diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 22ffa3fd7..a04477659 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1131,6 +1131,15 @@ EOD;
 }
 $ipsecconf .= "\tcharondebug=\"" .implode(',', $cfg_loglevels) . "\"\n";
+ if (!empty($config['ipsec']['passthrough_networks'])) {
+ $ipsecconf .= "\nconn pass\n";
+ $ipsecconf .= "\tright=127.0.0.1 # so this connection does not get used for other purposes\n";
+ $ipsecconf .= "\tleftsubnet={$config['ipsec']['passthrough_networks']}\n";
+ $ipsecconf .= "\trightsubnet={$config['ipsec']['passthrough_networks']}\n";
+ $ipsecconf .= "\ttype=passthrough\n";
+ $ipsecconf .= "\tauto=route\n";
+ }
+
 foreach ($a_phase1 as $ph1ent) {
 if (isset($ph1ent['disabled'])) {
 continue;
diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php
index 69c7f35a9..c53804fa3 100644
--- a/src/www/vpn_ipsec_settings.php
+++ b/src/www/vpn_ipsec_settings.php
@@ -40,6 +40,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig = array();
 $pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
 $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
+ if (!empty($config['ipsec']['passthrough_networks'])) {
+ $pconfig['passthrough_networks'] = explode(',', $config['ipsec']['passthrough_networks']);
+ } else {
+ $pconfig['passthrough_networks'] = array();
+ }
 foreach ($ipsec_loglevels as $lkey => $ldescr) {
 if (!empty($config['ipsec']["ipsec_{$lkey}"])) {
 $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
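Review bot: In the ipsec.inc hunk, the new `conn pass` block writes `$config['ipsec']['passthrough_networks']` into `leftsubnet=` and `rightsubnet=` exactly as stored, so the generator depends on whoever saved the setting having validated it. The settings page in this commit checks each entry with `is_subnet()`, but a restored or hand-edited configuration bypasses that check, and a stored value containing a line break would put extra directives into the generated IPsec configuration. I would validate again at generation time, e.g. `$nets = array_filter(explode(',', $config['ipsec']['passthrough_networks']), 'is_subnet');`, emit the block only when `$nets` is non-empty, and write `implode(',', $nets)` into both subnet lines. The enclosing function starts and ends outside the hunk.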
@@ -48,42 +53,66 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 }
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
- // save form data
 $pconfig = $_POST;
- if (!empty($pconfig['disablevpnrules'])) {
- $config['system']['disablevpnrules'] = true;
- } elseif (isset($config['system']['disablevpnrules'])) {
- unset($config['system']['disablevpnrules']);
- }
- if (isset($pconfig['preferoldsa_enable']) && $pconfig['preferoldsa_enable'] == "yes") {
- $config['ipsec']['preferoldsa'] = true;
- } elseif (isset($config['ipsec']['preferoldsa'])) {
- unset($config['ipsec']['preferoldsa']);
- }
- if (isset($config['ipsec']) && is_array($config['ipsec'])) {
- foreach ($ipsec_loglevels as $lkey => $ldescr) {
- if (empty($_POST["ipsec_{$lkey}"])) {
- if (isset($config['ipsec']["ipsec_{$lkey}"])) {
- unset($config['ipsec']["ipsec_{$lkey}"]);
- }
- } else {
- $config['ipsec']["ipsec_{$lkey}"] = $_POST["ipsec_{$lkey}"];
- }
+ // validate
+ $input_errors = array();
+ foreach ($pconfig['passthrough_networks'] as $ptnet) {
+ if (!is_subnet($ptnet)) {
+ $input_errors[] = sprintf(gettext('Entry "%s" is not a valid network.'), $ptnet);
 }
 }
- write_config();
- $savemsg = get_std_save_message();
- filter_configure();
- ipsec_configure_do();
+ // save form data
+ if (count($input_errors) == 0) {
+ if (!empty($pconfig['disablevpnrules'])) {
+ $config['system']['disablevpnrules'] = true;
+ } elseif (isset($config['system']['disablevpnrules'])) {
+ unset($config['system']['disablevpnrules']);
+ }
+ if (isset($pconfig['preferoldsa_enable']) && $pconfig['preferoldsa_enable'] == "yes") {
+ $config['ipsec']['preferoldsa'] = true;
+ } elseif (isset($config['ipsec']['preferoldsa'])) {
+ unset($config['ipsec']['preferoldsa']);
+ }
+ if (isset($config['ipsec']) && is_array($config['ipsec'])) {
+ foreach ($ipsec_loglevels as $lkey => $ldescr) {
+ if (empty($pconfig["ipsec_{$lkey}"])) {
+ if (isset($config['ipsec']["ipsec_{$lkey}"])) {
+ unset($config['ipsec']["ipsec_{$lkey}"]);
+ }
+ } else {
+ $config['ipsec']["ipsec_{$lkey}"] = $pconfig["ipsec_{$lkey}"];
+ }
+ }
+ }
+ $config['ipsec']['passthrough_networks'] = implode(',', $pconfig['passthrough_networks']);
+
+ write_config();
+ $savemsg = get_std_save_message();
+ filter_configure();
+ ipsec_configure_do();
+ }
 }
 $service_hook = 'ipsec';
+legacy_html_escape_form_data($pconfig);
 include("head.inc");
 ?>
+
+
+
+
+
+
+
+