IPSec local subnet differs from green


Most probably a simple solution, but I cannot find an answer.
I tried creating different firewall rules but no luck so far.

The IPSec Tunnel is established successfully.
The problem is that the second site has different subnets at their site.

As they also have (our green), they route all the traffic to which I had to add as our "local subnet".

When I now try to reach a machine on the other site via e.g. tracert it says Destination net unreachable.

My Question: Is it possible to have the local Subnet entered in IPSec differ from green?
The Subnet only exists in the IPSec configuration on our site.
If so, which firewall rules and routes do I have to create in order to get this to work?

Thank you

Have you already read the Wiki pages below:




Yes, I have, but I cannot find an answer there.


I was thinking, what if you do a source NAT (two rules, one for each direction), where the traffic coming from is NATted to a subset of your green network? Similar to the hub and spoke configuration described in the wiki?


Do you use a pre-shared key?


Connections with PSKs are very common and set up with only three settings:

You will need to generate a pre-shared key that is strong enough to not be guessed. It is recommended to use at least a 32 character long key.
Since the PSK is not enough to identify the connection in case of multiple connections using PSK authentication, you will need to fill in the "Local ID" and "Remote ID" fields. There are no restrictions for this; the pair must only be unique across all connections you have and must match the settings of the peer. You can use:
    Any ASCII string that starts with an @. It is common to use the hostname (e.g. @trucking.ipfire-at-home.com)
    Some vendors automatically fill in the IP addresses of both peers

Thanks for the fast answer, but the tunnel is established successfully.

Ah ok, thanks.

I also think that this has to be a NAT problem and tried different rules.

Green IP ( has to become a local subnet IP (172.21.105.x) which is then sent over IPSec to the destination and back again.

So 2 rules should be enough, yes.

Do I need extra routes in order to get this to work?

Below is an example of a working configuration



I do not think so, but I speak of what I do not understand well enough. My reasoning is the following: the traffic originating from the other side of the tunnel (172.2.105.X) will be remapped to a subset of your green network, say by SNAT, as well as the traffic originating from your side of the tunnel in that green sub-net should be sent back to the other side (172.2.105.X). This should be enough for a successful routing on both sides.

EDIT: maybe even one rule should be enough, without using a subset of your network? In the hub & spoke setup you needed two rules because you wanted to connect 2 networks through a central location. But in your case?

If you manage to solve the problem would you write a short “how to”, to leave some breadcrumbs for other people in the future?


The problem here is that both subnets 192.168.5.x and 172.21.105.x are on our site. is our green network and is the local subnet I entered on our site of the IPSec configuration and is only configured here. Otherwise does not exist on our site.

The Subnet from Site B is

I would need NATting on our site between and

I have a similar configuration:

Setup of Site B:


Change X to a free IP. The router must route the subnets and to X. And then your IPSec setup will work.


Sorry for the confusion I may have caused.
I'll try to explain it again.

Site A
IPSec config:
local subnet: (which is only configured here, and otherwise not existing in our network, so no gateway…)
Remote Host/IP: x.x.x.x
remote subnet:

Site B:
IPSec config:
local subnet:
Remote Host/IP: x.x.x.x
remote subnet:

Site B cannot enter as their remote subnet, as this subnet is also part of their network infrastructure.

How it should be: sends a request to → needs to know that can be reached over IPSec Tunnel. needs to become e.g. and sends the request over IPSec tunnel.

When the response comes back must be translated back to

I guess that I not only need NATting rules on our site A to translate 192.168.5.x to 172.21.105.x before sending through the IPSec tunnel.
And I can only make changes to site A and not B.
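As an added worked example (not code from the thread or from IPFire), this shows the 1:1 mapping the post above describes: green 192.168.5.x is rewritten to the tunnel-only 172.21.105.x before encapsulation and translated back on the reply path, which is exactly what iptables' NETMAP target does. Site B's subnet is not given on the page, so REMOTE_SUBNET is a labelled placeholder, and the chain placement (nat POSTROUTING for outbound, nat PREROUTING after decryption for inbound) is an assumption about where such rules must sit for the IPsec policy to see the translated source.

```python
"""Added example: 1:1 NETMAP between the real green subnet and the
tunnel-only local subnet from the thread. Not IPFire's own code."""
import ipaddress

GREEN_SUBNET = ipaddress.ip_network("192.168.5.0/24")    # real LAN at site A
TUNNEL_SUBNET = ipaddress.ip_network("172.21.105.0/24")  # exists only in the IPsec config
REMOTE_SUBNET = ipaddress.ip_network("10.99.99.0/24")    # PLACEHOLDER: site B's subnet is not on the page


def netmap(addr, src, dst):
    """Rewrite the network part of addr from src to dst while keeping the
    host bits, which is the behaviour of the iptables NETMAP target."""
    ip = ipaddress.ip_address(addr)
    if ip not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{addr} not in {src} or prefix length mismatch")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def nat_rules():
    """iptables rules for site A (chain placement is an assumption).
    Outbound: green -> tunnel subnet must happen before the IPsec policy
    lookup, so the tunnel selector 172.21.105.0/24 <-> REMOTE matches.
    Inbound: after ESP decryption the destination is translated back."""
    return [
        f"iptables -t nat -A POSTROUTING -s {GREEN_SUBNET} -d {REMOTE_SUBNET} "
        f"-j NETMAP --to {TUNNEL_SUBNET}",
        f"iptables -t nat -A PREROUTING -s {REMOTE_SUBNET} -d {TUNNEL_SUBNET} "
        f"-j NETMAP --to {GREEN_SUBNET}",
    ]


def round_trip(green_host):
    """A green host must come back to the same address on the reply path;
    otherwise the reply cannot be delivered to the original client."""
    out = netmap(green_host, GREEN_SUBNET, TUNNEL_SUBNET)
    back = netmap(out, TUNNEL_SUBNET, GREEN_SUBNET)
    return back == green_host


if __name__ == "__main__":
    print(netmap("192.168.5.23", GREEN_SUBNET, TUNNEL_SUBNET))  # 172.21.105.23
    print(round_trip("192.168.5.23"))                           # True
    print("\n".join(nat_rules()))
```

The client at 192.168.5.23 appears to site B as 172.21.105.23, and because NETMAP preserves host bits the reply is mapped back without per-host state.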

Thanks for your reply.
I don’t have a gateway for

Does Site B have access to site A? Is the problem only on your side, meaning that you cannot route from site B?

As far as I know, Site B is configured to accept requests from and send them back.
They have more customers with this setup, so it should be ok.

So yes, I guess the problem is only on our site A.

I guess if I could set this rule everything could work.


Have you tried these settings below?

I think it's what @steven was suggesting in post 12. Those commands should create the network and bridge it to the green interface. After that, it should be visible in the web user interface.


Sorry, but I can't understand how your network can work without a gateway?! What is the network configuration on a client in this network (IP, DNS, GW)?!
And the most important: How can communicate with in your setup?

However: IPFire must be a part of the network. If that subnet really doesn't have a gateway, which I don't think is the case, then IPFire will become the gateway for that subnet with my config of the screen on site A without the second route line. Set up the IPFire IP of as gateway on the clients. Then you can tunnel with the respective remote subnets and and it will work. If you also want a connection from to, you must set up a second tunnel with this remote subnet and it will work.

No, unfortunately it is not visible in the web interface, but it is there and can be used as a remote subnet in the IPSec setup and IPFire routes it accordingly.



I cannot change the settings on site B.

I have set up IPSec tunnels before with the settings you mentioned and they were all working.
