  • Site to Site IPSec IKEv2 (0 votes, 1 post, 695 views, no replies)
  • Mobile IPSec clients cannot see Site To Site IPSec LAN (0 votes, 7 posts, 2k views)

    @Derelict: firewall rules go on the interfaces the traffic arrives into. So connections from IPsec go on the IPsec tab. You'll have to post rules, IPsec settings etc. Hard to say what you have done wrong.

    Hello, and Happy New Year. Sorry for the late reply, but, Christmas break and all... Anyway, just wanted to say that you pointed me in the right direction and I was able to solve the problem. Many thanks!

    For those ending up here after searching for the same problem, here's how I resolved it based on Derelict's input. He may want to change some of the below; however, this is working for me now.

    If there is a Site to Site (S2S) VPN tunnel in place between, say, Head Office (Site "A") and a Branch Office (Site "B"), and you want your Mobile Clients to be able to connect to Site "A" remotely and see Site "B", you need to perform the additional setup below. The idea here is that you need to take the traffic from the Mobile VPN client that is destined for Site B's network, and:
    o Tell the Mobile Client's routing to pass Site B's LAN addresses over the VPN.
    o Hand it off to Site A's local LAN (Mobile Phase 2 entry on Site A).
    o Site A's LAN firewall needs to allow it, NATting the traffic to Site B's network (IPsec firewall tab on Site A).
    o Site A's LAN passes it along to Site A's VPN tunnel (S2S VPN Phase 2 entry on Site A).
    o Site B's VPN tunnel passes it along to Site B's local LAN (S2S VPN Phase 2 entry on Site B).

    In this example, we will use the following data:
    o Mobile VPN client network: 172.16.10.0/24
    o Site A local LAN network: 10.5.0.0/16
    o Site B local LAN network: 10.6.0.0/16

    SITE A: Additional Phase 2: Mobile Clients
    Navigate to VPN -> IPsec. On the "Tunnels" tab, click "Show Phase 2 entries" under "Mobile Clients". Create a new Phase 2 entry with the following settings:
    o Mode: Tunnel IPv4
    o Local Network: 10.6.0.0/16
    o Description: Whatever you want. EG: Sales Office LAN
    o Protocol: ESP
    o Encryption Algorithms: AES 256 bits
    o Hash Algorithms: SHA1, SHA256, SHA384, SHA512
    o The rest is default.
    o Save and Apply.

    SITE A: Additional Phase 2: S2S VPN
    Add a new Phase 2 entry under your existing S2S VPN as follows:
    o Mode: Tunnel IPv4
    o Local Network: Your Mobile VPN Network (EG: 172.16.10.0/24)
    o Remote Network: Your Site B LAN Network (EG: 10.6.0.0/16)
    o Encryption Algorithms: AES 256 bits
    o Hash Algorithms: SHA1
    o The rest is default.
    o Save and Apply.

    SITE A: Firewall Rules
    Go to Firewall -> Rules, IPsec tab. Add a new rule below the existing one with the following settings:
    o Interface: IPsec
    o Address Family: IPv4
    o Protocol: Any
    o Source: Network, your Mobile VPN Network (EG: 172.16.10.0/24)
    o Destination: Network, Your Site B LAN Network (EG: 10.6.0.0/16)
    o Save and Apply.

    SITE B: Additional Phase 2: S2S VPN
    Add a new Phase 2 entry under your existing S2S VPN as follows:
    o Mode: Tunnel IPv4
    o Local Network: Your Site B LAN Network (EG: 10.6.0.0/16)
    o Remote Network: Your Mobile VPN Network (EG: 172.16.10.0/24)
    o Encryption Algorithms: AES 256 bits
    o Hash Algorithms: SHA1
    o The rest is default.
    o Save and Apply.

    Mobile Client Setup
    You will need to tell your mobile client's OS to pass Site B's LAN traffic over your VPN connection. I will cover Windows 10 for this. Open a privileged PowerShell and run:
    Add-VpnConnectionRoute -ConnectionName "PRP" -DestinationPrefix 10.6.0.0/16 -PassThru
  • VPN VoIP Problems (0 votes, 2 posts, 662 views)

    All is good with a new Fritzbox 6590. The thread can be marked as solved.
  • IPsec, connecting and sending packets, not receiving them (0 votes, 1 post, 419 views, no replies)
  • How to read an IPSec-Log (0 votes, 12 posts, 16k views)

    Several years after these pertinent remarks, it is sad to see that nothing has been done to make the log display readable. Happy new year anyway ;D
  • IPsec not using AES-NI? (0 votes, 2 posts, 1k views)

    Fixed that... Changed encryption to: AES-128-GCM / SHA256 / DH 14 and IPsec performance jumped to 877 Mbit/sec.
  • Did the 2.4.2-RELEASE-p1 update ruin IPSEC IKEv2 mobile access? (0 votes, 1 post, 456 views, no replies)
  • IPSec connects to CISCO but cannot ping each other (0 votes, 1 post, 357 views, no replies)
  • 1 to 1 NAT through IPsec (0 votes, 1 post, 387 views, no replies)
  • IPSEC VPN restrict access (0 votes, 6 posts, 1k views)

    @Derelict: I don't know what "Office" is. What is the IPsec tunnel network or the remote networks? What is the Local LAN subnet?

    Hi. The remote office network is 192.168.10.0/24 and the local LAN is 192.168.25.0/24. I only want a couple of devices to have access via the VPN and be reachable from the VPN. These have been specified in the Office all. Thanks
  • IPSec VPN client on Ubuntu 17.10 (0 votes, 1 post, 708 views, no replies)
  • IPsec fails with 'No public key found' (0 votes, 1 post, 2k views, no replies)
  • Double Remote Network (0 votes, 4 posts, 754 views)

    Derelict: They both have to NAT if they also need to communicate with each other, btw.
  • Mobile IPSec Network Traffic (0 votes, 8 posts, 1k views)

    @Derelict: Split tunneling is more to do with the client settings than the server. For instance, in Windows 10 I'm pretty sure you need to manually set that in PowerShell, at least in some versions. Sorry, no Android here to test, and it too probably varies version-to-version.

    I had a feeling it may not be possible. I have just set up the internet to route through my VPN again (and tidied up my firewall rules a lot). Thanks for the help, both of you :)
  • Getting DNS over site-to-site IPsec VPN to Google Cloud (0 votes, 1 post, 543 views, no replies)
  • pfSense is blocking L2TP/IPSec even when Port Forwarding / NAT is enabled. (0 votes, 13 posts, 17k views)

    The "How to configure an L2TP/IPsec server behind a NAT-T" MS KB did not work for us. Running 2.2.4-RELEASE (i386). Not planning the upgrade yet. We're unable to forward L2TP traffic to the server behind NAT. We're seeing traffic coming in on port 4500 and the VPN connection is established; however, there is no routed traffic. All NPS policies seem to be fine. No firewall rules blocking. No ACLs blocking. We're not seeing anything behind this server.
    Forwarded traffic:
    o TCP/UDP 1701 WAN -> server
    o TCP/UDP 500 WAN -> server
    o TCP/UDP 4500 WAN -> server
    o AH protocol WAN -> server
    o ESP protocol WAN -> server
    The issue seems to be covered in this thread. Next step is to sniff some traffic and check what is going on. Any ideas?
  • Site-to-site WAN traffic through site B BUT with exceptions (0 votes, 6 posts, 1k views)

    I think I solved it by myself. My solution:
    o IPsec Transport mode between Site A and Site B
    o GRE tunnel over the IPsec-secured connection
    o Custom gateway with custom static routes
  • IPSec PSK+XAuth Client - How to set XAuth option? (1 vote, 4 posts, 3k views)

    @Daz22: Yes, this is possible. VPN/IPSEC/MOBILE CLIENTS: Enable IPSEC mobile client support; User database: Local database (selected); Save. In your P1 entry you should now have the option under P1 proposal. Make sure when you create your users you go back in and add the XAUTH VPN User dial-in. Hope this helps!

    jimp: That's the wrong direction. That sets up an Xauth server. OP wants pfSense to act as an Xauth client to a remote server.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.