The ARM GCM Problem is gone. It was in 22.05 and after 23.01 GCM runs again.

I run my S2S with AES GCM 128, SHA256, DH19, and Upstream is the Iimit.
In Run my NAS Backup over it and if the Docis 3.1 Modem is stable, it run over Days with max Upsteam Speed.

JFYI. I've ended up with adding two extra pfsenses (for HA) that deals with ISP channels only

I have also posted this problem in the NAT section with more information to see if someone can help me.

Thanks you

@Dobby_ said in IPSEC is insanely slow, Less that 1/10th speed:

This should be the bottleneck

At least, from B to A. 35 Mbps is about 4 MBps max, but OP says that's 3 so OK.

@calmasacow How is this test transfer happening? SMB is slow over VPNs unless it's using SMB 3, as I recall. Try FTP or another method if possible. (also Windows 11 has a bug in the May update causing very slow VPN performance but I'm pretty sure that's with Windows 11 itself as the VPN client)

@calical https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure.html

recreated in a different order and now it works. first the phase2 without NAT and then the one with NAT.
Topic can be closed

Hard to say what that crash may have been but probably hit a bug in strongSwan more than anything.

It should be more stable on 23.05. Not only is it on a newer version of strongSwan, but the new version also fixes some locking issues that had sometimes caused charon to end up deadlocked.

@sunka

did you read through https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-connections.html#tunnel-does-not-establish

or there are various examples at https://docs.netgate.com/pfsense/en/latest/recipes/#ipsec

When you say "two computers" this is a site to site VPN?

@sunka said in Can't get IPSEC to connect, been trying for days.:

May 22 18:29:01 martin-Legion-5-15IAH7H charon: 16[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 22 18:29:01 martin-Legion-5-15IAH7H charon: 16[IKE] received AUTHENTICATION_FAILED notify error

This suggests that part of your handshaking is wrong.
SSLs or keys or a mix of the two or whatever the config is.

@operaiter said in Portforwarding on WAN Interface via Site to Site IPsec:

I did just double checked the rule. Furthermore I did setup a new rule with different traget and port. Still cant see outgoing traffic on pfSense interface.

The only reasons for this apart from NAT and filter rules, I can think of, is that the tunnel is not working properly.

Possibly the additional phase 2 is not correct or not accepted. Some IPSec implementations may reject this multiple phase 2 for the same or overlapping subnets.
You can check out the log for hints due this.

Same story for me on pfSense+ 23.01. Tried everything until I came across this post, which amazingly works. My use case is to iOS 16.4.1.

@meluvalli For now, I ended up switching to WireGuard. I much prefer to use IPSec though. IPSec seems more stable of a connection. I really would like to get to the bottom of this :(

I am struggling to diagnose this problem. I found this bug from 2017, which seems to be related: https://redmine.pfsense.org/issues/7801. Unfortunately the pull request references no longer work, thus I cannot find the exact changes.

I have tried all combinations for the System / Advanced / Firewall & NAT / VPN Packet Processing / Reassemble IP Fragments until they form a complete packet, but it does not have any effect on the issue. I seems like something is wrong specifically when using a VTI interface.

I think it is related to the default scrub rule with fragment reassemble as indicated here https://forum.netgate.com/topic/26822/allow-fragments-in-rules.

So, I have now tried, in a lab, to disable Firewall Scrub in System / Advanced / Firewall & NAT. With this, packets which require fragmentation are now working correctly over the VTI link!

However, I do not really want to disable pf scrub entirely. I am also a bit unsure whether this will break a lot of over parts of the network. Any idea on a better solution here for what I must believe is a bug?

Seems this is a known limitation: https://forum.netgate.com/topic/118063/dhcp-relay-over-ipsec-vpn/16

I have solved the issue. The cause was on hoster's network and I had to manually add vpc routes to go via pfsense server for office networks CIDR.

Also need to add that there was no such issue when we for example use openVPN since it masks the IP and in normal IPsec we have to know exactly where to send packages to. Thus some extra steps have to be done.

Figured it out - had to set a separate allow all Prefix List to each neighbour.

@scottself said in My IPSEC service hangs:

https://redmine.pfsense.org/issues/13014

It says on the redmine where it will be implented.

Plus Target Version: 23.05

Log entries on the pfSense, showing it's clearly getting the Ping response back; I'm just not sure how to find out what it's doing with it after that. I've removed a few repetetive entries but nothing that seems pertinent.

May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution May 4 14:57:21 charon 46137 16[JOB] next event in 88ms, waiting May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting May 4 14:57:21 charon 46137 09[IKE] <con2|12> sending DPD request May 4 14:57:21 charon 46137 09[IKE] <con2|12> queueing IKE_DPD task May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating IKE_DPD task May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting May 4 14:57:21 charon 46137 09[ENC] <con2|12> order payloads in message May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating INFORMATIONAL request 1585 [ ] May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating payload of type HEADER May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating ENCRYPTED payload finished May 4 14:57:21 charon 46137 09[NET] <con2|12> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (80 bytes) May 4 14:57:21 charon 46137 04[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] May 4 14:57:21 charon 46137 16[JOB] next event in 3s 999ms, waiting May 4 14:57:21 charon 46137 02[NET] received packet => 80 bytes @ 0x7fffdfdfa5f0 May 4 14:57:21 charon 46137 02[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] May 4 14:57:21 charon 46137 02[ENC] parsing header of message May 4 14:57:21 charon 46137 02[ENC] parsed a INFORMATIONAL response header May 4 14:57:21 charon 46137 02[NET] waiting for data on sockets May 4 14:57:21 charon 46137 09[NET] <con2|12> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (80 bytes) May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing body of message, first payload is ENCRYPTED May 4 14:57:21 charon 46137 09[ENC] <con2|12> starting parsing a ENCRYPTED payload May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload, 52 bytes left May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload finished May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying payload of type ENCRYPTED May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload verified, adding to payload list May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload found, stop parsing May 4 14:57:21 charon 46137 09[ENC] <con2|12> process payload of type ENCRYPTED May 4 14:57:21 charon 46137 09[ENC] <con2|12> found an encrypted payload May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed content of encrypted payload May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying message structure May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed INFORMATIONAL response 1585 [ ] May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks May 4 14:57:21 charon 46137 09[IKE] <con2|12> nothing to initiate

@viragomann We got it sorted out....

on the main the tunnel to the 3rd party on the local network was using 1.0/24 and this needed to be 0.0/16

@realtebo
This should work anyway. It only needs a properly configured p2 with a local subnet which includes an interface IP of pfSense.

Since this is basically my same problem.
I setup a site to site VPN.
Site 1 is a remote office.
Site 2 is our DC with our domain controller and DNS servers.
users at site 1 need to reach systems by DNS at site 2.

I added a Domain Override to the DNS resolver in the pfsense firewall at site 1 with our domain and the DNS server at site 2 to send the queries to. When I did this the only thing that can be resolved by a DNS is my primary Domain controller. It happens to be a DNS server as well.
I've tried adding the DNS servers at site 2 to the general setup DNS server list as well after the ISP DNS servers.
at Site 2 I have a watchguard firewall.
I looked at this as well https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html#ipsec-fwtraffic
but I don't think this is relates since if I set the DNS server on a local machine to the IP of the DNS server at site 2 I can resolve everything at site 2. I'd like to just do this through the pfsense at site 1.

I just put my domain DNS server as the primary DNS for the DHCP leases ( Services / DHCP Server / LAN) then google DNS, and then lastly our ISP DNS. Everything works as expected this way.

@obi Solved!
The problem was caused by remote network configuration that two vpn client use same P2 local ip.

Found a similar older topic:
https://serverfault.com/questions/734086/slow-cifs-file-copy-over-routed-network-with-different-bandwidths
However disabling Jumbo and Netbios doesn't help...
Our internet provider (TIM) suggested that's a CIFS issue, because windows file transfer works fast over LAN but not over WAN interfaces... In fact Iperf test values are in the order of 260Mbit/s, as sender and receiver, and that's good... They recommended to reduce Windows MTU to 1490 but the troughput is the same... Does anyone has some tuning to suggest?

@jimp Thank you sir, that did the trick, after I setup mobile config, applied settings and saved the authentication fields appeared.

Much appreciate the assist sir.

@bert-0
As you wrote above, the IPSec status shows that the connection is established. So it might not be blocked at all.

@michmoor

Look at the number of posts of that user : 1

So : on the triple point :

102848a4-c6ff-4f7b-b4a9-a931deea7d08-image.png

and flag the post.

Later on, as by magic, the polutware will be gone.