• Scaling IPsec (and VPNs in general)

    Pinned
    15 Votes
    2 Posts
    9k Views
    Thank you!
  • IPsec multiple Phase 2

    0 Votes
    14 Posts
    726 Views
    @keyser Ah. Silly me, I was looking for "class" :)
  • Feature Poll: Remove IPsec limitation when using both VTI and Tunnel-mode

    0 Votes
    3 Posts
    784 Views
    keyser
    @tinfoilmatt I could just as well use OpenVPN for S2S as the workaround, but I prefer WireGuard due to its simplicity; I find it's just as fast as OpenVPN with hardware acceleration. There is nothing wrong with either of those options; it's just not enough in many cases… I'm not always in control of the other end's hardware, and IPsec then becomes the golden standard, and thus required. Also, I much prefer to have only one VPN engine/setup running on pfSense; my “KISS OCD” does not like having multiple different VPN suites/rules and setups running when just IPsec should be enough. PS: The pfSense mobile warrior IPsec setup is not replaceable :-) I, and my customers, absolutely LOVE the pfSense Mobile VPN with its simple setup and grouping of firewall rules due to multiple IP pools. Not having to deploy and maintain VPN clients, but just using the ones built into OSes, is an absolute WIN-WIN when coupled with 2FA from the MS Entra plugin to Microsoft's NPS RADIUS server.
  • VTI IPsec with 3rd party routers that use policy routing

    0 Votes
    7 Posts
    4k Views
    I have made some progress. I have modified the file /src/etc/inc/ipsec.inc at lines 2365 and 2365 to remove the additional selectors, and now my proposal correctly matches the one on the other side and it works flawlessly.
  • NAT-Translation for Site2Site VPN

    0 Votes
    2 Posts
    1k Views
    @itBJA In the P2 you can only masquerade your own network. However, for communication the remote site also has to masquerade their networks. Otherwise you would not be able to access anything there, or you would lose access to the local network. This could look like this: At local network, state 172.16.0.0/16. At NAT/BINAT, select network and enter e.g. 10.16.0.0/16. At remote, enter their masquerading networks, e.g. 10.116.3.0/24 for 172.16.3.0/24. The remote site has to use 10.16.0.0/16 as "remote network" and NAT 172.16.3.0/24 to 10.116.3.0/24. Then you have a 1:1 NAT. This means if 172.16.3.26 on your site connects to 172.16.3.26 on the remote site, you need to use 10.116.3.26 as destination.
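The overlapping-subnet setup described in the post above, as an added example that is not part of the thread and not pfSense code: a small Python model of the 1:1 BINAT mapping each side applies around the phase 2, the address a local host has to dial, and the check that the translated selectors no longer overlap. The networks are the ones quoted in the post; the function names and the packet "trace" helper are assumptions made for illustration.

```python
import ipaddress

# Networks quoted in the post above (constructed scenario: both sites use 172.16.0.0/16).
LOCAL_REAL = ipaddress.ip_network("172.16.0.0/16")     # our real LAN
LOCAL_BINAT = ipaddress.ip_network("10.16.0.0/16")     # what the remote site sees us as
REMOTE_REAL = ipaddress.ip_network("172.16.3.0/24")    # their real LAN
REMOTE_BINAT = ipaddress.ip_network("10.116.3.0/24")   # what we see them as


def binat_translate(addr, real_net, translated_net):
    """1:1 BINAT: keep the host bits of addr, swap the network bits.

    Both networks must be the same size, otherwise the mapping is not one-to-one.
    """
    addr = ipaddress.ip_address(addr)
    if real_net.prefixlen != translated_net.prefixlen:
        raise ValueError("1:1 BINAT needs networks of equal prefix length")
    if addr not in real_net:
        raise ValueError(f"{addr} is not inside {real_net}")
    host_bits = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(translated_net.network_address) + host_bits)


def binat_untranslate(addr, real_net, translated_net):
    """Reverse direction: translated address back to the real one."""
    return binat_translate(addr, translated_net, real_net)


def selectors_conflict(local_net, remote_net):
    """True when a phase 2 local/remote pair overlaps and therefore cannot be routed."""
    return local_net.overlaps(remote_net)


def destination_for_remote_host(remote_real_host):
    """The address a host on our LAN must dial to reach remote_real_host through the tunnel."""
    return str(binat_translate(remote_real_host, REMOTE_REAL, REMOTE_BINAT))


def trace_to_remote(local_src, dialed_dst):
    """Follow one packet: our LAN -> our pfSense (BINAT source) -> phase 2 selector
    check -> their pfSense (BINAT destination) -> their LAN.

    Returns (source as seen inside the tunnel, destination as seen on their LAN).
    Raises ValueError when the packet would not match the negotiated selectors.
    """
    local_src = ipaddress.ip_address(local_src)
    dialed_dst = ipaddress.ip_address(dialed_dst)
    # Our pfSense rewrites the source before the packet enters the tunnel.
    tunnel_src = binat_translate(local_src, LOCAL_REAL, LOCAL_BINAT)
    # The phase 2 that gets negotiated is the BINAT pair, so the packet must match it.
    if tunnel_src not in LOCAL_BINAT or dialed_dst not in REMOTE_BINAT:
        raise ValueError(f"{tunnel_src} -> {dialed_dst} does not match the phase 2 selector")
    # Their pfSense rewrites the destination back to their real LAN.
    remote_dst = binat_untranslate(dialed_dst, REMOTE_REAL, REMOTE_BINAT)
    return str(tunnel_src), str(remote_dst)


def reaches_remote(local_src, dialed_dst):
    """Does this packet make it to the far LAN at all?"""
    try:
        trace_to_remote(local_src, dialed_dst)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("raw subnets conflict:", selectors_conflict(LOCAL_REAL, REMOTE_REAL))
    print("BINAT subnets conflict:", selectors_conflict(LOCAL_BINAT, REMOTE_BINAT))
    print("dial", destination_for_remote_host("172.16.3.26"), "to reach 172.16.3.26")
    print("trace:", trace_to_remote("172.16.3.26", "10.116.3.26"))
    print("dialing the real address instead:", reaches_remote("172.16.3.26", "172.16.3.26"))
```

The last line of the demo shows the point of the post: dialing the remote host's real 172.16.3.26 never matches the phase 2 selector (it is our own LAN), so only the BINAT address 10.116.3.26 gets the packet across.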
  • Change local source ports of IPsec tunnels

    0 Votes
    4 Posts
    1k Views
    @keyser said in Change local source ports of IPsec tunnels: "I think you are looking for the “custom ports” settings on VPN -> IPSEC - ADVANCED tab." But this sets the port globally for IPsec; I don't see a way to set a specific port for a certain connection, as the OP requested.
  • IPSec Mobile Client not using OnPrem DNS

    0 Votes
    1 Posts
    555 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    planedrop
    @keyser Yeah, it's worth a shot at least; I'll give this a go. I have seen others online where duplicate SAs will show up, but from everything I've seen that normally doesn't prevent traffic from flowing; maybe I'm remembering wrong though. We do use these VPNs 24/7 (we have a night crew), so I don't think it's related to the keep-alive. Nonetheless I'll make sure it's enabled (it's not right now, but I am 99% sure I had it enabled in the previous setup when this issue started). Thanks for the tips though, greatly appreciate it.
  • Adguard Vpn on pfsense

    0 Votes
    5 Posts
    2k Views
    @patient0 No, it seems impossible to do that; the Linux package seems incompatible with FreeBSD. I really think the service will not be compatible at all. WireGuard support seems to be the only solution, but it won't arrive any time soon, given that it has been announced for a very long time without progressing.
  • Questions about having overlapping P2s in different tunnels

    0 Votes
    2 Posts
    3k Views
    As long as your local and remote subnet combination in a P2 is unique, there are no problems in IPsec itself, unless you have some remote networks in use locally too. That will conflict, of course. Better keep your subnets not too big; 10.0.0.0/8 might not be the best idea… From what I know, if you have some overlap, say a /24 that overlaps with a /16 (or even /8…), the smaller subnet/more specific route will go first. Hope this helps.
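The precedence rule described in the post above, as an added example that is not from the thread and not pfSense or strongSwan code: a Python model that, for a given source/destination, picks the phase 2 whose selectors match most specifically, flags duplicate local/remote pairs, and flags remote selectors that overlap a network also in use locally. The tunnel names and networks are constructed for illustration.

```python
import ipaddress

# Constructed phase 2 entries (not from the thread): three tunnels whose remote
# networks nest inside each other, plus a fourth that duplicates the second.
PHASE2 = [
    ("tunnel-A", "192.168.10.0/24", "10.0.0.0/8"),
    ("tunnel-B", "192.168.10.0/24", "10.20.0.0/16"),
    ("tunnel-C", "192.168.10.0/24", "10.20.5.0/24"),
    ("tunnel-D", "192.168.10.0/24", "10.20.0.0/16"),
]


def parse_phase2(entries):
    """Turn (name, local, remote) strings into network objects."""
    return [(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))
            for name, local, remote in entries]


def duplicate_selectors(entries):
    """Return (first, second) tunnel names that negotiate the same local/remote pair."""
    seen = {}
    dups = []
    for name, local, remote in parse_phase2(entries):
        key = (local, remote)
        if key in seen:
            dups.append((seen[key], name))
        else:
            seen[key] = name
    return dups


def remote_clashes_with_local(entries, local_networks):
    """Remote selectors that overlap a network that is also routed locally.

    A wide remote selector such as 10.0.0.0/8 swallows any local 10.x network,
    which is the case the post warns about.
    """
    locals_ = [ipaddress.ip_network(n) for n in local_networks]
    clashes = []
    for name, _local, remote in parse_phase2(entries):
        for ln in locals_:
            if remote.overlaps(ln):
                clashes.append((name, str(remote), str(ln)))
    return clashes


def select_tunnel(entries, src, dst):
    """Pick the matching phase 2 with the most specific selectors (longest prefixes).

    Ties keep the first entry, so a duplicate pair silently loses.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    best = None
    for name, local, remote in parse_phase2(entries):
        if src in local and dst in remote:
            specificity = (remote.prefixlen, local.prefixlen)
            if best is None or specificity > best[0]:
                best = (specificity, name)
    return best[1] if best else None


if __name__ == "__main__":
    for dst in ("10.20.5.7", "10.20.9.1", "10.99.1.1", "172.16.0.1"):
        print(dst, "->", select_tunnel(PHASE2, "192.168.10.5", dst))
    print("duplicates:", duplicate_selectors(PHASE2))
    print("clashes:", remote_clashes_with_local(PHASE2, ["192.168.10.0/24", "10.20.5.0/24"]))
```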
  • Strongswan server gets multiple, random connection requests

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Windows Server IPSec VPN Behind pfSense

    0 Votes
    5 Posts
    3k Views
    @Cortexian is the Windows firewall disabled/configured? https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
  • IPSec bypass some traffic via script

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Gateway Group, Routed VTI IPSEC tunnels and failover

    0 Votes
    5 Posts
    4k Views
    @lc63 Thank you, appreciate it! So, in this topology, I would have two phase 1 tunnels with the same phase 2 networks, right? How would the pfsense know which one to use for the routing?
  • IKEv2 Mobile Client VPN - Authorised devices only

    0 Votes
    2 Posts
    190 Views
    keyser
    @bradsm87 I assume we are talking about clients using the native IKEv2 client built into the operating system (Windows, macOS, Linux, Android and iOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSCHAPv2) to EAP-TLS, which is client certificate based authentication, as far as I know. pfSense IKEv2 and the OS built-in clients do not support combining multiple authentication models concurrently, e.g. MSCHAPv2 (username/password) and TLS or PSK (certificates or pre-shared key auth). So the only way to “preapprove” clients is by changing the authentication model to EAP-TLS and using enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using an MDM like e.g. Microsoft Intune. Alternatively you could look into using OpenVPN instead, as that does support multiple authentication models concurrently, e.g. clients need a pre-shared key or certificate plus being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN client…
  • Help me troubleshoot IPsec tunnels not routing properly?

    0 Votes
    3 Posts
    99 Views
    @viragomann This was exactly what it was: it was Windows Firewall running on that server. Gaaaaa!
  • IPSec not matching Phase 2?

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Sometimes all vpn ipsec are down

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPv6 address in Dashboard IPSec widget

    0 Votes
    1 Posts
    43 Views
    No one has replied
  • Dynamic Routing IPSec with OSPF, Printing issues

    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.