Netgate Discussion Forum

    IPsec Tunnel between WAN interface and single public IP address without GRE tun

    poma187

      I was trying to figure out the best way to set this scenario up:

      LAN subnet <--> LAN INT <pfsense> WAN INT <--------[IPSEC TUNNEL]--------> ETH0 <debian box>

      Definitions:
      LAN Net: 172.16.1.0/24
      LAN Int: 172.16.1.1
      WAN Int: a public IP address (let's call it 100.100.100.100)
      ETH0: a public IP address (let's call it 200.200.200.200)
      Outbound NAT rules are set up to send egress traffic to 0.0.0.0/0 out the WAN interface

      The application I am trying to reach on the debian box requires that the dest IP header be ETH0.  I figured that this could be done with a transport mode ipsec tunnel.  I set that up and traffic between the debian box and the local pfsense box is properly encrypted, however traffic from the LAN subnet to eth0 on the debian box is not encrypted.  I understand a GRE tunnel could be created and a route could be set up to forward traffic over the GRE tunnel to the debian box [while being encrypted via ipsec], but I am wondering if I can simply send the traffic encrypted directly via the IPsec tunnel forgoing the GRE tunnel entirely.

      I tried setting up the IPsec tunnel in 'tunnel' mode but when I put the remote network address in the phase 2 settings, I cannot use the phase 1 remote IP address as the phase 2 dest. remote network.  This is probably plainly wrong but this is also why I am posting this :)

      My apologies if this has been asked and answered in the past.  I did several searches and couldn't immediately find anything related to this.  If anyone has any suggestions I would appreciate it.

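To illustrate why the transport-mode SA described in the post leaves LAN-originated traffic in the clear, while a tunnel-mode phase 2 whose remote network is the peer's own /32 would cover it, here is an added Python model of IPsec security-policy (SPD) selector matching. It is not from the post, pfSense or strongSwan; it uses the addresses from the post and assumes the policy lookup sees the LAN host's pre-NAT source address (marked in the code), with ports and protocol omitted from the selectors.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Addresses from the post; selectors are pure prefix matches
# (ports/protocol deliberately omitted).
@dataclass(frozen=True)
class Policy:
    src: str   # local traffic selector (CIDR)
    dst: str   # remote traffic selector (CIDR)
    mode: str  # "transport" or "tunnel"


PFSENSE_WAN = "100.100.100.100"
DEBIAN_ETH0 = "200.200.200.200"
LAN_NET = "172.16.1.0/24"

# What the post describes: a transport-mode SA between the two hosts only.
SPD_TRANSPORT = [Policy(f"{PFSENSE_WAN}/32", f"{DEBIAN_ETH0}/32", "transport")]

# Tunnel mode with the peer address itself as the /32 "remote network",
# plus the host-to-host transport policy for pfSense's own traffic.
SPD_TUNNEL = [
    Policy(LAN_NET, f"{DEBIAN_ETH0}/32", "tunnel"),
    Policy(f"{PFSENSE_WAN}/32", f"{DEBIAN_ETH0}/32", "transport"),
]


def spd_lookup(spd, src_ip, dst_ip):
    """Return the mode of the first policy covering the packet, or 'clear'."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in spd:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p.mode
    return "clear"  # no matching policy: packet leaves unprotected


def classify(spd, flows):
    """Map each (src, dst) flow to the verdict the SPD gives it."""
    return {flow: spd_lookup(spd, *flow) for flow in flows}


FLOWS = [
    (PFSENSE_WAN, DEBIAN_ETH0),    # pfSense itself -> Debian
    ("172.16.1.10", DEBIAN_ETH0),  # LAN host -> Debian (assumed pre-NAT source)
]

if __name__ == "__main__":
    for name, spd in (("transport-only", SPD_TRANSPORT), ("tunnel", SPD_TUNNEL)):
        for (src, dst), verdict in classify(spd, FLOWS).items():
            print(f"{name:14} {src:>16} -> {dst:<16} {verdict}")
```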
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.