Routing across IPSec Tunnels

  • I have a tunnel between pfsense box ( and a palo alto ( The tunnel works great between the 2 subnets, however there is an extra subnet on the palo alto side that we need to reach. I'm used to being able to add a route which describes its gateway as a specific IPSec tunnel, but the only options I have under Static Routes for this are my external interface, internal gateway, loopback. How do I tell pfsense that this third network is through the IPSec tunnel?

  • Hi all,

    I found the below article, which is the answer to my question. However, I'm not sure the device the other side allows multiple phase 2's and the Supernetting option won't work either due to the subnets being so different.

    Is there no other way around this?

  • That's how IPsec functions, the other side has to know about the additional subnets as well. It may not be configured in the same manner as ours, where we show that they're actually separate and allow separate configs, but there will at least be an option to include multiple local and remote subnets in the P2 config on any worthwhile IPsec device. That's functionally equivalent.

  • I've attached the Status > IPSec and VPN > IPSec screenshots. Also, the logs for IPSec. We've stabilized the original tunnel now with the extra phase 2. But still unable to get the second subnet up. Thanks in advance.

  • Key part: "charon: 16[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify"

    The other end is sending back ATTRIBUTES_NOT_SUPPORTED, the question is why. If both your P2s are identically configured with the exception of the different networks, it's a config issue of some sort on the remote end.

  • Yes, saw that. You know that the device the other end only has 1 x P2 configured? Most devices don't have the ability to setup multiple phase 2's, Cyberoam, Sophos UTM, vShield, Palo Alto, they all just allow multiple subnets within the single P2 config or as a route using the tunnel as the gateway. If you were already clear on that, I'm not sure what the answer is. As the 2 x P2 on the pfSense box has identical settings, apart from the subnet.

Log in to reply