• Scaling IPsec (and VPNs in general)

    Pinned
    2
    15 Votes
    2 Posts
    6k Views
    ?

    Thank you!

  • NAT via two PFSense Firewalls connected via IPSec

    3
    0 Votes
    3 Posts
    21 Views
    Z

    @viragomann
    Why?

  • Pfsense Multi WAN IPSec Setup Issues

    1
    0 Votes
    1 Posts
    7 Views
    No one has replied
  • 0 Votes
    2 Posts
    350 Views
    GertjanG

    @Yamka said in TheGreenBow VPN Client issue with access through WAN with router in DMZ mode.:

    TheGreenBow VPN Client

    is this a VPN application on a device, the device is connected to the pfSense LAN ?

  • IPsec Tunnel - LAN can’t reach VPN clients

    1
    0 Votes
    1 Posts
    52 Views
    No one has replied
  • IPsec connection stops working upon large or fast data

    1
    0 Votes
    1 Posts
    44 Views
    No one has replied
  • IPSec Export: Apple Profile PHP error

    1
    0 Votes
    1 Posts
    33 Views
    No one has replied
  • Cannot go to Internet in IPSec Road Warrior tunnel

    1
    0 Votes
    1 Posts
    135 Views
    No one has replied
  • Turn off NAT-T in an IPSec Tunnel --

    5
    0 Votes
    5 Posts
    499 Views
    P

    @Phonebuff said in Turn off NAT-T in an IPSec Tunnel --:

    The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.

    Hoping someone has some ideas on where to start troubleshooting this so I can resolve the issue.

  • 0 Votes
    3 Posts
    336 Views
    G

    @viragomann
    Thank you for your response — I really appreciate you taking the time to help.

    However, I’ve already tested the exact scenario you're suggesting. Unfortunately, it didn’t work in my case. What I’m specifically looking for is feedback from someone who has successfully implemented Source NAT in a setup that matches my parameters, particularly:

    Site-A to Central-PF using IKEv2 Central-PF to Site-B using IKEv1 NAT at Central-PF, where Site-A is NATed to Central’s LAN IP before forwarding to Site-B

    I’m aware that when both IPsec tunnels use IKEv2, NAT works fine and there’s no need to configure BINAT or additional Phase 2 entries. However, in my situation — with mixed IKE versions — the NAT rule doesn’t appear to work as expected.

    If anyone has resolved this exact case or has real-world experience with this specific type of mixed IKE/IPsec/NAT scenario, I would greatly appreciate your insights.

    Thanks again!

  • 0 Votes
    2 Posts
    228 Views
    patient0P

    @dcugy I would update to the latest CE 2.8.0-RELEASE and report it when it happens again.

  • IPSec connections breaking or wireguard

    5
    0 Votes
    5 Posts
    475 Views
    O

    wanted to see if i could try pfsense+ edition which used to be free but for some reason i can't seem to find that key, isn't it free for home users anymore?

  • 0 Votes
    1 Posts
    141 Views
    No one has replied
  • VPN to Mexico

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • Modify IPSec auto generate key button

    1
    0 Votes
    1 Posts
    131 Views
    No one has replied
  • (How TO) Deploying IKEv2 with EAP-MSCHAPv2 in Domain with group policy

    3
    0 Votes
    3 Posts
    7k Views
    I

    For some reason this is not working under Windows 11 24H2.
    I assume it has something to do with local access rights since I am also not able to copy the file via explorer directly from the network share to C:\ProgramData\Microsoft\Network\Connections\Pbk (as local admin without elevated rights).
    When I first copy the file to Downloads, then I am able to copy it in a second step to C:\ProgramData\Microsoft\Network\Connections\Pbk.

    Any ideas?

    Indiana Horschd

  • Route all subnet traffic over specific IPSec tunnel

    1
    0 Votes
    1 Posts
    142 Views
    No one has replied
  • IPsec performance inconsistent and slow

    3
    0 Votes
    3 Posts
    343 Views
    T

    @tinfoilmatt thanks. The iperf3 tests are done on hosts, not on the firewalls directly.
    Interestingly, I've since also set up a WireGuard VPN and that seems to work a little better than IPsec, but still 20-30% slower with large file transfers over FTP than going over the WAN.

    Following the guide on Netgate's website for WireGuard, I noticed that they clamp down the packet size by adjusting the MTU rather than the MSS, I don't know if there's a reason for doing it like that.

    But as I'm seeing the WireGuard performance still a bit off, maybe it's not just an IPsec thing? I did wonder if the CPU was the bottleneck, but they never go above 20% or so usage so I doubt it's the processor that's the bottleneck.

  • vti IPsec, gateway not adding static routes on 24.11

    7
    0 Votes
    7 Posts
    854 Views
    L

    OK, this has been working correctly for a couple months, but a few days ago the interface "lost" the IP address.
    The router hasn't restarted nor I can find anything in the logs. Had to reassing an IP address and it just continued to work.
    I will try to dig deeper in the gateway address handling to see if I find the bug.

  • Mobile Clients loosing connectivity akter 60 minutes

    5
    0 Votes
    5 Posts
    567 Views
    A

    I have run into the same issue a while ago.
    As others have mentioned, it is due to Windows using DH group 2 (1024 bit) at re-key time, even if it the P1 and P2 are configured with a stronger DH group.

    Changing the re-key interval to something like 9 hours is the easiest way to minimize disruption.

    Other options are to create the client connections using PowerShell to specify a higher DH group, or use DH group 2 on the server.

    https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2025-ps

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.