IPsec with Multiple Subnets
From PFSenseDocs
This article is part of the HOWTO series.
Summary
In pfSense 1.2.x, each IPsec tunnel can carry only one local subnet/remote subnet pair. To reach several remote subnets through IPsec you have two workarounds: supernetting (combining the subnets into one larger network that covers them all) or parallel tunnels (one tunnel per subnet).
Supernetting Example
At Site A, you have one subnet, 10.0.0.0/24. You would like it to reach 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24 at Site B.
Because these subnets are contiguous and aligned on a CIDR boundary, you can enter a single larger network as the remote subnet in the tunnel definition: 192.168.0.0/22. Be aware that this aggregate also includes 192.168.3.0/24, so traffic for that range is sent into the tunnel as well. The aggregate must not overlap the Site A subnet, and the Site B end must use the same aggregate as its local subnet.
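The aggregate is easy to get wrong by hand, so here is an added helper (not part of the original page) that computes the smallest single CIDR block covering a list of remote subnets, lists the extra ranges the aggregate pulls into the tunnel, and checks that it does not overlap the local subnet. It uses only Python's standard library; the subnets below are the page's own.

```python
import ipaddress
from typing import Iterable, List


def smallest_supernet(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every given subnet.

    pfSense 1.2.x takes exactly one remote network per IPsec tunnel, so the
    phase 2 definition has to be one aggregate. Start from the first subnet
    and widen it one bit at a time until it covers all the others.
    strict=True rejects host-style notation such as 192.168.0.1/24.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        if agg.prefixlen == 0:   # already 0.0.0.0/0, nothing wider exists
            break
        agg = agg.supernet()
    return agg


def uncovered_extras(agg: ipaddress.IPv4Network, subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Address blocks inside the aggregate that are not one of the intended
    subnets, i.e. traffic the tunnel would carry unintentionally."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    extras = [agg]
    for n in nets:
        remaining = []
        for e in extras:
            if n.subnet_of(e):
                # carve the intended subnet out of this piece
                remaining.extend(e.address_exclude(n))
            elif e.subnet_of(n):
                # piece is entirely inside an intended subnet: drop it
                continue
            else:
                remaining.append(e)
        extras = remaining
    return sorted(extras)


def check_aggregate(local: str, remote_subnets: Iterable[str]) -> dict:
    """Summarise what a supernetted tunnel definition would actually do."""
    remote_subnets = list(remote_subnets)
    agg = smallest_supernet(remote_subnets)
    loc = ipaddress.ip_network(local, strict=True)
    return {
        "aggregate": str(agg),
        "extras": [str(e) for e in uncovered_extras(agg, remote_subnets)],
        "overlaps_local": agg.overlaps(loc),
    }


if __name__ == "__main__":
    # The page's supernetting example: three contiguous /24s at Site B.
    print(check_aggregate("10.0.0.0/24",
                          ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]))
    # The page's parallel-tunnels example: no sane aggregate exists.
    print(check_aggregate("10.0.0.0/24",
                          ["192.168.0.0/24", "172.16.0.0/24", "1.2.3.0/24"]))
```

For the three contiguous subnets the result is 192.168.0.0/22 with 192.168.3.0/24 as the only extra range. For the scattered subnets of the next section the only covering block is 0.0.0.0/0, which also overlaps the local subnet; that is the case where parallel tunnels are the right tool.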
Parallel Tunnels Example
Here is a slightly trickier setup: Site A has 10.0.0.0/24, but Site B has 192.168.0.0/24, 172.16.0.0/24, and 1.2.3.0/24. These cannot be combined into a useful supernet.
It isn't as hard as it seems, however. You only need to set up as many tunnels as you have subnets. Most of the phase 1 information will be identical, but each tunnel will need its own unique identifier.
Start by creating the first tunnel and making sure it is up and can pass traffic. Click the "+" button next to your working tunnel to copy it, and change the 'remote subnet' to one of the other subnets you wish to reach. Change the identifier to something different from the previous tunnel's.
Make the same changes on the other end of the tunnel, but there alter the "local subnet", and ensure that the identifiers match up for each subnet. That is, the identifier at Site A for 10.0.0.0/24 -> 172.16.0.0/24 must match the identifier at Site B for 172.16.0.0/24 -> 10.0.0.0/24.
Repeat the last two steps for each additional subnet.
Using Mobile Tunnels
The parallel tunnels technique also works with mobile tunnels. On the server side, you need to create a unique Identifier/Pre-Shared Key (PSK) entry for each subnet. The PSK itself may be the same for every entry, as long as the identifiers are unique. If you have three subnets, you could use site-a1@example.com, site-a2@example.com, and site-a3@example.com.
On the client side, you need to create a tunnel for each subnet and use a different Identifier/PSK pair for each tunnel.
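Both the parallel-tunnels procedure above and the mobile-tunnel identifier scheme come down to the same bookkeeping: one tunnel per subnet, local and remote swapped at the two ends, and a unique identifier that is the same on both ends of each pair. The following added example (not from the original page) builds that plan for both sites and checks it for the two mistakes the text warns about, a reused identifier and an identifier that does not match its counterpart. The identifier format site-aN@example.com is taken from the page; the Site B subnets are those of the parallel-tunnels example.

```python
import ipaddress
from typing import Dict, List, Tuple

Tunnel = Dict[str, str]


def tunnel_plan(site_a_subnet: str, site_b_subnets: List[str],
                id_base: str = "site-a", id_domain: str = "example.com") -> Tuple[List[Tunnel], List[Tunnel]]:
    """Build the parallel tunnel definitions for both ends.

    pfSense 1.2.x allows one local/remote subnet pair per tunnel, so each
    Site B subnet gets its own tunnel. The identifier follows the page's
    user-FQDN style (site-a1@example.com, site-a2@example.com, ...).
    Returns (site_a_tunnels, site_b_tunnels).
    """
    local = ipaddress.ip_network(site_a_subnet, strict=True)
    a_side: List[Tunnel] = []
    b_side: List[Tunnel] = []
    for i, remote in enumerate(site_b_subnets, start=1):
        rnet = ipaddress.ip_network(remote, strict=True)
        if rnet.overlaps(local):
            raise ValueError(f"{rnet} overlaps the local subnet {local}")
        ident = f"{id_base}{i}@{id_domain}"
        # Site A: local is its own LAN, remote is the Site B subnet.
        a_side.append({"local": str(local), "remote": str(rnet), "identifier": ident})
        # Site B: the same pair with local and remote swapped, same identifier.
        b_side.append({"local": str(rnet), "remote": str(local), "identifier": ident})
    return a_side, b_side


def check_plan(a_side: List[Tunnel], b_side: List[Tunnel]) -> List[str]:
    """Verify the two ends mirror each other.

    Every Site A tunnel must have a Site B counterpart with local/remote
    swapped and the same identifier, and identifiers must be unique per
    site. Returns a list of problem descriptions; empty means consistent.
    """
    problems: List[str] = []
    for site_name, side in (("Site A", a_side), ("Site B", b_side)):
        ids = [t["identifier"] for t in side]
        for dup in sorted({x for x in ids if ids.count(x) > 1}):
            problems.append(f"{site_name}: identifier {dup} reused")
    # Index Site B by (its remote, its local) so it lines up with Site A's (local, remote).
    b_index = {(t["remote"], t["local"]): t["identifier"] for t in b_side}
    for t in a_side:
        key = (t["local"], t["remote"])
        if key not in b_index:
            problems.append(f"no Site B tunnel for {t['local']} -> {t['remote']}")
        elif b_index[key] != t["identifier"]:
            problems.append(f"identifier mismatch for {t['local']} -> {t['remote']}: "
                            f"{t['identifier']} vs {b_index[key]}")
    return problems


if __name__ == "__main__":
    a, b = tunnel_plan("10.0.0.0/24", ["192.168.0.0/24", "172.16.0.0/24", "1.2.3.0/24"])
    for t in a:
        print("Site A:", t)
    for t in b:
        print("Site B:", t)
    print("problems:", check_plan(a, b))
```

Run it as-is to print the three mirrored definitions and an empty problem list; change one identifier on the Site B side and check_plan reports both the duplicate and the mismatch, which is exactly what the tunnel would silently fail on.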
Other Multiple Subnet Considerations
If your "main" remote subnet at Site B is a private network, but another destination reached through the Site B tunnel is a public range that Site B must route out its own WAN, you will need a manual outbound NAT rule at Site B: on the WAN interface, translate traffic whose source is the Site A LAN subnet (10.0.0.0/24 here) to the Site B WAN address. The automatic outbound NAT rules only cover Site B's own local networks, so without this rule packets arriving over the tunnel would leave the Site B WAN with their private Site A source addresses and the replies would never come back.
Categories: Howto | IPsec
