IPsec Routes

The IPsec interface allows the peers to talk directly, but in most IPsec deployments there is more interesting traffic to handle as well, for example a larger subnet on the LAN side of each site-to-site peer that must communicate securely with the network behind the other peer.

Note

Routes are not necessary on TNSR for remote access IPsec.

To allow these networks to reach one another, routes are required. These may be managed manually using static routes, or a dynamic routing protocol such as BGP can manage the routes automatically.

IPsec Static Route Example

This example adds a static route to the main IPv4 routing table (ipv4-VRF:0) for a subnet located behind the peer. Any traffic destined for a host inside the 10.25.0.0/16 subnet will be routed through the ipip0 interface, using the peer's address on the tunnel (172.32.0.2) as the next hop.

tnsr(config)# route table ipv4-VRF:0
tnsr(config-route-table)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table)# exit
tnsr(config)# exit
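The following is an added illustration, not TNSR's own code, of the forwarding decision the static route above produces. It builds a small routing table that mirrors the example (10.25.0.0/16 via 172.32.0.2 on ipip0) alongside a hypothetical default route (the 203.0.113.1 next hop and GigabitEthernet0/0/0 interface name are constructed for the example), performs a longest-prefix match the way a forwarding table does, and audits a list of destinations to show which ones would leave through the tunnel and which would bypass it. The practical point is that only destinations covered by a route pointing at the tunnel interface are carried inside IPsec; a remote host outside the routed prefix follows the default route in the clear, so the routed prefix must cover every remote network that needs protection.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]
    interface: str


# Constructed routing table mirroring the static route example above.
# The default route's next hop and interface name are hypothetical.
ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("10.25.0.0/16"),
          ipaddress.IPv4Address("172.32.0.2"), "ipip0"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"),
          ipaddress.IPv4Address("203.0.113.1"), "GigabitEthernet0/0/0"),
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def goes_through_tunnel(dst: str, routes: List[Route] = ROUTES,
                        tunnel_if: str = "ipip0") -> bool:
    """True when dst is forwarded out the IPsec tunnel interface."""
    r = lookup(dst, routes)
    return r is not None and r.interface == tunnel_if


def audit(destinations: List[str], routes: List[Route] = ROUTES,
          tunnel_if: str = "ipip0") -> List[str]:
    """Return the destinations that would NOT be carried inside the tunnel.

    Any remote host that appears in this list is reachable only via the
    default route (cleartext), which usually means the static route's
    prefix is too narrow or missing.
    """
    return [d for d in destinations if not goes_through_tunnel(d, routes, tunnel_if)]


if __name__ == "__main__":
    # Constructed sample: two hosts inside the routed prefix, one just outside.
    sample = ["10.25.7.9", "10.25.255.254", "10.26.0.1"]
    for d in sample:
        r = lookup(d)
        print(f"{d:15} -> {r.interface} via {r.next_hop}")
    print("bypassing the tunnel:", audit(sample))
```

Running the block prints the selected interface and next hop for each sample destination and then lists 10.26.0.1 as the one host that would bypass the tunnel, which is the kind of check worth doing whenever a remote LAN is added or renumbered.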

See also

For a larger example involving BGP for dynamic route management, see TNSR IPsec Hub for pfSense software nodes.