Netgate Discussion Forum
    Routing to additional subnet over IPsec VPN

    mav137

      Hey guys,

      I'm having some trouble with a situation where I need to configure a route to a second subnet that is on the other end of an IPsec VPN.
      The VPN is between 2 datacenters. My side is the pfSense box and the other side is a Cisco ASA.

      The VPN is working well. Traffic is flowing nicely between the 2 primary subnets that are configured.
      When I add another subnet (or to be specific, a /32 IP address) in the phase 2 config of the pfSense box, it doesn't seem to route the traffic over the VPN.

      This thread explains that the ASA should have the second subnet in its ACL: https://forum.pfsense.org/index.php?topic=36579.0
      The engineer of the ASA confirmed this is the case.

      I'm more of a traditional routing guy and I have the urge to manually set up the routes with a next hop of the other side, but pfSense does not allow this.

      Does anyone have any ideas on how to troubleshoot this?

      mav137

        Will fix this by setting up another VPN tunnel to another pfSense box directly connected to the secondary segment.

        Would like to know if anyone has this functioning in a similar scenario.

        cmb

          You don't route across IPsec. Just need to make sure the additional P2 matches, if IKEv1. For IKEv2, ASAs don't support multiple selectors in the same TS payload yet, so that won't work. We'll implement a workaround likely in 2.3 to accommodate that, as Cisco doesn't seem to be implementing that any time soon.
          https://redmine.pfsense.org/issues/4704

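A small consistency check for the point cmb makes, added here as an example (it is not code from the thread, pfSense or Cisco): every phase 2 entry on the pfSense side must have a mirrored entry in the ASA's crypto ACL, and with IKEv2 a second selector will not be negotiated at all. The subnets and the peer ACL below are constructed for illustration.

```python
"""Check IPsec phase 2 selectors on a pfSense box against a peer's crypto ACL.
Added example, not code from the forum thread, pfSense or Cisco."""
from ipaddress import ip_network


def normalize(pairs):
    """Turn (local, remote) strings into network objects; a bare host
    such as '10.20.5.7' becomes 10.20.5.7/32, matching a /32 phase 2 entry."""
    return {(ip_network(l, strict=False), ip_network(r, strict=False))
            for l, r in pairs}


def check_phase2(ike_version, pfsense_p2, peer_acl):
    """Compare pfSense phase 2 entries with the peer's ACL.

    pfsense_p2: (local, remote) pairs as seen from pfSense.
    peer_acl:   (local, remote) pairs as seen from the peer; they are
                mirrored before comparison so both sides use pfSense's view.
    Returns a dict of findings. An empty 'missing_on_peer' list and a False
    'ikev2_multi_selector' flag means the selectors should match.
    """
    ours = normalize(pfsense_p2)
    theirs = {(r, l) for l, r in normalize(peer_acl)}

    def fmt(pair):
        return f"{pair[0]} -> {pair[1]}"

    return {
        # P2 entries pfSense will propose that the peer has no ACL line for
        "missing_on_peer": sorted(fmt(p) for p in ours - theirs),
        # ACL lines on the peer that pfSense never proposes
        "extra_on_peer": sorted(fmt(p) for p in theirs - ours),
        # cmb's caveat: an ASA accepts only one selector per IKEv2 TS payload,
        # so a second P2 entry is not negotiated even if the ACL matches
        "ikev2_multi_selector": ike_version == 2 and len(ours) > 1,
    }


# Constructed sample: the working /24 pair plus the extra /32 host from the
# thread's scenario; the peer ACL lists only the first pair (made-up addresses).
PFSENSE_P2 = [("192.168.10.0/24", "10.20.0.0/24"),
              ("192.168.10.0/24", "10.20.5.7")]
ASA_ACL = [("10.20.0.0/24", "192.168.10.0/24")]

if __name__ == "__main__":
    for version in (1, 2):
        print(f"IKEv{version}:", check_phase2(version, PFSENSE_P2, ASA_ACL))
```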
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.