IPsec Routes
The IPsec interface allows the peers to talk directly, but in most cases with IPsec there is more interesting traffic to handle. For example, each site-to-site peer typically has a larger subnet on its LAN side that must communicate securely with the subnet behind the other peer.
Note
Routes are not necessary on TNSR for remote access IPsec.
To allow these networks to reach one another, routes are required. These may be managed manually using static routes, or a dynamic routing protocol such as BGP can manage the routes automatically.
IPsec Static Route Example
This example adds a static route to the main IPv4 routing table for a subnet located behind the peer. Any traffic trying to reach a host inside the 10.25.0.0/16 subnet will be routed through the ipip0 interface using the peer address in that subnet (172.32.0.2) as the next hop.
tnsr(config)# route table default
tnsr(config-route-table)# route 10.25.0.0/16
tnsr(config-rttbl4-next-hop)# next-hop 0 via 172.32.0.2
tnsr(config-rttbl4-next-hop)# exit
tnsr(config-route-table)# exit
tnsr(config)# exit
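To show why the route matters, here is an added Python example (not part of the TNSR documentation) that models longest-prefix matching over the route from this page plus an assumed default route, and flags protected prefixes that would fall through to the default route instead of ipip0. The default route, its gateway 203.0.113.1 and the interface name wan0 are constructed placeholders.

```python
"""Route-lookup model for the IPsec static route example.

Added example, not TNSR code. Shows that traffic for the peer's subnet is
bound to the tunnel interface (ipip0) only because of the explicit /16
route; without it, the traffic would follow the default route instead.
"""
from ipaddress import ip_address, ip_network

# Constructed table: the route from the CLI example plus an assumed default
# route via a hypothetical WAN gateway/interface (placeholder values).
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "wan0"),      # assumed default route
    ("10.25.0.0/16", "172.32.0.2", "ipip0"),   # route from the example
]


def lookup(dst, routes=ROUTES):
    """Return (prefix, next_hop, interface) of the most specific match, or None."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if addr not in net:
            continue
        # Longest prefix wins, as in the main IPv4 table.
        if best is None or net.prefixlen > ip_network(best[0]).prefixlen:
            best = (prefix, next_hop, iface)
    return best


def routes_missing_for(protected, routes=ROUTES, tunnel_iface="ipip0"):
    """Return protected prefixes whose edges do not resolve to the tunnel.

    Both the first and last address of each prefix are looked up; if either
    resolves to another interface (or to nothing), a route is missing.
    """
    missing = []
    for prefix in protected:
        net = ip_network(prefix)
        for probe in (net[0], net[-1]):
            match = lookup(probe, routes)
            if match is None or match[2] != tunnel_iface:
                missing.append(prefix)
                break
    return missing


if __name__ == "__main__":
    print(lookup("10.25.7.9"))    # ('10.25.0.0/16', '172.32.0.2', 'ipip0')
    print(lookup("192.0.2.10"))   # ('0.0.0.0/0', '203.0.113.1', 'wan0')
    print(routes_missing_for(["10.25.0.0/16", "10.26.0.0/16"]))  # ['10.26.0.0/16']
```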
See also
For a larger example involving BGP for dynamic route management, see TNSR IPsec Hub for pfSense software nodes.