• Scaling IPsec (and VPNs in general)

    Pinned
    2
    15 Votes
    2 Posts
    6k Views
    ?
    Thank you!
  • IKEv2 Mobile Client VPN - Authorised devices only

    2
    0 Votes
    2 Posts
    54 Views
    keyserK
    @bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operation system (Windows, MacOS, Linux, Android and IOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSchapv2) to EAP-TLS which is Client certificate based authentication as far as I know. PfSense IKEv2 and the OS Built-in clients does not support combining multiple authentication models concurrently like fx. MSchapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication models to EAP-TLS and use enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using a MDM like fx. Microsoft Intune Alternatively you could look into using OpenVPN instead as that does support multiple authentication models concurrently - fx. Clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN Client…..
  • Gateway Group, Routed VTI IPSEC tunnels and failover

    4
    0 Votes
    4 Posts
    633 Views
    L
    @marcelosb Hi, I have switched to Policy-based mode for tunnels. I gave up on the VTI mode. Policy-based mode concentrates traffic on a single interface, and is therefore less flexible. However, it does not require a static route and enables failover. It is configured as follows, in tunnel phase 2: For a tunnel between A (AWS for me) and B (pfsense gateway) : VPN > IPsec > Tunnels > P1 > Add P2 Mode: IPv4 tunnel Local Network: <B private network> Remote Network: <A private network> In this mode, to manage failover, the DPD (Dead Peer Detection) option in phase 1 must be enabled. And, for examples, Delay = 3 and Max failures = 1. Routing is done at the tunnel level, which automatically pushes routes in this mode. Simply configure the firewall to allow incoming traffic from the A network to the B network. The firewall rules will be defined on the IPsec interface. In Policy-based mode, this interface groups the two tunnels together. This way, when one tunnel goes down, other tunnel is already authorized by the firewall.
  • Questions about having overlapping P2s in different tunnels

    1
    0 Votes
    1 Posts
    278 Views
    No one has replied
  • VTI IPsec with 3rd party routers that use policy routing

    5
    0 Votes
    5 Posts
    431 Views
    L
    @viragomann Thanks for your help. Unfortunately, I am already using the "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic" option, which allows me to have one filter rule tab per VPN interface, but also prevents me from using policy-based VPNs. Do you think my proposal of not adding the 0.0.0.0/0 default routes would be workable?
  • Help me troubleshoot IPsec tunnels not routing properly?

    3
    0 Votes
    3 Posts
    60 Views
    A
    @viragomann This was exactly what it was: it was Windows Firewall running on that server. Gaaaaa!
  • IPSec not matching Phase 2?

    1
    0 Votes
    1 Posts
    179 Views
    No one has replied
  • Sometimes all vpn ipsec are down

    1
    0 Votes
    1 Posts
    209 Views
    No one has replied
  • IPv6 address in Dashboard IPSec widget

    1
    0 Votes
    1 Posts
    34 Views
    No one has replied
  • Dynamic Routing IPSec with OSPF, Printing issues

    1
    0 Votes
    1 Posts
    199 Views
    No one has replied
  • Upgrade from 2.7.2 to 2.8.0 ipsec

    Moved
    8
    0 Votes
    8 Posts
    618 Views
    C
    I definitely will do this next week and post here the results. Thank you
  • IPSec service won't start

    1
    0 Votes
    1 Posts
    38 Views
    No one has replied
  • Routed VTI Interface No Traffic On Other Side

    11
    0 Votes
    11 Posts
    608 Views
    planedropP
    Opened a Redmine about this since this either A. needs to be explained more clearly, or B. needs to be changed so the docs say "will" instead of "may". https://redmine.pfsense.org/issues/16340
  • Using VTI IPsec to bypass managed office NAT

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • [RESOLVED] IPSec tunnel OK but routers can't ping each others

    6
    0 Votes
    6 Posts
    15k Views
    A
    @nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each others: You can know everything about everything thanks to Google. But if you don't know what to search, it is useless. The problem is resolved, by adding a bogus route, by hand. Here's the explanation : https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Thanks for help Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly. Again, thank you!
  • Does not have a public address and is behind NAT

    4
    0 Votes
    4 Posts
    432 Views
    T
    @Gertjan said in Does not have a public address and is behind NAT: Managed to solve the problem. You need to enter any fictitious name and your external IP in DNS Resolver. I entered both my pfsense on one and the second pfsense.[image: 1753101520478-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.38.01.png] In phase 1 you need to register. [image: 1753101586516-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.39.32.png] After which everything started working.
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    15 Views
    No one has replied
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    7 Views
    No one has replied
  • NAT via two PFSense Firewalls connected via IPSec

    4
    0 Votes
    4 Posts
    542 Views
    V
    @zulasch This would require, that you have defined an SPD for the "users" IP and the webserver in IPSec. But the clients IP is dynamic. So it would only work if you route the whole upstream traffic from the webserver over the VPN, which might not be what you want. It would work with any other kind of VPN though, which gives you the possibility to assign an interface to. Could be OpenVPN, Wireguard or IPSec VTI.
  • Pfsense Multi WAN IPSec Setup Issues

    1
    0 Votes
    1 Posts
    240 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.