• Multi VLAN routing over IPsec

    0 Votes
    5 Posts
    1k Views
    I wanted to see if I could get help doing the same idea but for my mobile clients. For example:
    Current topology: Network A 172.16.0.0/24, Network B 10.0.0.0/24, Network C 20.0.0.0/24.
    I want to grant specific clients access to the specific networks via IPSEC:
    Client A: P2 Network 0.0.0.0/0, Default route access to all networks
    Client B: P2 Network 10.0.0.0/24, Access to Lab A network
    Client C: P2 Network 20.0.0.0/24, Access to Lab B network
  • IP Sec Overview

    0 Votes
    1 Posts
    491 Views
    No one has replied
  • Every 8 hours ipsec does not reactivate the tunnel

    0 Votes
    1 Posts
    368 Views
    No one has replied
  • Paloalto

    0 Votes
    2 Posts
    402 Views
    I have a working IPSEC configuration between pfsense and palo alto. How can I help you?
  • Duplicate SAs with different IDs

    0 Votes
    1 Posts
    358 Views
    No one has replied
  • IPsec with EAP-TLS client cert auth failing [SOLVED]

    0 Votes
    8 Posts
    5k Views
    @hugh_jarse, thank you very much for this detailed post. I'll need some time now to work through it :P
  • Higher throughput with OpenVPN than IPSec. Can it be?

    0 Votes
    1 Posts
    518 Views
    No one has replied
  • Re-establish site-to-site IPsec on failover (CARP)

    0 Votes
    1 Posts
    532 Views
    No one has replied
  • IP SEC SITE TO SITE PFSENSE to ASAv using RSA

    0 Votes
    3 Posts
    1k Views
    When you imported the certificate, did you also import the key?
  • Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA

    0 Votes
    3 Posts
    521 Views
    I have many S2S between pfSense & ASA. Posting your configuration for both will help. To get the ipsec configuration from pfsense run:
    cat /var/etc/ipsec/ipsec.conf
    In the ASA, look for it in your running config.
  • 0 Votes
    1 Posts
    395 Views
    No one has replied
  • 0 Votes
    3 Posts
    778 Views
    This is solved. Turns out I didn't check "disable rekey" under the advanced config on the Phase 1 settings in pfsense.
  • How-to on GRE over IPSEC?

    0 Votes
    2 Posts
    2k Views
    It can be done but with a couple of caveats. The main problem is that you have to pretty much turn off the firewall over the tunnels (!!!) due to #4479. Also, strongSwan cannot currently establish 2 tunnels to the same destination IP from different interfaces (because the gateway selection is based on hidden static routes). To overcome this you can do the other way around, first GRE and then encrypt the tunnels (IPsec-over-GRE) or even set up another tunnel inside the other one. Finally, you can use OSPF to handle the failover but beware there is a long going unresolved issue with Quagga in which some routes are incorrectly marked as kernel routes and never cleared on restart, rendering the configuration useless. You may have better luck with frr. Two more points: remember to tweak MSS clamping appropriately to avoid performance issues, and also you can use GIF instead of GRE to save on some bytes. You can also achieve all the same thing with OpenVPN + OSPF by the way.
  • Upgrading to 2.4.2 broke my IPSEC VPN!

    0 Votes
    4 Posts
    3k Views
    Update - you were absolutely right! Switching DH groups fixed it. Wish I had spotted that, thank you!
  • Why aren't my end to end vpn speeds keeping up? (site to site)

    0 Votes
    4 Posts
    835 Views
    At this point I've been having a conversation with myself on this topic but I'm determined to provide some valuable information to someone who will inevitably come across the same dilemma that I have. So the past few nights I've been doing a lot of reading. WAN Accelerators, alternate protocols etc. Tonight I came across an article about transferring data across ipsec tunnels. One of the items the author mentioned was different speeds using different protocols. One of the protocols was http. Hmm. My NAS at home has a http front end and I remembered that it did some form of file transfer. I gave it a shot, uploading a 17.7 gig rar archive in 3 minutes and 11 seconds. Here's the tail end of the transfer: As you can see, it achieved full line rate 100+ MBps [image: http_zpsqd9natel.jpg] I see there are a number of Windows programs out there allowing for http transfer. Hopefully I can find a command line version or better yet some that might actually map a drive or at least allow me to send files to my NAS. That would be super. This could be just what I'm looking for to finally saturate my ipsec vpn for file transfer. Sure beats a four thousand dollar WAN Accelerator. Roveer
  • User supplied credentials, every connection for ipsec?

    0 Votes
    2 Posts
    412 Views
    Perhaps using captive portal somehow? The tunnels can be automatic but no use of devices on any of the ports without portal authentication? I've never used captive portal before… I'll have to go read up on it.
  • Mobile ipsec VPN traffic stops after 15 min 2.4.1

    0 Votes
    1 Posts
    296 Views
    No one has replied
  • StrongSwan DHCP plugin for access control

    0 Votes
    4 Posts
    1k Views
    What's the status about this?
  • AWS IPSec VPN <--> EdgeRouter <--> pfsense

    0 Votes
    2 Posts
    585 Views
    DerelictD
    IPsec requires forwarding of UDP 500, ESP, and maybe UDP 4500. Ubiquiti's forum would be the best place to ask about what to do on the edgerouter.
  • Exclude subnet from site to site ipsec?

    0 Votes
    1 Posts
    315 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.