As long as your local a remote subnet combination in a P2 is unique, there are are no problems in IPSec itself, unless you have some remote networks in use locally too. That will conflict, of course. Better keep your subnets not too big, 10.0.0.0/8 might not be the best idea… From what I know, if you have some overlap, say a /24 that that overlaps with a /16 (or even /8…) the smaller subnet/more specific route will go first. Hope this helps

@Cortexian is the Windows firewall disabled/configured? https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

@lc63 Thank you, appreciate it! So, in this topology, I would have two phase 1 tunnels with the same phase 2 networks, right? How would the pfsense know which one to use for the routing?

@bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operation system (Windows, MacOS, Linux, Android and IOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSchapv2) to EAP-TLS which is Client certificate based authentication as far as I know. PfSense IKEv2 and the OS Built-in clients does not support combining multiple authentication models concurrently like fx. MSchapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication models to EAP-TLS and use enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using a MDM like fx. Microsoft Intune Alternatively you could look into using OpenVPN instead as that does support multiple authentication models concurrently - fx. Clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN Client…..

@viragomann Thanks for your help. Unfortunately, I am already using the "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic" option, which allows me to have one filter rule tab per VPN interface, but also prevents me from using policy-based VPNs. Do you think my proposal of not adding the 0.0.0.0/0 default routes would be workable?

@viragomann This was exactly what it was: it was Windows Firewall running on that server. Gaaaaa!

I definitely will do this next week and post here the results. Thank you

Opened a Redmine about this since this either A. needs to be explained more clearly, or B. needs to be changed so the docs say "will" instead of "may". https://redmine.pfsense.org/issues/16340

@nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each others: You can know everything about everything thanks to Google. But if you don't know what to search, it is useless. The problem is resolved, by adding a bogus route, by hand. Here's the explanation : https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Thanks for help Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly. Again, thank you!

@Gertjan said in Does not have a public address and is behind NAT: Managed to solve the problem. You need to enter any fictitious name and your external IP in DNS Resolver. I entered both my pfsense on one and the second pfsense.[image: 1753101520478-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.38.01.png] In phase 1 you need to register. [image: 1753101586516-%D1%81%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA-%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2025-07-21-%D0%B2-15.39.32.png] After which everything started working.