<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Routing across IPSec Tunnels]]></title><description><![CDATA[<p dir="auto">I have a tunnel between a pfsense box (192.168.100.0/24) and a palo alto (172.17.16.0/24). The tunnel works great between the 2 subnets; however, there is an extra subnet on the palo alto side that we need to reach. I'm used to being able to add a route which describes its gateway as a specific IPSec tunnel, but the only options I have under Static Routes for this are my external interface, internal gateway, loopback. How do I tell pfsense that this third network is through the IPSec tunnel?</p>
]]></description><link>https://forum.netgate.com/topic/82767/routing-across-ipsec-tunnels</link><generator>RSS for Node</generator><lastBuildDate>Tue, 16 Jun 2026 13:02:29 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/82767.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 14 Apr 2015 05:41:05 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Routing across IPSec Tunnels on Fri, 17 Apr 2015 01:18:00 GMT]]></title><description><![CDATA[<p dir="auto">Yes, saw that. You know that the device at the other end only has 1 x P2 configured? Most devices don't have the ability to set up multiple phase 2's, Cyberoam, Sophos UTM, vShield, Palo Alto, they all just allow multiple subnets within the single P2 config or as a route using the tunnel as the gateway. If you were already clear on that, I'm not sure what the answer is. As the 2 x P2 on the pfSense box has identical settings, apart from the subnet.</p>
]]></description><link>https://forum.netgate.com/post/537195</link><guid isPermaLink="true">https://forum.netgate.com/post/537195</guid><dc:creator><![CDATA[iammist]]></dc:creator><pubDate>Fri, 17 Apr 2015 01:18:00 GMT</pubDate></item><item><title><![CDATA[Reply to Routing across IPSec Tunnels on Fri, 17 Apr 2015 00:46:06 GMT]]></title><description><![CDATA[<p dir="auto">Key part: "charon: 16[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify"</p>
<p dir="auto">The other end is sending back ATTRIBUTES_NOT_SUPPORTED, the question is why. If both your P2s are identically configured with the exception of the different networks, it's a config issue of some sort on the remote end.</p>
]]></description><link>https://forum.netgate.com/post/537179</link><guid isPermaLink="true">https://forum.netgate.com/post/537179</guid><dc:creator><![CDATA[cmb]]></dc:creator><pubDate>Fri, 17 Apr 2015 00:46:06 GMT</pubDate></item><item><title><![CDATA[Reply to Routing across IPSec Tunnels on Tue, 21 Apr 2015 03:54:19 GMT]]></title><description><![CDATA[<p dir="auto">I've attached the Status &gt; IPSec and VPN &gt; IPSec screenshots. Also, the logs for IPSec. We've stabilized the original tunnel now with the extra phase 2. But still unable to get the second subnet up. Thanks in advance.</p>
<p dir="auto"><img src="/public/_imported_attachments_/1/VPN_IPSec.JPG_thumb" alt="VPN_IPSec.JPG_thumb" class=" img-fluid img-markdown" /><br />
<img src="/public/_imported_attachments_/1/VPN_IPSec.JPG" alt="VPN_IPSec.JPG" class=" img-fluid img-markdown" /><br />
<img src="/public/_imported_attachments_/1/Status_IPSec.JPG_thumb" alt="Status_IPSec.JPG_thumb" class=" img-fluid img-markdown" /><br />
<img src="/public/_imported_attachments_/1/Status_IPSec.JPG" alt="Status_IPSec.JPG" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/post/537176</link><guid isPermaLink="true">https://forum.netgate.com/post/537176</guid><dc:creator><![CDATA[iammist]]></dc:creator><pubDate>Tue, 21 Apr 2015 03:54:19 GMT</pubDate></item><item><title><![CDATA[Reply to Routing across IPSec Tunnels on Thu, 16 Apr 2015 05:19:38 GMT]]></title><description><![CDATA[<p dir="auto">That's how IPsec functions, the other side has to know about the additional subnets as well. It may not be configured in the same manner as ours, where we show that they're actually separate and allow separate configs, but there will at least be an option to include multiple local and remote subnets in the P2 config on any worthwhile IPsec device. That's functionally equivalent.</p>
]]></description><link>https://forum.netgate.com/post/536783</link><guid isPermaLink="true">https://forum.netgate.com/post/536783</guid><dc:creator><![CDATA[cmb]]></dc:creator><pubDate>Thu, 16 Apr 2015 05:19:38 GMT</pubDate></item><item><title><![CDATA[Reply to Routing across IPSec Tunnels on Wed, 15 Apr 2015 22:11:07 GMT]]></title><description><![CDATA[<p dir="auto">Hi all,</p>
<p dir="auto">I found the below article, which is the answer to my question. However, I'm not sure the device on the other side allows multiple phase 2's and the Supernetting option won't work either due to the subnets being so different.</p>
<p dir="auto">https://doc.pfsense.org/index.php/IPsec_with_Multiple_Subnets</p>
<p dir="auto">Is there no other way around this?</p>
]]></description><link>https://forum.netgate.com/post/536694</link><guid isPermaLink="true">https://forum.netgate.com/post/536694</guid><dc:creator><![CDATA[iammist]]></dc:creator><pubDate>Wed, 15 Apr 2015 22:11:07 GMT</pubDate></item></channel></rss>