• IPSec LAN-to-LAN Source IP

    2
    0 Votes
    2 Posts
    464 Views
    M
    I managed to solve my problem by removing the routes that were added:
    route del 192.168.190.113
    route del 192.168.190.116
    Then I did:
    route add 192.168.190.113/32 -iface vtnet3
    route add 192.168.190.116/32 -iface vtnet3
    Is there any way I can do this through the webpanel?
  • PfSense to OpnSense ipsec tunnel ssh problem

    4
    0 Votes
    4 Posts
    1k Views
    P
    I tried setting the MTU to 1400 on the LAN interface, but this had no effect on the ssh connection. I also set the MSS within the IPSEC settings to 1360, but again it didn't help. I never tried the WAN interface. I have now set the MTU to 1400 on the target servers and this has worked; however, I would still prefer to find a solution that affects only the tunnel traffic.
  • IPSEC connected, works in one direction?

    5
    0 Votes
    5 Posts
    811 Views
    B
    I snipped some screenshots. First, the tunnels on my home box [image: home%20box.png?raw=1] main office [image: office.png?raw=1] branch office [image: branch.png?raw=1] See anything obvious? Feel free to shame me mercilessly :-)
  • Internet slowness over VPN

    3
    0 Votes
    3 Posts
    908 Views
    K
    I will keep that in mind as a possible bug for future builds when I am looking for issues. VPN performance is my number one most important thing.
  • IPSec Mobile Clients are NOT provided with a list of DNS Servers

    2
    0 Votes
    2 Posts
    1k Views
    S
    I second that. Even if you specify DNS Servers in MOBILE settings, they do not get added in ipsec.conf. RIGHTDNS got implemented in Strongswan 5.0.1. How can I add this variable to ipsec.conf?
  • StrongSwan problem with IPSEC

    2
    0 Votes
    2 Posts
    1k Views
    P
    Today it flaked out AGAIN and I had to reboot the 24.247.x.x firewall.  The Internet works, 0% latency, everything looks great BUT the IPSEC tunnel crashes and won't come up UNTIL something is rebooted.  I can restart IPSEC services until I'm blue in the face and I've got nothing UNTIL the dumb thing is rebooted. Good thing I didn't have to reboot the other router because that's the one with multiple sites connected to it.  The 24.247.x.x is the remote site. Anyone else experiencing these issues?  We didn't have these issues on the 2.3.x versions of PFSense!  These are PFSense boxes from PFSense too, the rack mounts.
  • IPSEC / L2TP VPN with Windows Client and Active Directory

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec failing Phase 2

    2
    0 Votes
    2 Posts
    990 Views
    No one has replied
  • Mobile Client with Windows 10 Built In VPN (Domain Issues) - RESOLVED

    2
    0 Votes
    2 Posts
    1k Views
    D
    Fixed by adding mydomain.com to the "DNS Suffix for this connection" option in the VPN adapter on Windows
  • Multiple remote networks without IPSEC

    1
    0 Votes
    1 Posts
    341 Views
    No one has replied
  • Tunnel with PFS and a WatchGuard Firebox XTM 850

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    N
    It turned out that the firmware on the Firebox is older and can be updated. With firmware > 12 it works immediately.
  • IPSec mapping from central location

    13
    0 Votes
    13 Posts
    2k Views
    DerelictD
    That doesn't look right either.
    SITE A - SITE B    P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
    SITE A - SITE C    P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24
    Don't want the same traffic selector on SITE A to two different sites.
  • Ipsec over FIOS gigabit with AES-NI - Glory and flames, set me straight.

    11
    0 Votes
    11 Posts
    2k Views
    M
    Is that a 100 MBps or 100 Mbps?
  • Help setting up site-to-site relay

    1
    0 Votes
    1 Posts
    391 Views
    No one has replied
  • IPsec VPN between two pfSense clusters is disconnecting occasionally

    1
    0 Votes
    1 Posts
    325 Views
    No one has replied
  • IPSec on all incoming connections but not outgoing

    1
    0 Votes
    1 Posts
    365 Views
    No one has replied
  • Using pfSense as AWS VPC Gateway over VPN - RESOLVED

    3
    0 Votes
    3 Posts
    1k Views
    M
    Found it! You need to set the local network in the phase 2 to be 0.0.0.0/0 not the LAN network or interface.
  • Phase 2 - Traffic Selector using LAN network for Other network

    1
    0 Votes
    1 Posts
    484 Views
    No one has replied
  • 0 Votes
    6 Posts
    2k Views
    V
    This string in the ipsec log looks bad:
    Jan 4 22:15:07 charon 11[IKE] <con2000|152> IDir '213.132.56.218' does not match to '192.168.3.2'
    Which is evidently a consequence of setting a private IP as the remote peer ID: Peer identifier = 192.168.3.2
    Probably, you need to set Peer identifier = 213.132.56.218
  • ESP Null encryption

    2
    0 Votes
    2 Posts
    678 Views
    jimpJ
    It's not supported, and probably won't be. "security folks are insisting we use ESP with Null encryption" Those are not "security folks". If the equipment on the other end can't handle the encryption load, get better equipment.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.