The IPsec interface allows the peers to talk directly, but in most cases with IPsec there is more interesting traffic to handle. For example, a larger subnet on the LAN side of each peer that must communicate securely.
To allow these networks to reach one another, routes are required. These may be managed manually using static routes, or a dynamic routing protocol such as BGP can manage the routes automatically.
IPsec Static Route Example¶
This example adds a static route to the main IPv4 routing table for a subnet
located behind the peer. Any traffic trying to reach a host inside the
10.25.0.0/16 subnet will be routed through the
ipsec0 interface using
the peer address in that subnet (
184.108.40.206) as the next hop.
tnsr(config)# route ipv4 table ipv4-VRF:0 tnsr(config-route-table-v4)# route 10.25.0.0/16 tnsr(config-rttbl4-next-hop)# next-hop 0 via 220.127.116.11 ipsec0 tnsr(config-rttbl4-next-hop)# exit tnsr(config-route-table-v4)# exit tnsr(config)# exit
For a larger example involving BGP for dynamic route management, see TNSR IPsec Hub for pfSense.