Routing to additional subnet over IPsec VPN



  • Hey guys,

    I'm having some trouble with a situation where I need to configure a route to a second subnet that is on the other end of a IPsec VPN.
    The VPN is between 2 datacenters. My side is the PFsense box and the other side is a Cisco ASA.

    The VPN is working well. Traffic is flowing nicely between the 2 primary subnets that are configured.
    When I add another subnet (or to be specific, a /32 IP address) in the phase2 config of the PfSense box. It doesn't seem to route the traffic over the VPN.

    This thread explains that the ASA should have the second subnet in it's ACL. https://forum.pfsense.org/index.php?topic=36579.0
    The engineer of the ASA confirmed this is the case.

    I'm more of a traditional routing guy and I have the urge to manually set up the routes with a next hop of the other side, but PfSense does not allow this.

    Does anyone has any ideas on how to troubleshoot this?



  • Will fix this by setting up another VPN tunnel to a another PfSense box directly connected to the secondary segment.

    Would like to know if anyone has this functioning in a similar scenario.



  • You don't route across IPsec. Just need to make sure the additional P2 matches, if IKEv1. For IKEv2, ASAs don't support multiple selectors in the same TS payload yet, so that won't work. We'll implement a workaround likely in 2.3 to accommodate that, as Cisco doesn't seem to be implementing that any time soon.
    https://redmine.pfsense.org/issues/4704


Log in to reply