Netgate Discussion Forum
    2 tunnels : same remote config, but 2 different local subnets

    • Guest

      Hello,

      I have two IPSEC tunnels created.

      The remote parameters for both tunnels are exactly the same.

      The only difference between the 2 tunnels is the local subnet. First tunnel is for local subnet 192.168.1.0, second tunnel is for local subnet 192.168.2.0

      They both look ON (green) on the Ipsec Overview Status.

      But I always have the following error messages:


      racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
      racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
      racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
      racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
      racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
      racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in


      Does pfSense allow creating tunnels that are that similar (I mean tunnels that differ only in the local subnet)?

      And if so, will these error messages "lead" to some communication errors?

      Thank you.

      (pfsense 1.2)

    • heiko

        From the same WAN IP with a different subnet on one side you need different FQDNs. Parallel tunnels with the same WAN IP run only in aggressive mode. The FQDN name is your free choice…

        Example:

        192.168.6.0/24 ----> FQDN : dmz@pfsense.org --> 192.168.10.0/24 (Same WAN IP)
        192.168.6.0/24 -----> FQDN : lan@pfsense.org --> 192.168.20.0/24 (Same WAN IP)

    • cybercare

          Sorry if this is a dumb question, but I am doing the same thing and was looking for a little more detail.

          I have the following:

          MAN1 going to pfsense WAN w/ lan 172.16.22.0
          MAN1 going to pfsense WAN w/ lan2 10.50.75.0

          The MAN1 has one pub IP and one lan subnet, the WAN on other end has 2 lan subnets.

          I tried to set the pfSense side that had 2 LAN subnets to use My identifier: User FQDN: casa@mydomain.com on the first one and phones@mydomain.com on the second one; however, the VPNs went down and stayed dead. Do I need to set the other side to match on the User FQDN, or did I miss something?

          I am running 1.2 final.

          Thx

    • heiko

            Yes, you need the same FQDN identifier on both endpoints but different LAN subnets; that's the trick.

    • cybercare

              So because only one end has multiple subnets this won't work? Or am I misunderstanding, and as long as I use FQDNs and they match on both sides for both tunnels (each tunnel with a unique FQDN, of course) I am good?

              One end has 1 pub and 1 lan subnet, other has 1 pub and 2 lan subnets.

              Right now I have the original poster's problem, but they do work; it's just a mess.

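An added example, written for this page and not taken from the thread or from pfSense, that turns heiko's rule (parallel tunnels to one remote WAN IP need distinct FQDN identifiers, aggressive mode, and identifiers that match on both ends) into a check over tunnel definitions. The dict field names, the tunnel names and the 203.0.113.x addresses are this example's own assumptions; the sample tunnels are constructed to mirror the first post.

```python
import ipaddress
from collections import defaultdict

def check_tunnels(tunnels):
    """Return the problems found in the tunnels defined on one pfSense box.
    Tunnel dicts use this example's own field names: name, remote_gw, local_subnet,
    remote_subnet, mode ('main'/'aggressive'), my_id (phase-1 identifier presented)."""
    problems = []
    by_gw = defaultdict(list)
    for t in tunnels:
        by_gw[t["remote_gw"]].append(t)
    for gw, group in by_gw.items():
        if len(group) < 2:
            continue  # one tunnel per remote WAN IP: the IP identifier is enough
        # Parallel tunnels to one WAN IP must each present a distinct (User) FQDN,
        # otherwise the peer cannot tell the two phase-1 negotiations apart ...
        ids = [t["my_id"] for t in group]
        dup = sorted({i for i in ids if ids.count(i) > 1})
        if dup:
            problems.append(f"{gw}: identifier {dup} reused by parallel tunnels")
        # ... and that only works in aggressive mode (heiko's point in the thread).
        for t in group:
            if t["mode"] != "aggressive":
                problems.append(f"{t['name']}: parallel tunnel to {gw} uses {t['mode']} mode")
    # Two tunnels with the same (local, remote) pair would install one SPD entry twice.
    seen = {}
    for t in tunnels:
        key = (str(ipaddress.ip_network(t["local_subnet"])),
               str(ipaddress.ip_network(t["remote_subnet"])))
        if key in seen:
            problems.append(f"{t['name']}: policy {key[0]} <-> {key[1]} duplicates {seen[key]}")
        seen[key] = t["name"]
    return problems

def peer_matches(local, remote):
    """True when each end's identifier is exactly what the other end expects."""
    return local["my_id"] == remote["peer_id"] and local["peer_id"] == remote["my_id"]

# Constructed to mirror the first post: both tunnels end at one remote gateway
# (203.0.113.5 and 203.0.113.1 are placeholders) with the default IP identifier.
OP_TUNNELS = [
    {"name": "lan1", "remote_gw": "203.0.113.5", "local_subnet": "192.168.1.0/24",
     "remote_subnet": "10.76.20.92/32", "mode": "main", "my_id": "203.0.113.1"},
    {"name": "lan2", "remote_gw": "203.0.113.5", "local_subnet": "192.168.2.0/24",
     "remote_subnet": "10.76.20.92/32", "mode": "main", "my_id": "203.0.113.1"},
]
# heiko's fix: aggressive mode with a different User FQDN for each tunnel.
FIXED_TUNNELS = [dict(t, mode="aggressive", my_id=i) for t, i in
                 zip(OP_TUNNELS, ["dmz@pfsense.org", "lan@pfsense.org"])]
```

Running `check_tunnels(OP_TUNNELS)` reports the shared identifier and the two main-mode tunnels, while the fixed list comes back clean; `peer_matches` answers cybercare's question by checking one tunnel's two endpoint definitions against each other.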