• Scaling IPsec (and VPNs in general)

    Pinned
    2
    15 Votes
    2 Posts
    6k Views

    Thank you!

  • NAT via two PFSense Firewalls connected via IPSec

    4
    0 Votes
    4 Posts
    50 Views

    @zulasch
    This would require that you have defined an SPD for the "users" IP and the webserver in IPSec. But the client's IP is dynamic. So it would only work if you route the whole upstream traffic from the webserver over the VPN, which might not be what you want.

    It would work with any other kind of VPN though, which gives you the possibility to assign an interface to. Could be OpenVPN, Wireguard or IPSec VTI.

  • Pfsense Multi WAN IPSec Setup Issues

    1
    0 Votes
    1 Posts
    12 Views
    No one has replied
  • 0 Votes
    2 Posts
    360 Views
    GertjanG

    @Yamka said in TheGreenBow VPN Client issue with access through WAN with router in DMZ mode.:

    TheGreenBow VPN Client

    Is this a VPN application on a device, the device is connected to the pfSense LAN?

  • IPsec Tunnel - LAN can’t reach VPN clients

    1
    0 Votes
    1 Posts
    56 Views
    No one has replied
  • IPsec connection stops working upon large or fast data

    1
    0 Votes
    1 Posts
    47 Views
    No one has replied
  • IPSec Export: Apple Profile PHP error

    1
    0 Votes
    1 Posts
    37 Views
    No one has replied
  • Cannot go to Internet in IPSec Road Warrior tunnel

    1
    0 Votes
    1 Posts
    138 Views
    No one has replied
  • Turn off NAT-T in an IPSec Tunnel --

    5
    0 Votes
    5 Posts
    510 Views

    @Phonebuff said in Turn off NAT-T in an IPSec Tunnel --:

    The connection is created and will stay active for hours, until I start doing something like a "netstat -rn", and then, while the session is up, the terminal becomes unresponsive until Putty fails with a Connection Error.

    Hoping someone has some ideas on where to start troubleshooting this so I can resolve the issue.

  • 0 Votes
    3 Posts
    343 Views

    @viragomann
    Thank you for your response — I really appreciate you taking the time to help.

    However, I’ve already tested the exact scenario you're suggesting. Unfortunately, it didn’t work in my case. What I’m specifically looking for is feedback from someone who has successfully implemented Source NAT in a setup that matches my parameters, particularly:

    Site-A to Central-PF using IKEv2
    Central-PF to Site-B using IKEv1
    NAT at Central-PF, where Site-A is NATed to Central’s LAN IP before forwarding to Site-B

    I’m aware that when both IPsec tunnels use IKEv2, NAT works fine and there’s no need to configure BINAT or additional Phase 2 entries. However, in my situation — with mixed IKE versions — the NAT rule doesn’t appear to work as expected.

    If anyone has resolved this exact case or has real-world experience with this specific type of mixed IKE/IPsec/NAT scenario, I would greatly appreciate your insights.

    Thanks again!

  • 0 Votes
    2 Posts
    236 Views
    patient0P

    @dcugy I would update to the latest CE 2.8.0-RELEASE and report it when it happens again.

  • IPSec connections breaking or wireguard

    5
    0 Votes
    5 Posts
    482 Views

    Wanted to see if I could try pfSense+ edition, which used to be free, but for some reason I can't seem to find that key. Isn't it free for home users anymore?

  • 0 Votes
    1 Posts
    144 Views
    No one has replied
  • VPN to Mexico

    1
    0 Votes
    1 Posts
    121 Views
    No one has replied
  • Modify IPSec auto generate key button

    1
    0 Votes
    1 Posts
    134 Views
    No one has replied
  • (How TO) Deploying IKEv2 with EAP-MSCHAPv2 in Domain with group policy

    3
    0 Votes
    3 Posts
    7k Views

    For some reason this is not working under Windows 11 24H2.
    I assume it has something to do with local access rights since I am also not able to copy the file via explorer directly from the network share to C:\ProgramData\Microsoft\Network\Connections\Pbk (as local admin without elevated rights).
    When I first copy the file to Downloads, then I am able to copy it in a second step to C:\ProgramData\Microsoft\Network\Connections\Pbk.

    Any ideas?

    Indiana Horschd

  • Route all subnet traffic over specific IPSec tunnel

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • IPsec performance inconsistent and slow

    3
    0 Votes
    3 Posts
    352 Views

    @tinfoilmatt thanks. The iperf3 tests are done on hosts, not on the firewalls directly.
    Interestingly, I've since also set up a WireGuard VPN and that seems to work a little better than IPsec, but still 20-30% slower with large file transfers over FTP than going over the WAN.

    Following the guide on Netgate's website for WireGuard, I noticed that they clamp down the packet size by adjusting the MTU rather than the MSS, I don't know if there's a reason for doing it like that.

    But as I'm seeing the WireGuard performance still a bit off, maybe it's not just an IPsec thing? I did wonder if the CPU was the bottleneck, but they never go above 20% or so usage so I doubt it's the processor that's the bottleneck.

  • vti IPsec, gateway not adding static routes on 24.11

    7
    0 Votes
    7 Posts
    863 Views

    OK, this has been working correctly for a couple months, but a few days ago the interface "lost" the IP address.
    The router hasn't restarted, nor can I find anything in the logs. Had to reassign an IP address and it just continued to work.
    I will try to dig deeper in the gateway address handling to see if I find the bug.

  • Mobile Clients losing connectivity after 60 minutes

    5
    0 Votes
    5 Posts
    572 Views

    I have run into the same issue a while ago.
    As others have mentioned, it is due to Windows using DH group 2 (1024 bit) at re-key time, even if the P1 and P2 are configured with a stronger DH group.

    Changing the re-key interval to something like 9 hours is the easiest way to minimize disruption.

    Other options are to create the client connections using PowerShell to specify a higher DH group, or use DH group 2 on the server.

    https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2025-ps

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.