Correction to my previous post: the working iOS 18.1.1 device actually does NOT have LE's CA cert manually imported. (LE is apparently now a trusted a root authority in iOS.)

The VPN configuration profile itself is self-signed however—and it's that signer's CA cert that's manually installed on this working device.

Doubtful that any of this is relevant. Just wanting to clarify. Apologies for any confusion.

@SteveITS Thanks Steve. I did not Disable Auto-added VPN rules. The block ports 500 and 4500 rules I added are being hit and the logs have been quiet, so looks like being at the bottom of the WAN list is okay.

There can be only one mobile P1 at a time. You can either remove the old one and create a new one, or change the settings on the old one to match what you want it to be now.

@reynold Actually you install Avahi as a package on pfsense, not on the windows clients.

@viragomann Hi!
Thanks a lot, ill try and let you know the result

Warm Regards

@johnpoz Correct. CGNAT is being rolled out, so I’m trying to switch anything that might be affected to v6.

@aneeshksurendran9007
If your current phase 2 doesn't cover the OpenVPN tunnel network, you need a second one.
IPSec phase 2 must always be added to both sites.

You can circumvent this, however, by natting the VPN clients access to an unused IP of the existing p2 at the main office.

@user-ng2100 Im also new!!! Nice to know that there's someone like me who are a beginner😁. Btw i dont know the answer, i just wanted to say hi, if i know someome who knows, ill let you know✌🏻

@oscar-pulgarin
Do you have multiple phase 2? If so you have to move this one up.

Do you need access the remote site, or are your only expecting incoming connections?

For incoming traffic add a rule to IPSec.
For connections to the remote site, add rules to the respective incoming interface.

@viragomann Hmm, is that common? I only have two routers in this case that I can test, and they don't do masquerading...

@Gblenn I will have a look at that, I did a bit of reading around that last night, but didn't delv deep enough etc.

Thank you

@Spyderturbo007

Assuming it is a hub and spoke topology:

main site:
first phase 2:
172.16.1.0/24 -> 192.168.50.0/24
172.16.0.0/24 -> 192.168.50.0/24

second phase 2:
172.16.1.0/24 ->172.16.0.0/24
192.168.50.0/24 -> 172.16.0.0/24

site 192.168.50.0/24
192.168.50.0/24 -> 172.16.1.0/24
192.168.50.0/24 -> 172.16.0.0/24

site 172.16.0.0/24
172.16.0.0/24 -> 172.16.1.0/24
172.16.0.0 -> 192.168.50.0/24

@dochy
Hey! Have you a solution for this problem? We have currently the same..."error writing to socket"

@unsichtbarre
No, it's not possible to route the traffic properly if the remote networks overlap.

You have to either change or translate one. But both of this have to be done on a remote site.
You can ask one of them to nat it for you.

@arrcy said in How to portforward over ipsec vpn:

I want incoming connections on siteA:766
to be port forwarded to 192.168.2.100:766 over the ipsec tunnel

Across a policy-based IPSec, this is only gonna to work if you either do masquerading on site B LAN2 with an outbound NAT rule or if you route the whole upstream traffic from B over A. The latter might not be desirable, I guess, the former has the drawback that you loose the information about the origin source IP.

It would work without this limitations with any other kind of VPN: routed IPSec, OpenVPN, Wireguard

preferably i also want Lan 3 and lan 1 also be able to access
10.0.0.1 without adding extra ipsec configuration but using
outbound NAT

Just add a phase 2 for each subnet pair, you want to connect.
LAN1 <> 10.0.0.0/24
LAN3 <> 10.0.0.0/24
Remember, that you have to add these p2 with exchanged local - remote networks.

@Gblenn Actually site B has minimal services, no suricate, snort pfblocker or anything else installed.
I'm clueless.