IPsec Tunnel between WAN interface and single public IP address without GRE tun



  • I was trying to figure out the best way to set this scenario up:

    LAN subnet <--> LAN INT <pfsense> WAN INT <--------[IPSEC TUNNEL]--------> ETH0 <debian box>

    Definitions:
    LAN Net: 172.16.1.0/24
    LAN Int: 172.16.1.1
    WAN Int: a public IP address (let's call it 100.100.100.100)
    ETH0: a public IP address (let's call it 200.200.200.200)
    Outbound NAT rules are set up to send egress traffic to 0.0.0.0/0 out the WAN interface

    The application I am trying to reach on the debian box requires that the dest IP header be ETH0.  I figured that this could be done with a transport mode ipsec tunnel.  I set that up and traffic between the debian box and the local pfsense box is properly encrypted, however traffic from the LAN subnet to eth0 on the debian box is not encrypted.  I understand a GRE tunnel could be created and a route could be set up to forward traffic over the GRE tunnel to the debian box [while being encrypted via ipsec], but I am wondering if I can simply send the traffic encrypted directly via the IPsec tunnel forgoing the GRE tunnel entirely.

    I tried setting up the IPsec tunnel in 'tunnel' mode but when I put the remote network address in the phase 2 settings, I cannot use the phase 1 remote IP address as the phase 2 dest. remote network.  This is probably plainly wrong but this is also why I am posting this :)

    My apologies if this has been asked and answered in the past.  I did several searches and couldn't immediately find anything related to this.  If anyone has any suggestions I would appreciate it.
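Added example (not from the post above): a tunnel-mode strongSwan `ipsec.conf` fragment for the Debian side of the scenario described, using the post's addresses. In tunnel mode the Phase 2 traffic selectors (`leftsubnet`/`rightsubnet`) are independent of the IKE peer addresses (`left`/`right`), so the Debian host's own public IP can be its selector as a /32 host, which is what lets LAN-to-ETH0 traffic be carried inside the SA without GRE. The connection name, the use of strongSwan, IKEv2 with a pre-shared key, and the cipher choices are assumptions; the pfSense Phase 2 would need the mirror image (local network 172.16.1.0/24, remote network 200.200.200.200/32).

```conf
# /etc/ipsec.conf on the Debian box (200.200.200.200) -- assumed strongSwan setup
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn pfsense-lan                      # connection name is an assumption
    type=tunnel                       # ESP tunnel mode, not transport mode
    keyexchange=ikev2
    authby=secret                     # PSK; key itself lives in ipsec.secrets

    # IKE (Phase 1) endpoints: the two public addresses from the post
    left=200.200.200.200              # this host, ETH0
    right=100.100.100.100             # pfSense WAN interface

    # Traffic selectors (Phase 2): the /32 host selector on the left side is what
    # makes "destination IP = ETH0" traffic from the LAN match the tunnel SA.
    leftsubnet=200.200.200.200/32
    rightsubnet=172.16.1.0/24

    ike=aes256-sha256-modp2048!       # example proposals; match them on pfSense
    esp=aes256-sha256-modp2048!
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    auto=start
```

Verify with `ipsec statusall` (or `swanctl --list-sas` on newer releases) that the installed SA shows 172.16.1.0/24 === 200.200.200.200/32 as its traffic selectors; if LAN traffic still leaves in the clear, the pfSense outbound NAT rule for 0.0.0.0/0 is translating the LAN source before IPsec policy lookup and needs an exception for 200.200.200.200/32.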