Using IPsec with Multiple Subnets
pfSense® software handles multiple IPsec networks using separate IPsec phase 2 entries which define source and destination pairs to pass through a tunnel.
For example, to accommodate the table below, define two Phase 2 entries on both sides:

Site A        | Site B
--------------|------------
172.16.0.0/24 | 10.0.0.0/24
172.16.1.0/24 |

On the Site A Firewall:

172.16.0.0/24 to 10.0.0.0/24
172.16.1.0/24 to 10.0.0.0/24

On the Site B Firewall:

10.0.0.0/24 to 172.16.0.0/24
10.0.0.0/24 to 172.16.1.0/24
This works for any additional networks on either side, such as multiple local interfaces, mobile VPN clients, networks on the other end of VPNs connected to the remote router, etc.
Supernetting Example
If the equipment to which the tunnel connects does not support multiple phase 2 entries, it may be necessary to employ supernetting/CIDR summarization to fit the networks into a single phase 2.
Tip: This technique can also be used to keep the phase 2 list shorter and more manageable.
It is also more reliable to use fewer phase 2 entries as there is less to negotiate when building or rekeying tunnels. Note that this only applies to IKEv1 or IKEv2 with Split Connections, as IKEv2 uses a single child SA by default.
For example, consider the networks in the following table:

Site A         | Site B
---------------|--------
192.168.0.0/24 |
192.168.1.0/24 |
192.168.2.0/24 |

Because these subnets are adjacent, they can be grouped into a single larger network in the tunnel definition: 192.168.0.0/22.
Note: This larger subnet also includes 192.168.3.0/24 because of the way subnet boundaries work: a /22 always covers four consecutive /24 networks. If that is unacceptable, an alternate solution may be required, such as firewalling that subnet off or replacing the equipment at the end which does not support multiple networks.
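The following is an added worked example, not code from the pfSense documentation. It uses only Python's standard ipaddress module to do the two calculations described above for arbitrary lists of networks: generating the phase 2 source/destination pairs each firewall needs (the first example), and, for the supernetting alternative, finding the smallest single prefix that covers one side's networks together with the extra address space that prefix silently admits (the 192.168.3.0/24 caveat). The sample networks are the ones from the tables above; the function names are this example's own.

```python
# Added worked example (not from the pfSense documentation): generate the phase 2
# entries each side needs for a set of networks, and for the supernetting
# alternative compute the smallest single prefix that covers one side's networks
# plus the extra address space that prefix also admits. Uses only Python's
# standard ipaddress module; the sample networks are the ones from the tables above.
import ipaddress
from itertools import product


def phase2_pairs(local_nets, remote_nets):
    """Phase 2 entries needed on ONE firewall: one (local, remote) pair for every
    combination of a local network and a remote network, returned as strings."""
    locals_ = [ipaddress.ip_network(n) for n in local_nets]
    remotes = [ipaddress.ip_network(n) for n in remote_nets]
    return [(str(loc), str(rem)) for loc, rem in product(locals_, remotes)]


def covering_supernet(nets):
    """Smallest single CIDR prefix that contains every network in `nets`."""
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen the prefix one bit at a time
    return candidate


def unintended_space(nets):
    """Address blocks inside the covering supernet that are NOT in `nets`.
    A summarized phase 2 would also carry traffic for these ranges, so they are
    what has to be firewalled off (or the reason to avoid summarization)."""
    # Merge adjacent/overlapping inputs first so the carve-out below is exact.
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))
    leftover = [covering_supernet(nets)]
    for n in nets:
        remaining = []
        for block in leftover:
            if block.subnet_of(n):
                continue  # block lies entirely inside a listed network: drop it
            if n.subnet_of(block):
                remaining.extend(block.address_exclude(n))  # carve n out of block
            else:
                remaining.append(block)  # disjoint from n: keep as-is
        leftover = remaining
    return [str(b) for b in ipaddress.collapse_addresses(leftover)]


if __name__ == "__main__":
    # First table: two networks at Site A, one at Site B.
    site_a = ["172.16.0.0/24", "172.16.1.0/24"]
    site_b = ["10.0.0.0/24"]
    print("Site A phase 2 entries:", phase2_pairs(site_a, site_b))
    print("Site B phase 2 entries:", phase2_pairs(site_b, site_a))

    # Supernetting example: three adjacent /24s at Site A.
    summarized = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
    print("Covering supernet:", covering_supernet(summarized))
    print("Also admitted by that supernet:", unintended_space(summarized))
```

Run the script to see the four phase 2 entries from the first example and, for the supernetting example, that 192.168.0.0/22 is the covering prefix and 192.168.3.0/24 is the only block it adds. Feeding unintended_space a non-contiguous set such as 192.168.1.0/24 and 192.168.2.0/24 shows why summarization needs checking before use: the same /22 is required, but it then admits both 192.168.0.0/24 and 192.168.3.0/24.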