Netgate Discussion Forum
    Routing across IPSec Tunnels

iammist:

      I have a tunnel between a pfSense box (192.168.100.0/24) and a Palo Alto (172.17.16.0/24). The tunnel works great between the 2 subnets, however there is an extra subnet on the Palo Alto side that we need to reach. I'm used to being able to add a route which describes its gateway as a specific IPsec tunnel, but the only options I have under Static Routes for this are my external interface, internal gateway, loopback. How do I tell pfSense that this third network is through the IPsec tunnel?

iammist:

        Hi all,

        I found the below article, which is the answer to my question. However, I'm not sure the device on the other side allows multiple phase 2s, and the Supernetting option won't work either due to the subnets being so different.

        https://doc.pfsense.org/index.php/IPsec_with_Multiple_Subnets

        Is there no other way around this?

cmb:

          That's how IPsec functions; the other side has to know about the additional subnets as well. It may not be configured in the same manner as ours, where we show that they're actually separate and allow separate configs, but there will at least be an option to include multiple local and remote subnets in the P2 config on any worthwhile IPsec device. That's functionally equivalent.

iammist:

            I've attached the Status > IPSec and VPN > IPSec screenshots. Also, the logs for IPSec. We've stabilized the original tunnel now with the extra phase 2. But still unable to get the second subnet up. Thanks in advance.

            [Attachments: VPN_IPSec.JPG, Status_IPSec.JPG]

cmb:

              Key part: "charon: 16[IKE] received ATTRIBUTES_NOT_SUPPORTED error notify"

              The other end is sending back ATTRIBUTES_NOT_SUPPORTED, the question is why. If both your P2s are identically configured with the exception of the different networks, it's a config issue of some sort on the remote end.

iammist:

                Yes, saw that. You know that the device on the other end only has 1 x P2 configured? Most devices don't have the ability to set up multiple phase 2s. Cyberoam, Sophos UTM, vShield, Palo Alto, they all just allow multiple subnets within the single P2 config or as a route using the tunnel as the gateway. If you were already clear on that, I'm not sure what the answer is, as the 2 x P2 on the pfSense box have identical settings, apart from the subnet.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.