Opened a Redmine about this since this either A. needs to be explained more clearly, or B. needs to be changed so the docs say "will" instead of "may".

https://redmine.pfsense.org/issues/16340

@nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each others:

You can know everything about everything thanks to Google. But if you don't know what to search, it is useless.

The problem is resolved, by adding a bogus route, by hand.

Here's the explanation :

https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

Thanks for help

Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly.

Again, thank you!

@Gertjan said in Does not have a public address and is behind NAT:

Managed to solve the problem.

You need to enter any fictitious name and your external IP in DNS Resolver. I entered both my pfsense on one and the second pfsense.Снимок экрана 2025-07-21 в 15.38.01.png In phase 1 you need to register.
Снимок экрана 2025-07-21 в 15.39.32.png
After which everything started working.

@jvangent100 said in Upgrade from 2.7.2 to 2.8.0 ipsec:

Is this a known issue ?

No.

Do you see blocked traffic in the firewall logs?

Do you see the packet counters on the tunnels increasing still? In either direction?

@zulasch
This would require, that you have defined an SPD for the "users" IP and the webserver in IPSec. But the clients IP is dynamic. So it would only work if you route the whole upstream traffic from the webserver over the VPN, which might not be what you want.

It would work with any other kind of VPN though, which gives you the possibility to assign an interface to. Could be OpenVPN, Wireguard or IPSec VTI.

@Yamka said in TheGreenBow VPN Client issue with access through WAN with router in DMZ mode.:

TheGreenBow VPN Client

is this a VPN application on a device, the device is connected to the pfSense LAN ?

@Phonebuff said in Turn off NAT-T in an IPSec Tunnel --:

The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.

Hoping someone has some ideas on where to start troubleshooting this so I can resolve the issue.

@viragomann
Thank you for your response — I really appreciate you taking the time to help.

However, I’ve already tested the exact scenario you're suggesting. Unfortunately, it didn’t work in my case. What I’m specifically looking for is feedback from someone who has successfully implemented Source NAT in a setup that matches my parameters, particularly:

Site-A to Central-PF using IKEv2 Central-PF to Site-B using IKEv1 NAT at Central-PF, where Site-A is NATed to Central’s LAN IP before forwarding to Site-B

I’m aware that when both IPsec tunnels use IKEv2, NAT works fine and there’s no need to configure BINAT or additional Phase 2 entries. However, in my situation — with mixed IKE versions — the NAT rule doesn’t appear to work as expected.

If anyone has resolved this exact case or has real-world experience with this specific type of mixed IKE/IPsec/NAT scenario, I would greatly appreciate your insights.

Thanks again!

@dcugy I would update to the latest CE 2.8.0-RELEASE and report it when it happens again.

wanted to see if i could try pfsense+ edition which used to be free but for some reason i can't seem to find that key, isn't it free for home users anymore?