@bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operation system (Windows, MacOS, Linux, Android and IOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSchapv2) to EAP-TLS which is Client certificate based authentication as far as I know. PfSense IKEv2 and the OS Built-in clients does not support combining multiple authentication models concurrently like fx. MSchapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication models to EAP-TLS and use enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using a MDM like fx. Microsoft Intune Alternatively you could look into using OpenVPN instead as that does support multiple authentication models concurrently - fx. Clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN Client…..

@marcelosb Hi, I have switched to Policy-based mode for tunnels. I gave up on the VTI mode. Policy-based mode concentrates traffic on a single interface, and is therefore less flexible. However, it does not require a static route and enables failover. It is configured as follows, in tunnel phase 2: For a tunnel between A (AWS for me) and B (pfsense gateway) : VPN > IPsec > Tunnels > P1 > Add P2 Mode: IPv4 tunnel Local Network: <B private network> Remote Network: <A private network> In this mode, to manage failover, the DPD (Dead Peer Detection) option in phase 1 must be enabled. And, for examples, Delay = 3 and Max failures = 1. Routing is done at the tunnel level, which automatically pushes routes in this mode. Simply configure the firewall to allow incoming traffic from the A network to the B network. The firewall rules will be defined on the IPsec interface. In Policy-based mode, this interface groups the two tunnels together. This way, when one tunnel goes down, other tunnel is already authorized by the firewall.

@viragomann Thanks for your help. Unfortunately, I am already using the "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic" option, which allows me to have one filter rule tab per VPN interface, but also prevents me from using policy-based VPNs. Do you think my proposal of not adding the 0.0.0.0/0 default routes would be workable?

@viragomann This was exactly what it was: it was Windows Firewall running on that server. Gaaaaa!

I definitely will do this next week and post here the results. Thank you

Opened a Redmine about this since this either A. needs to be explained more clearly, or B. needs to be changed so the docs say "will" instead of "may". https://redmine.pfsense.org/issues/16340

@nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each others: You can know everything about everything thanks to Google. But if you don't know what to search, it is useless. The problem is resolved, by adding a bogus route, by hand. Here's the explanation : https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Thanks for help Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly. Again, thank you!

@Gertjan said in Does not have a public address and is behind NAT: Managed to solve the problem. You need to enter any fictitious name and your external IP in DNS Resolver. I entered both my pfsense on one and the second pfsense.[image: 1753101520478-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.38.01.png] In phase 1 you need to register. [image: 1753101586516-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.39.32.png] After which everything started working.

@zulasch This would require, that you have defined an SPD for the "users" IP and the webserver in IPSec. But the clients IP is dynamic. So it would only work if you route the whole upstream traffic from the webserver over the VPN, which might not be what you want. It would work with any other kind of VPN though, which gives you the possibility to assign an interface to. Could be OpenVPN, Wireguard or IPSec VTI.