Using IPsec with Multiple Subnets

pfSense® software handles multiple IPsec networks using separate IPsec phase 2 entries which define source and destination pairs to pass through a tunnel.

For example, to accommodate the table below, define two Phase 2 entries on both sides:

Site A

Site B

172.16.0.0/24

10.0.0.0/24

172.16.1.0/24

On the Site A Firewall:

  • 172.16.0.0/24 to 10.0.0.0/24

  • 172.16.1.0/24 to 10.0.0.0/24

On the Site B Firewall:

  • 10.0.0.0/24 to 172.16.0.0/24

  • 10.0.0.0/24 to 172.16.1.0/24

This works for any additional networks on either side, such as multiple local interfaces, mobile VPN clients, networks on the other end of VPNs connected to the remote router, etc.

Supernetting Example

If the equipment to which the tunnel connects does not support multiple phase 2 entries, it may be necessary to employ supernetting/CIDR summarization to fit the networks into a single phase 2.

Tip

This technique can also be used to keep the phase 2 list shorter and more manageable.

It is also more reliable to use fewer phase 2 entries as there is less to negotiate when building or rekeying tunnels. Note that this only applies to IKEv1 or IKEv2 with Split Connections, as IKEv2 uses a single child SA by default.

For example, consider the networks in the following table:

Site A

Site B

192.168.0.0/24

10.0.0.0/24

192.168.1.0/24

192.168.2.0/24

Due to the fact that the subnets are close to each other they can be grouped into a larger network in the tunnel definition: 192.168.0.0/22.

Note

This larger subnet also includes 192.168.3.0/24 due to the way subnet math and boundaries work. If that is unacceptable then an alternate solution may be required, such as firewalling that subnet off or using different equipment at the end which does not support multiple networks.