• Scaling IPsec (and VPNs in general)

    Pinned
    2
    15 Votes
    2 Posts
    8k Views
    ?
    Thank you!
  • Adguard Vpn on pfsense

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • Questions about having overlapping P2s in different tunnels

    2
    0 Votes
    2 Posts
    1k Views
    W
    As long as your local and remote subnet combination in a P2 is unique, there are no problems in IPsec itself, unless you have some remote networks in use locally too. That will conflict, of course. Better keep your subnets not too big, 10.0.0.0/8 might not be the best idea… From what I know, if you have some overlap, say a /24 that overlaps with a /16 (or even /8…) the smaller subnet/more specific route will go first. Hope this helps
  • Strongswan server gets multiple, random connection requests

    1
    0 Votes
    1 Posts
    173 Views
    No one has replied
  • Windows Server IPSec VPN Behind pfSense

    5
    0 Votes
    5 Posts
    1k Views
    S
    @Cortexian is the Windows firewall disabled/configured? https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
  • IPSec bypass some traffic via script

    1
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Gateway Group, Routed VTI IPSEC tunnels and failover

    5
    0 Votes
    5 Posts
    2k Views
    M
    @lc63 Thank you, appreciate it! So, in this topology, I would have two phase 1 tunnels with the same phase 2 networks, right? How would the pfsense know which one to use for the routing?
  • IKEv2 Mobile Client VPN - Authorised devices only

    2
    0 Votes
    2 Posts
    170 Views
    keyserK
    @bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operating system (Windows, macOS, Linux, Android and iOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSChapv2) to EAP-TLS, which is client certificate based authentication as far as I know. pfSense IKEv2 and the OS built-in clients do not support combining multiple authentication models concurrently like fx. MSChapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to "preapprove" clients is by changing the authentication model to EAP-TLS and using enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using an MDM like fx. Microsoft Intune. Alternatively you could look into using OpenVPN instead, as that does support multiple authentication models concurrently, fx. clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN client…
  • VTI IPsec with 3rd party routers that use policy routing

    5
    0 Votes
    5 Posts
    2k Views
    L
    @viragomann Thanks for your help. Unfortunately, I am already using the "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic" option, which allows me to have one filter rule tab per VPN interface, but also prevents me from using policy-based VPNs. Do you think my proposal of not adding the 0.0.0.0/0 default routes would be workable?
  • Help me troubleshoot IPsec tunnels not routing properly?

    3
    0 Votes
    3 Posts
    77 Views
    A
    @viragomann This was exactly what it was: it was Windows Firewall running on that server. Gaaaaa!
  • IPSec not matching Phase 2?

    1
    0 Votes
    1 Posts
    925 Views
    No one has replied
  • Sometimes all vpn ipsec are down

    1
    0 Votes
    1 Posts
    974 Views
    No one has replied
  • IPv6 address in Dashboard IPSec widget

    1
    0 Votes
    1 Posts
    35 Views
    No one has replied
  • Dynamic Routing IPSec with OSPF, Printing issues

    1
    0 Votes
    1 Posts
    941 Views
    No one has replied
  • Upgrade from 2.7.2 to 2.8.0 ipsec

    Moved
    8
    0 Votes
    8 Posts
    2k Views
    C
    I definitely will do this next week and post here the results. Thank you
  • IPSec service won't start

    1
    0 Votes
    1 Posts
    41 Views
    No one has replied
  • Routed VTI Interface No Traffic On Other Side

    11
    0 Votes
    11 Posts
    2k Views
    planedropP
    Opened a Redmine about this since this either A. needs to be explained more clearly, or B. needs to be changed so the docs say "will" instead of "may". https://redmine.pfsense.org/issues/16340
  • Using VTI IPsec to bypass managed office NAT

    1
    0 Votes
    1 Posts
    986 Views
    No one has replied
  • [RESOLVED] IPSec tunnel OK but routers can't ping each others

    6
    0 Votes
    6 Posts
    17k Views
    A
    @nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each others:
    You can know everything about everything thanks to Google. But if you don't know what to search, it is useless. The problem is resolved, by adding a bogus route, by hand. Here's the explanation: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Thanks for help
    Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly. Again, thank you!
  • Does not have a public address and is behind NAT

    4
    0 Votes
    4 Posts
    2k Views
    T
    @Gertjan said in Does not have a public address and is behind NAT:
    Managed to solve the problem. You need to enter any fictitious name and your external IP in DNS Resolver. I entered both my pfsense on one and the second pfsense.
    [image: 1753101520478-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.38.01.png]
    In phase 1 you need to register.
    [image: 1753101586516-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.39.32.png]
    After which everything started working.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.