Goto Top

IPSec Mobile to an other network IPSEC

Good morning, sir,

Here is the network diagram of my infrastructure:

Network 1 =
Network 2 =
Network 3 =


Network 1 --> Network 2 OK
Network 1 --> Network 3 NO
Network 2 --> Network 3 OK

Network 2 --> Network 1 OK
Network 3 --> Network 1 NO
Network 3 --> Network 2 OK

Is it possible to create a phase 2 that mentions access to Network 1 through the normal IPSec tunnel?

Network 3 = Mobile it created by Pfsense of network 2

Content-Key: 559328

Url: https://administrator.de/contentid/559328

Printed on: December 4, 2023 at 10:12 o'clock

Member: yazzur
yazzur Mar 20, 2020 at 08:52:26 (UTC)
Goto Top
PFSense mit Fritzboxen verbinden

Vielleicht ist die Lösung hier, aber ich habe es nicht gut verstanden.
Member: SlainteMhath
SlainteMhath Mar 20, 2020 at 09:16:49 (UTC)
Goto Top

dein Netwrok 3 verwendet ein nicht-RFC1918 Subnetz. Ich denke das kann/macht die FritzBox so nicht.

Member: SlainteMhath
SlainteMhath Mar 20, 2020 at 09:45:50 (UTC)
Goto Top
Please, don't DM me for replies to forum posts.


You answered my question concerning the connection problem between the Ipsec networks.
Except that I don't have a FritzBox, I only use pfsense.

The link you posted was about pfsense and FBs ... but nevermind...

Still, you're using a non -RFC1918 Network, is this intentional?
Member: yazzur
yazzur Mar 20, 2020, updated at Apr 21, 2022 at 13:41:40 (UTC)
Goto Top
Yes, I did make a mistake in the network.
So I changed by which is RFC1918 compliant.
I still cannot access the network.
Here are some screenshots:

Connection to the VPN :

CMD ipconfig /all :




Network capture on PFSENSE Nework 2 "IPSEC" "ICMP" when / i ping with my computer VPN ipsec mobile :

So we can see that the ICMP request goes through the tunnel but the pfsense does not go to the second pfsense connected by ipsec.
Member: aqui
aqui Mar 20, 2020 at 16:33:05 (UTC)
Goto Top
Looks like network 1 and network 2 are VPN connected with a simple site to site tunnel, both on pfSense hardware.
Whats a bit unclear here is the network 3 site ?
The main question is why this is named IPsec mobile ?
IPsec mobile is usually used for mobile clients dialin like VPN onboard software clients in end devices. It does in general NOT do a site to site connection with routing as shown here in the drawing and is maybe a VPN misdesign.

Main question which still remains is if this "mobile" is just a typo in the drawing and the tunnel to network 3 is a site to site tunnel as well.
Or, if mobile IPsec is really in use here to establish the link. As said before from a design perspective its not correct that way but probably may work.
The other question is what kind of VPN hardware we are talking about here at network 3 ? pfSense as well ??
And finally: Is mobile IPsec here at network 3 really mandatory or can it just be also a static site to site VPN like in the connection between 1 and 2 ?
In the latter case the config would be of course very easy
The threadowner should answer this before we dig deeper into this issue ?
Member: yazzur
yazzur Mar 20, 2020 at 16:53:38 (UTC)
Goto Top
Thank you for your response.

The VPN tunnel between network 1 and 2 is of normal type.

The tunnel from network 2 to 3 must remain "mobile ipsec tunnel" because it is used for teleworking and access to our data.

In network 3 there is no pfsense it is the pfsense of network 2 which creates a network "" for the "mobile" remote users.

We want to be able to access data from anywhere in the world on the network but also

Making two mobile tunnels could work with on the computer station two separate routes, one that indicates goes through this tunnel to go on this network and the same for the other.

But I would like to be able to pass both networks in one tunnel.
The routes are already done automatically with a powershell script that creates the tunnel and the routes.

I just want to know how to route requests "Source: --> Destination: through the tunnel that separates networks and" with NAT or something else.

Tell me if you don't understand, I'll try to be more explicit with a better schema.
Member: aqui
aqui Mar 21, 2020 updated at 08:06:36 (UTC)
Goto Top
In network 3 there is no pfsense it is the pfsense of network 2 which creates a network "" for the "mobile" remote users.
So to make it clear for us. network 3 is just a mobile user dialin in to the pfSense on 2. Is that correct ?
So more or less a classic VPN dialin solution what is described here in this tutorial:
IPsec IKEv2 VPN für mobile Benutzer auf der pfSense oder OPNsense Firewall einrichten
Do you use IKEv2 here to cover Win 10 users with their onboard clients or do you still use standard IKEv1.
I will post some screenshots for the solution over the weekend.
Member: yazzur
yazzur Mar 21, 2020 at 10:15:38 (UTC)
Goto Top
You are right, network 3 is created by the mobile ipsec tunnel of the pfsense network 2 that you see on my diagram.

So network 3 is composed of mobile devices that connect using the VPN client built into Windows.

I automated the creation of the tunnel and the import of the certificate with powershell transformed into "exe". I can give you the code if needed and let you share it on your forum if you want. It's very handy but for now it only works on Windows 10. I haven't tested it on Windows 7, 8 and 8.1 yet.

Here are the screenshots of my mobile IPsec configuration :












Thanks again for your help, don't hesitate if you need something else or the powershell script to create the tunnel.
Member: aqui
aqui Mar 21, 2020 updated at 12:56:16 (UTC)
Goto Top
And here is your solution !
The setup this scenario is based on, reflects pretty much your design:


Due to the fact that you need to tunnel the VPN dialin IP network you need to add a second P2 entry either into the static tunnel to network 1 as well as into both tunnels on the pfSense at network 2.
The network 2 pfSense must have two Phase 2s defined for both tunnels !
The static one which serves network 1 and the tunnel which servers the mobile VPN users network 3.
The above setup has different network IP settings which is just cosmetic and you have to modify them to your individual settings.
  • Internal IPsec IKEv2 VPN IP network: /24
  • Local networks at network 1: /25 and /25. (Both combined in the IPsec P2 settings under a /24 mask !)
  • Local network at network 2: /24
See the individual setup screenshots:

back-to-top1.) Static tunnel at pfSense location "network 1":

First P2 type is set to "network" and local: /24, remote: which sends both local networks into the static tunnel.
Second P2 type set as well to "network" and local: /24 remote: /24 which sends the VPN client network into the tunnel

back-to-top2.) Static and mobile tunnel at pfSense location "network 2":

Here its more or less the same.
First P2 entry in the mobile client tunnel serves the local network to the clients.
Second P2 entry in the mobile client tunnel serves the remote network at network 1 to the clients.
Same with the counterpart of the static network tunnel to network 1.

back-to-top3.) Mobile client settings at pfSense location "network 2":

Client VPN dialin setting is fully based on this local tutorial which has all the details:
IPsec IKEv2 VPN für mobile Benutzer auf der pfSense oder OPNsense Firewall einrichten

Both networks should be provided to the clients.

back-to-top4.) Dashboard overview at "network 2":

  • Tunnel with both P2s established to network 1.
  • One active client (Windows 10 with onboard VPN client) connected.

back-to-top5.) Connectivity checks on the client:

Optionally you should set a static route into the VPN client connection on the Windows 10 site with Power Shell (Admin mode): Add-VpnConnectionRoute -ConnectionName "pfSense" -DestinationPrefix -PassThru
and additionally
Add-VpnConnectionRoute -ConnectionName "pfSense" -DestinationPrefix -PassThru

This is usually not mandatory cause the pfSense mobile connection setup will provide both configured P2 networks automatically into the client routing table during client tunnel establishment. But Windows is here a bit "sensitive", cause the internal routing table needs administrator rights. So its more waterproof to additionnally add that route into the VPN client setup here to make sure it works under all circumstances.

Checking the client routing table while the client is connected:
C:\WINDOWS> route print
 18...00 23 5a 4f 01 55 ......Intel(R) 82567LM Gigabit Network Connection
  9...00 22 fa 7b c9 c7 ......Intel(R) WiFi Link 5100 AGN
  1...........................Software Loopback Interface 1

Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
     55   Auf Verbindung     36   Auf Verbindung    291     56   Auf Verbindung    291   Auf Verbindung    331   Auf Verbindung    331   Auf Verbindung    331     56   Auf Verbindung     36   Auf Verbindung    291   Auf Verbindung     36   Auf Verbindung    291 
As you can see route entry " Auf Verbindung 36" shows that all traffic from the VPN client to network 1 networks (and of course for local network 2 LAN !) is send into the client VPN tunnel ( !

VPN client has gotten the right IP address ( from the internal VPN IP which could also be seen in the above routing table:
C:\WINDOWS> ipconfig

Ethernet-Adapter LAN-Verbindung:
   Verbindungsspezifisches DNS-Suffix: testing.intern
   Verbindungslokale IPv6-Adresse  . : fe80::f488:debb:2cdf:1234%18
   IPv4-Adresse  . . . . . . . . . . :
   Subnetzmaske  . . . . . . . . . . :
   Standardgateway . . . . . . . . . : fe80::1:1%18

PPP-Adapter pfSense:
   Verbindungsspezifisches DNS-Suffix:
   IPv4-Adresse  . . . . . . . . . . :
   Subnetzmaske  . . . . . . . . . . :
   Standardgateway . . . . . . . . . : 

And finally the Ping check into the local LAN on network 1:
Ping wird ausgeführt für mit 32 Bytes Daten:
Antwort von Bytes=32 Zeit=11ms TTL=63
Antwort von Bytes=32 Zeit=8ms TTL=63
Antwort von Bytes=32 Zeit=4ms TTL=63
Antwort von Bytes=32 Zeit=11ms TTL=63

Ping-Statistik für
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 4ms, Maximum = 11ms, Mittelwert = 8ms 
A Ping to a local switch management IP address was also successful !

Works as designed ! face-wink
And...if it works for you as well, feel free to post or link it to the Netgate forum as well !!
Member: yazzur
yazzur Mar 21, 2020 at 14:37:07 (UTC)
Goto Top
Thank you very much, that's perfect.
Everything works perfectly!
I still had to do an "f-route" as administrator to make it work.
As well as a reboot of my "client" machine, of the Ipsec service but also of each tunnel.

You are an extraordinary person, thank you very much.
Member: aqui
aqui Mar 21, 2020 updated at 16:43:44 (UTC)
Goto Top
Merci bien ! You're welcome !
Glad it helped you to fix this.