IPsec

• Z

  IPsec over IPv6
  • zimbo2000

  2
  0
  Votes
  2
  Posts
  35
  Views

  L

  It depends on the endpoints. We have shortly tested dual-protocol (IPv6 and IPv4) endpoint with IPv4-only in the tunnel. It has mostly worked as expected with Windows 10 1803 and later, but because of https://redmine.pfsense.org/issues/9175 not at all with Windows 7 or Windows 10 before 1803.
• M

  VTI Ipsec Dynamic Rules
  • martintamare

  1
  0
  Votes
  1
  Posts
  5
  Views

  No one has replied

• S

  connection between ipsec mobile clients
  • serhanb

  1
  0
  Votes
  1
  Posts
  6
  Views

  No one has replied

• A

  IPSect Site to Site (Slow Upload) - (Fast Download) issue
  • AMD_infinium05

  18
  0
  Votes
  18
  Posts
  189
  Views

  B

  How do you know its not the ISP? I swear I've seen Comcast Residential throttle all kinds of things.
• C

  3 sites - routed ipsec - automatic redundant failover routing
  • ccb056

  1
  0
  Votes
  1
  Posts
  32
  Views

  No one has replied

• J

  SNAT From OpenVPN user to a IPSec tunnel possible?
  • JohnPulse

  6
  0
  Votes
  6
  Posts
  79
  Views

  J

  I have to admit, when I saw your post I thought that having a different number of Phase 2's on both sides would never work! However, it worked perfectly! I can now reach the other side from both my LAN subnet and my OpenVPN subnet. I cannot thank you enough, it was stupid of me trying to crack this one up for so long (weeks literally) when it was so fast to get awesome help here. Hope you have a perfect weekend. Thank you so much for giving me your time and even by trying the setup on your LAB. Regards, John
• M

  Traffic Selector unacceptable.
  • mirtiza

  14
  0
  Votes
  14
  Posts
  131
  Views

  

  No. You need to use a site-to-site to route tunnel networks like you are trying to do. Mobile IPsec assigns one and only one address to a connecting client. It doesn't "route" subnets like a site-to-site tunnel. You need to work around dynamic IP addresses with something like dynamic DNS for each endpoint. Nothing you come up with there will be perfect. Especially if the addresses simply change abruptly. Set each side to update a Dynamic DNS entry pointing to their actual, routable, outside WAN address. Tell each side to connect to the FQDN of the DynDNS entry on the other side. Set each side to use their own FQDN as the IKE identifier locally, and the other side's FQDN as the remote identifier.
• S

  Number of IPSEC's Vpn
  • sbouraoui

  2
  0
  Votes
  2
  Posts
  57
  Views

  

  Depends on the hardware. At least dozens. Possibly hundreds. There is no set limit but there are practical limits that vary by installation (like hardware and webgui performance for managing them all.)
• S

  strange openvpn ipsec routing problem
  • soujiro

  1
  0
  Votes
  1
  Posts
  34
  Views

  No one has replied

• H

  IPSEC Phase 2 Duplicate Causes VPN Tunnel to get stuck
  • Harow

  17
  0
  Votes
  17
  Posts
  430
  Views

  

  @harow Five days in, and no further problems of multiple P2's. The only thing I've changed is that the P1 is set to not initiate (respond only) to rekey. Will update again if this fails again.
• L

  Access to IPSec on VLAN
  • lukeren

  2
  0
  Votes
  2
  Posts
  43
  Views

  L

  Solved it by adding a P2 for the LAN and blocking all traffic except 1812/tcp from the AP.
• T

  IPsec failover - without dyndns
  • TheTomTom

  2
  0
  Votes
  2
  Posts
  96
  Views

  T

  I would think that would work, though I have not tried automating anything like that. I have successfully used dynamic DNS though. I've currently started learning about IPSEC VTI so I can have routed IPSEC. From the sounds of the documentation, though, you could also have policy based routing: "Policy Routes To policy route traffic across a routed IPsec tunnel, use the assigned IPsec interface gateway in firewall rules as usual for policy routing. See also Directing Traffic with Policy Routing" See here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html (Note: I haven't tried that and can't speak to how well it may or may not work)
• S

  Phase 2 rekey takes 180 seconds
  • scourtney2000

  11
  0
  Votes
  11
  Posts
  102
  Views

  

  No. The tunnel interface addresses are specified in the Phase 2 configuration.
• R

  Mobile IPSec working but was expecting _route all_ and that's not happening
  • roveer

  8
  0
  Votes
  8
  Posts
  68
  Views

  

  @roveer said in Mobile IPSec working but was expecting _route all_ and that's not happening: So you actually took the time to reply to my post and to say. You are stupid and you don't read. That's how it came off. Not very helpful. Not all of us are perfect. You need to be aware of your failures so you can avoid them in the future.
• S

  network issues - vti - gateway_alarm restarts all tunnels
  • shalles

  6
  0
  Votes
  6
  Posts
  142
  Views

  S

  Thank you, for your feedback! I will give it a try. Sebastian
• C

  L2TP - IPsec - blocked communication - Interface NG0
  • cigu

  5
  0
  Votes
  5
  Posts
  69
  Views

  C

  Thanks Konstanti. I reload Outband and start to working. Thanks a lot!
• T

  AWS VPC second tunnel drops after certain amount of time (therefore receiving AWS notifications regarding VPN connections now and then)
  • TomWork

  4
  0
  Votes
  4
  Posts
  82
  Views

  

  Right. Sometimes you need to log to an external server to solve issues like this.
• S

  IPSEC mobile client in transport mode: possible? No subnets defined somehow
  • sgw

  17
  0
  Votes
  17
  Posts
  84
  Views

  K

  @sgw You can always create a static route to the server network , but it is better to do everything correctly so that the server itself sends this information to the client )))
• N

  6th and 7th IPSec tunnel traffic not passing
  • naiw

  4
  0
  Votes
  4
  Posts
  86
  Views

  

  All of your p2's are unique? Are you seeing anything in the logs?
• 

  Wireless Internal Protection + Remote User VPN
  • skilledinept

  2
  0
  Votes
  2
  Posts
  36
  Views

  

  Nowhere close to enough information to help. Detail the various parties by IP address/network. You might have to diagram it.
• O

  Clients in OPT1 network not reachable through tunnel
  • OM606

  3
  0
  Votes
  3
  Posts
  83
  Views

  

  If you can ping the far side pfSense interface address but not the hosts behind it it is almost always a firewall on the target host itself (think windows firewall). That or their default gateway is not the pfSense firewall. Since traffic works the other way that pretty much rules that out.
• T

  VPN connects but I can't access pfSense.
  • TomT

  9
  0
  Votes
  9
  Posts
  98
  Views

  Z

  Thanks As far as I can tell the WebConfigurator CA is added to me device. Not sure why this works on the LAN and Wifi, but not VPN. I'd appreciate any help with this. Thanks
• A

  Can a remote VPN user (client) access other VPN IPSEC site to site?
  • alessdom

  3
  0
  Votes
  3
  Posts
  75
  Views

  A

  Thanks!, I've found a similar solution that doesn't require partner side intervention. I've added customer network in OpenVpn : Tunnel Network 10.0.2.0/24 Local Network: 10.0.1.0/24, 172.25.0.0/16. Then I've added Phase 2 with NAT: Local Network 10.0.2.0/24 NAT: 10.0.1.0/24 Remote Network: 172.25.0.0/16 It works!
• A

  IPsec VPN to Fortigate
  • Antonio23

  1
  0
  Votes
  1
  Posts
  59
  Views

  No one has replied

• A

  ipsec site to site vpn
  • acp

  8
  0
  Votes
  8
  Posts
  145
  Views

  A

  OK matched the Encryption Algorithm and Hash algorithm and PFS key group again on both pfsesne and cisco and added Lan ip of Cisco to advanced config on pfsese to ping. and it all now works, can ping from the firewall on both sides to local internal pcs. but now need to figure out routing from local subnet of site A to local subnet of site B and vice versa
• L

  IPSec traffic fails.
  • LCCox

  10
  0
  Votes
  10
  Posts
  121
  Views

  L

  I can't track the other side, that is the Vendor. I don't have control or access to that. I can track the connection the company location that fails, but it is up at the moment. No problems right now.
• J

  Amazon VPC shows connected but no traffic passes
  • jwilson_chess

  2
  0
  Votes
  2
  Posts
  56
  Views

  J

  I've tried restarting the tunnels but still get zero packets through. Is this a routing issue or something else?
• S

  Mobile IPSec VPN works but does not follow 302 redirects
  firewall nat ipsec vpn mobil • • svarto

  26
  0
  Votes
  26
  Posts
  228
  Views

  S

  @Konstanti I attach a network diagram of my setup to make it clearer. This is what is weird, when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get errors any errors just timeouts. I can access everything on the internal LAN and internet, except, I cannot login into certain webservices. When I enter my password and press login, it just stalls - the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser. However, when I am on my phone on the internal wifi over the VPN (option 2), then I click login and get redirected instantly to the dashboard of the webapp. I can also reach the webapp from outside my network as I have a reverse proxy (option 3), and this works fine. The reason I want to set up the Mobile IPSec VPN is that I want to close down the reverse proxy I have set up so that I can only access my webservices over the VPN and not anymore expose them directly to the internet.
• 

  IPSec VTI: IPv4 Working/IPv6 NFW
  • MMapplebeck

  5
  0
  Votes
  5
  Posts
  111
  Views

  

  I'm assuming this is a feature that just isn't supported by pfSense yet then. That would be a safe assumption where VTI was just introduced in 2.4.4 I'm going to test the native IPv6 P1 and see if that changes anything, if not, I'll look at some other manner of carrying and distributing my IPv6 routes. I may just end up using a GIF tunnel for my IPv6, and I should still be able to use OSPF6 on the GIF interface.
• M

  TCP issue inside the tunnel
  • monster4000

  11
  0
  Votes
  11
  Posts
  153
  Views

  M

  Hello MSS seem to done the trick, what is MMS? I already had the other change due to proxmox kvm
• C

  IPSec Mobile VPN client cannot go to OPT1 network
  • CheeMG

  5
  0
  Votes
  5
  Posts
  132
  Views

  

  Yup. Windows 10 requires manual manipulation of the client routes in powershell. It's an extremely helpful feature.
• Y

  IPSEC VTI disable gateway monitoring ?
  • Yathus

  1
  0
  Votes
  1
  Posts
  68
  Views

  No one has replied

• B

  IPSEC messages and behavior has me confused
  • bigtfromaz

  5
  0
  Votes
  5
  Posts
  76
  Views

  B

  @derelict True that, Azure is pretty opaque in that regard. I spent a lot of time trying to collect their Gateway logs. You can get stats, metrics, connection summary (up/down), ping, trace and next hop; no detailed connect-time logs. I don't want to set up an environment where I am unsure how it works. So I will remove 192.168.122.0/24 from the local network definition file on Azure and see what happens. Azure should stop asking. If that works then I'll add new P1/P2 connections from all my off-site pfSense routers to Azure. That will require us to maintain more connections and keys, something I was hoping to avoid. On the positive side, it'll save a small amount of traffic. Will post again after that's been tried. Thanks for the insight.
• C

  invalid HASH_V1 payload length, decryption failed after registering several P2's
  • cukal

  3
  0
  Votes
  3
  Posts
  89
  Views

  C

  I click disconnect & reconnect a few times and with some luck out of 6 clicks it will register/enable the 4 P2's.
• P

  Phase 2 : "invalid HASH_V1 payload length" error
  • Peter2121

  10
  0
  Votes
  10
  Posts
  283
  Views

  C

  @Konstanti Thanks for pointing that out to me ;) 2.4.4-p2 is messing up IPSec tunnels for me. Using the max_ikey1_exchanges fixes it for a while but after a P1 renegotiation (set to 3600) the invalid HASH_V1 payload length, decryption failed? returns. When manually disconnecting the P1 it reconnects and a single P2 is created. Disconnecting a second time and all 3 P2's are again present. This config has been working for months on 2.4.3-p1. Where should I start looking?
• K

  IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1
  • kuschi

  27
  0
  Votes
  27
  Posts
  738
  Views

  K

  Any news from anybody regarding this issue? I still have troubles with dropping connections. Thanks, Martin
• M

  IPSec not following config
  • missfox

  6
  0
  Votes
  6
  Posts
  141
  Views

  M

  Fixed it, Layer 8 issue... somehow mixed up the public IP addresses of the phase 1 on the azure side. Thanks for the help though :)
• M

  pFsense as private VPN client P2TP
  • marian78

  1
  0
  Votes
  1
  Posts
  62
  Views

  No one has replied

• J

  Phase 2 Not starting until remote sends traffic
  • joshv

  2
  0
  Votes
  2
  Posts
  101
  Views

  

  The current defaults should be good. The current defaults are IKE SA, IKE CHILD SA, and Configuration Backend to Diag. Everything else Control.
• F

  INVALID_IKE_SPI from Cisco ASA
  • fbackes

  1
  0
  Votes
  1
  Posts
  63
  Views

  No one has replied