I must create as many phase 2 as necessary to include non-summarizable networks.

    Why does this have to be this way? Is this pfSense specific or just the way IPSec works?

    I saw some videos about fortinet and other vendors where it was only necessary to create routes.

    Thank you!


  • Rebel Alliance Developer Netgate

    It's necessary in most every IPsec device but the methods are different.

    Some define the Phase 2 networks as we do. Others define them using ACLs, policies, or "routes" of sorts – no matter what, you need to have a list of networks to allow on your side and IPsec destinations on the far side. Some try to automate or hide parts of it, but it makes diagnosing tunnel issues much more difficult than it needs to be.

    In the future it may be simplified somewhat by using aliases for Phase 2 networks, but that isn't possible yet.

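The reply above says every IPsec implementation ends up with a list of local networks paired with far-side networks, whether it calls them Phase 2 entries, policies, ACLs or routes. The script below is an added example (not from this thread, Netgate or pfSense) that shows why "non-summarizable" matters: it collapses each side's subnet list into the minimal set of supernets, builds the (local, remote) selector pairs that would each need their own Phase 2 / child SA, and looks up which pair a given packet would match, returning None when no selector covers it (the classic "traffic never enters the tunnel" symptom). The subnets are constructed sample values.

```python
import ipaddress
from itertools import product

# Constructed sample networks for a hypothetical site-to-site tunnel.
# 10.10.0.0/24 + 10.10.1.0/24 are adjacent and aligned, so they summarize
# to 10.10.0.0/23; 192.168.50.0/24 cannot be merged with anything.
LOCAL_NETS = ["10.10.0.0/24", "10.10.1.0/24", "192.168.50.0/24"]
REMOTE_NETS = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24",
               "10.20.3.0/24", "172.16.9.0/24"]


def summarize(nets):
    """Collapse CIDR strings into the minimal set of supernets.

    Adjacent, aligned blocks merge (e.g. four consecutive /24s become a /22);
    anything that cannot be merged stays as its own entry.  The length of the
    result is the number of selector entries that side really needs.
    """
    networks = [ipaddress.ip_network(n, strict=True) for n in nets]
    return sorted(ipaddress.collapse_addresses(networks))


def phase2_entries(local, remote):
    """One (local, remote) selector pair per Phase 2 / child SA.

    Traffic selectors are pairs, so a non-summarizable network on either side
    multiplies the number of entries: len(local_summary) * len(remote_summary).
    """
    return list(product(summarize(local), summarize(remote)))


def entries_without_summarization(local, remote):
    """Count of entries if every subnet were configured individually."""
    return len(local) * len(remote)


def selector_for(src, dst, entries):
    """Return the (local, remote) pair that would carry src -> dst, or None.

    None means no selector covers the flow: the packet is routed normally
    instead of being encapsulated, which is the usual cause of 'the tunnel is
    up but this subnet cannot talk across it'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local_net, remote_net in entries:
        if s in local_net and d in remote_net:
            return (local_net, remote_net)
    return None


if __name__ == "__main__":
    entries = phase2_entries(LOCAL_NETS, REMOTE_NETS)
    print("naive entries:", entries_without_summarization(LOCAL_NETS, REMOTE_NETS))
    print("after summarization:", len(entries))
    for local_net, remote_net in entries:
        print(f"  {local_net} <-> {remote_net}")
    print(selector_for("10.10.1.5", "10.20.3.9", entries))
    print(selector_for("10.10.1.5", "10.30.0.1", entries))  # uncovered flow
```

With the sample lists, configuring every subnet separately would mean 15 Phase 2 entries, while summarizing first needs only 4; the uncovered-flow lookup is the check to run first when one subnet works across the tunnel and another does not.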
