@keyser Ah. Silly me I was looking for "class" :)

@tinfoilmatt I could just as well use OpenVPN for S2S as the workaround. But i Prefer Wireguard due to it’s simplicity - I find it’s just as fast as OpenVPN with hardware acc. There is nothing wrong with either of those options - it’s just not enough in many cases… I’m not always in control of the other ends hardware, and IPsec then becomes the golden standard, and thus required. Also, I much prefer to have only one VPN engine/setup running on pfSense - My “KISS OCD” does not like having multiple different VPN suites/rules and setups running when just IPSec should be enough. PS: The pfSense mobile warrior IPsec setup is not replaceable :-) I, and my customers, absolutely LOVE the pfSense Mobile VPN with it’s simple setup, and grouping of firewall rules due to multiple IP pools. Not having to deploy and maintain VPN clients, but just use the ones built into OS’s is an absolute WIN-WIN when coupled with 2FA from the MS Entra plugin to Microsofts NPS radius server.

I have made some progress. I have modified the file /src/etc/inc/ipsec.inc at lines 2365 and 2365 to remove the additional selectors, and now my proposal correctly matches the one on the other side and it works flawlessly.

@itBJA In the p2 you can only masquerade your network. However, for communication also the remote site has to masquerade their networks. Otherwise you were not able to access anything there or lose access to the local network. This could look like that: At local network state 172.16.0.0/16. At NAT/BINAT select network and enter e.g. 10.16.0.0/16 At remote enter their masquerading networks. E.g. 10.116.3.0/24 for 172.16.3.0/24. The remote site has to use 10.16.0.0/16 as "remote network" and nat 172.16.3.0/24 to 10.116.3.0/24. Then you have a 1:1 NAT. This means if 172.16.3.26 on your site connects to 172.16.3.26 on the remote site, it needs you use 10.116.3.26 as destaintion.

@keyser said in Change local source ports of IPsec tunnels: I think you are looking for the “custom ports” settings on VPN -> IPSEC - ADVANCED tab But this sets the port globally for IPSec, but I don't see a way to state a specific port for a certain connection, as the OP requested.

@keyser Yeah it's worth a shot at least, I'll give this a go. I have seen others online were duplicate SAs will show up, but from everything I've seen that normally doesn't prevent traffic from flowing, maybe I'm remembering wrong though. We do use these VPNs 24/7, we have a night crew, so I don't think it's related to the keep alive. Nonetheless I'll make sure it's enabled (it's not right now, but I am 99% sure I had it enabled in the previous setup when this issue started). Thanks for the tips though, greatly appreciate it.

@patient0 non il semble impossible de faire cela, le paquet pour linux semble incompatible avec freebsd. je crois bien que le service ne sera pas compatible du tout. le support de wireguard semble être la seule solution mais elle n'arrivera pas de si tôt vu que c'est annoncé depuis très longtemps sans avoir évolué

As long as your local a remote subnet combination in a P2 is unique, there are are no problems in IPSec itself, unless you have some remote networks in use locally too. That will conflict, of course. Better keep your subnets not too big, 10.0.0.0/8 might not be the best idea… From what I know, if you have some overlap, say a /24 that that overlaps with a /16 (or even /8…) the smaller subnet/more specific route will go first. Hope this helps

@Cortexian is the Windows firewall disabled/configured? https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

@lc63 Thank you, appreciate it! So, in this topology, I would have two phase 1 tunnels with the same phase 2 networks, right? How would the pfsense know which one to use for the routing?

@bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operation system (Windows, MacOS, Linux, Android and IOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSchapv2) to EAP-TLS which is Client certificate based authentication as far as I know. PfSense IKEv2 and the OS Built-in clients does not support combining multiple authentication models concurrently like fx. MSchapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication models to EAP-TLS and use enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using a MDM like fx. Microsoft Intune Alternatively you could look into using OpenVPN instead as that does support multiple authentication models concurrently - fx. Clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN Client…..

@viragomann This was exactly what it was: it was Windows Firewall running on that server. Gaaaaa!