IPsec Routes

The IPsec interface allows the peers to talk directly, but in most IPsec deployments there is more interesting traffic to handle, for example a larger subnet on the LAN side of each peer that must communicate securely with the subnet behind the other peer.

To allow these networks to reach one another, routes are required. These may be managed manually using static routes, or a dynamic routing protocol such as BGP can manage the routes automatically.

IPsec Static Route Example

This example adds a static route to the main IPv4 routing table for a subnet located behind the peer. Any traffic destined for a host inside the 10.25.0.0/16 subnet will be routed through the ipsec0 interface, using the peer's IPsec interface address (172.32.0.2) as the next hop.

tnsr(config)# route ipv4 table ipv4-VRF:0
tnsr(config-route-table-v4)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2 ipsec0
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table-v4)# exit
tnsr(config)# exit
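The following is an added example, not TNSR's own code or output. It models the routing decision the static route above makes as a longest-prefix match in Python, renders the same TNSR CLI commands from a route list, and includes a check a defender would want before trusting the tunnel: confirming that every remote prefix meant to be protected actually resolves to ipsec0 rather than to the default route (which would send it out in the clear). The LAN prefix 192.168.1.0/24, the interface names lan0 and wan0, and the WAN gateway 203.0.113.1 are constructed values; only 10.25.0.0/16, 172.32.0.2, ipsec0 and the table name ipv4-VRF:0 come from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None for a directly connected prefix
    interface: str


def route(prefix: str, interface: str, via: Optional[str] = None) -> Route:
    """Build a Route from strings; 'via' is omitted for connected prefixes."""
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(via) if via else None, interface)


class RouteTable:
    """Minimal longest-prefix-match IPv4 table (a model for illustration, not TNSR's FIB)."""

    def __init__(self, routes: Iterable[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Return the most specific route covering dst, or None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def tnsr_static_route_cli(self, table: str = "ipv4-VRF:0") -> List[str]:
        """Render the static (next-hop) routes in the command form used on this page."""
        lines = [f"route ipv4 table {table}"]
        for r in self.routes:
            if r.next_hop is None:  # connected prefixes are not configured as static routes
                continue
            lines += [f"route {r.prefix}", f"next-hop 0 via {r.next_hop} {r.interface}", "exit"]
        lines.append("exit")
        return lines


def unprotected_prefixes(table: RouteTable, protected: Iterable[str],
                         ipsec_iface: str = "ipsec0") -> List[str]:
    """Return the protected prefixes whose traffic would NOT leave via the IPsec interface.

    A prefix is covered only if its best covering route uses ipsec_iface AND no
    more-specific route inside it points elsewhere (which would steal part of it).
    """
    leaks = []
    for p in protected:
        net = ipaddress.ip_network(p)
        covering = [r for r in table.routes if net.subnet_of(r.prefix)]
        best = max(covering, key=lambda r: r.prefix.prefixlen, default=None)
        more_specific = [r for r in table.routes if r.prefix != net and r.prefix.subnet_of(net)]
        if (best is None or best.interface != ipsec_iface
                or any(r.interface != ipsec_iface for r in more_specific)):
            leaks.append(str(net))
    return leaks


# Constructed sample tables: a LAN and a default route over the WAN (assumed values),
# with and without the static route from the page.
WITHOUT_IPSEC_ROUTE = RouteTable([
    route("192.168.1.0/24", "lan0"),
    route("0.0.0.0/0", "wan0", via="203.0.113.1"),
])
WITH_IPSEC_ROUTE = RouteTable(
    WITHOUT_IPSEC_ROUTE.routes + [route("10.25.0.0/16", "ipsec0", via="172.32.0.2")]
)

if __name__ == "__main__":
    for table_name, table in (("without route", WITHOUT_IPSEC_ROUTE), ("with route", WITH_IPSEC_ROUTE)):
        r = table.lookup("10.25.4.7")
        print(f"{table_name}: 10.25.4.7 -> {r.interface} via {r.next_hop}")
        print(f"{table_name}: unprotected = {unprotected_prefixes(table, ['10.25.0.0/16'])}")
    print("\n".join(WITH_IPSEC_ROUTE.tnsr_static_route_cli()))
```

Without the static route, 10.25.4.7 falls through to the default route on wan0, so the check reports 10.25.0.0/16 as unprotected; with the route it resolves to ipsec0 via 172.32.0.2 and the rendered commands match the transcript above. The same check is useful after a dynamic routing protocol has installed routes, since a more-specific route learned from elsewhere can silently pull part of a protected prefix away from the tunnel.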

See also

For a larger example involving BGP for dynamic route management, see TNSR IPsec Hub for pfSense.