• IPSEC initiation from one side only

    0 Votes
    8 Posts
    2k Views
    Config can differ as initiator vs. responder. UDP 500 traffic could be blocked in that direction but not the opposite. Regardless, you need to look at the Juniper side and see why it's not replying.
  • P2 problems pfSense <-> Juniper

    0 Votes
    2 Posts
    1k Views
    The Juniper is first not replying, and second, sending a delete. No way to tell anything useful from that side's logs in that case, check the logs on the Juniper side.
  • IPSEC address to address

    0 Votes
    1 Posts
    807 Views
    No one has replied
  • Phase 1 problem after phase 1 lifetime ends

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Insight into ipsec traffic

    0 Votes
    1 Posts
    573 Views
    No one has replied
  • Client VPN and then Site to Site VPN traversal (possible?)

    0 Votes
    3 Posts
    1k Views
    I am trying to do the same but confused as to your explanation. Any screenshots would be great!
  • IPSEC widget error

    0 Votes
    14 Posts
    4k Views
    2.3 is not affected :)
  • L2TP, Private Network -> Public Network

    0 Votes
    2 Posts
    765 Views
    Seems like pfSense auto-adds a NAT rule (the default "Automatic outbound" is selected in "Firewall: NAT: Outbound"). I changed Outbound to "Hybrid outbound" and added a "Do not NAT" exception with the subnet used for L2TP; see attachment. The image is manipulated to mask my real IP/mask, instead using 8.8.8.0/29 as the example, as in my previous post.
  • Bounty offered: IKEv2 for iOS and OSX mobile client

    Locked
    0 Votes
    9 Posts
    3k Views
    Ok, my solution is posted to a new post, to keep things clean. https://forum.pfsense.org/index.php?topic=106433.0 Imagine how pleased I was to find that the forum does not support markdown and I had to reformat the whole thing!!! It would be great if that post could be 'stickied' if this forum supports that, at least for as long as the instructions are valid!
  • No traffic over ipsec

    0 Votes
    4 Posts
    1k Views
    IPsec tunnels need NSA/GCHQ approval before becoming functional; I had that several times in the past. OpenVPN they apparently crack on-the-fly, so they "work" out of the box… ;-)
  • IPSEC Tunnels / Routing in between

    0 Votes
    8 Posts
    2k Views
    Sorry, my bad. I did this several times but the "branches" were in fact OpenVPN tunnels, and they were connected through an IPsec tunnel between the main sites. On the basis of how all this works, I don't think you can do what I mentioned earlier (although I never tried). Probably your best bet is to use some dynamic DNS so you can establish a direct Ph1 between the branches, since you'll be able to ditch the 0.0.0.0/0 requirement.
  • Site-to-Site + Synology Diskstation = Problems

    0 Votes
    2 Posts
    2k Views
    The plot thickens a bit more and I get more and more out of my depth. I have toggled the following value: net.inet.ip.redirect = 0 (default 1), and communication between the Diskstation and Azure has been restored. Have I set myself up for more problems by altering the above flag? Thanks in advance!
  • Forcing all traffic over IPSec VPN and the ability to do further routing

    0 Votes
    2 Posts
    1k Views
    jimp
    You can't "route" it in the traditional way but depending on what you're trying to do, it may still be possible. It's all up to the Phase 2 networks in IPsec. You can force all traffic over the tunnel from the LAN (local P2 net = LAN network, remote P2 net = 0.0.0.0/0) but that means everything from the LAN will be forced over IPsec. Once it hits the other side you'll have to pass it in the rules, NAT it outbound, etc.
  • IPSec Behind Nat

    0 Votes
    2 Posts
    2k Views
    dotdash
    I believe your real subnet must match your binat subnet. Try making your local subnet 172.16.10.1 or something to match.
  • 0 Votes
    2 Posts
    747 Views
    Update. I updated the firmware and this broke it completely. So I removed the VPN config and added it back in, and this worked again, with the same results: add a new user and it breaks. Any ideas?
  • Windows can't connect to pfSense IPsec IKEv2 if src and dst are both pfSense.

    0 Votes
    3 Posts
    1k Views
    I have two different sites with pfSense. At my place I also have pfSense. Trying to connect with IPsec VPN as a client to either site always results in error 809. All 3 places have simple one-LAN setups.
  • IPSec VPN Dropping / Reconnect Issues

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec site-to-site 80% slower than max speed

    0 Votes
    13 Posts
    19k Views
    @jamesbond: I also have a very similar problem with slow traffic over an IPsec tunnel. I am pretty newish to networking but want to know if this is normal behavior for an IPsec connection.

    Site A – Data center, has 100/100mb in and out.
    Site B – Home, has Virgin Media fibre broadband; the 150mb line gives me around 10mb upload max.

    I have set up a pfSense server 2.2.6 at the data center; my home network has a Draytek 2860. I have a Windows 2012 server in the DC, and when copying a file using Windows Explorer from home using a Windows 7 machine I get speeds of around 1.5MB when copying the file to the DC. I have also tried using pfSense at home to see if the Draytek router was the issue; it made no difference in speeds. I have also tested IPsec using Draytek router to Draytek router and noticed very poor speeds when copying files across using Explorer. I have tested copying files across using FTP, getting similar speed to Windows Explorer. I have used iperf to test speeds between A-site and B-site and it shows decent bandwidth. Perhaps I am not understanding something, or some kind of Windows SMB limit etc.?

    CLIENT
        Connecting to host 172.16.1.10, port 5201
        [  4] local 192.168.50.102 port 50364 connected to 172.16.1.10 port 5201
        [ ID] Interval           Transfer     Bandwidth
        [  4]   0.00-1.00   sec  1.38 MBytes  11.5 Mbits/sec
        [  4]   1.00-2.00   sec  1.25 MBytes  10.5 Mbits/sec
        [  4]   2.00-3.00   sec  1.38 MBytes  11.5 Mbits/sec
        [  4]   3.00-4.00   sec  1.12 MBytes  9.44 Mbits/sec
        [  4]   4.00-5.00   sec  1.00 MBytes  8.38 Mbits/sec
        [  4]   5.00-6.00   sec  1.00 MBytes  8.39 Mbits/sec
        [  4]   6.00-7.00   sec  1.00 MBytes  8.39 Mbits/sec
        [  4]   7.00-8.00   sec   640 KBytes  5.24 Mbits/sec
        [  4]   8.00-9.00   sec  1.00 MBytes  8.38 Mbits/sec
        [  4]   9.00-10.00  sec   896 KBytes  7.34 Mbits/sec
        [ ID] Interval           Transfer     Bandwidth
        [  4]   0.00-10.00  sec  10.6 MBytes  8.91 Mbits/sec                  sender
        [  4]   0.00-10.00  sec  10.5 MBytes  8.81 Mbits/sec                  receiver
        iperf Done.

    SERVER SIDE
        Server listening on 5201
        -----------------------------------------------------------
        Accepted connection from 192.168.50.102, port 50363
        [  5] local 172.16.1.10 port 5201 connected to 192.168.50.102 port 50364
        [ ID] Interval           Transfer     Bandwidth
        [  5]   0.00-1.00   sec  1.16 MBytes  9.71 Mbits/sec
        [  5]   1.00-2.00   sec  1.38 MBytes  11.6 Mbits/sec
        [  5]   2.00-3.00   sec  1.33 MBytes  11.1 Mbits/sec
        [  5]   3.00-4.00   sec  1.13 MBytes  9.44 Mbits/sec
        [  5]   4.00-5.00   sec  1.09 MBytes  9.13 Mbits/sec
        [  5]   5.00-6.00   sec   954 KBytes  7.81 Mbits/sec
        [  5]   6.00-7.00   sec   986 KBytes  8.07 Mbits/sec
        [  5]   7.00-8.00   sec   653 KBytes  5.36 Mbits/sec
        [  5]   8.00-9.00   sec  1020 KBytes  8.35 Mbits/sec
        [  5]   9.00-10.00  sec   795 KBytes  6.51 Mbits/sec
        [  5]  10.00-10.10  sec   130 KBytes  10.9 Mbits/sec
        [ ID] Interval           Transfer     Bandwidth
        [  5]   0.00-10.10  sec  0.00 Bytes  0.00 bits/sec                  sender
        [  5]   0.00-10.10  sec  10.5 MBytes  8.73 Mbits/sec                  receiver
        -----------------------------------------------------------
        Server listening on 5201

    Actually I think I'm getting confused here: the file transfer I get using Explorer is roughly 1.5MB/s. 1 MB/sec = 8Mbps, so 1.5MB/s x 8 = 12Mbps, which kind of means there is no problem; I just lacked the basic foundations. A network guy explained this to me, which kind of does add up.
  • One way IPSEC VPN 2.2.6

    0 Votes
    3 Posts
    1k Views
    Hi, thanks for the response. I do though. On both sides, I have the following:

        ID  Proto   Source          Port  Destination     Port  Gateway  Queue  Schedule  Description
            IPv4 *  172.16.10.0/24  *     172.16.20.0/24  *     *        none
            IPv4 *  172.16.20.0/24  *     172.16.10.0/24  *     *        none

    Is it indicative of something that on the working side, the rule matched does not appear to be one of these I manually added? ih
  • AWS/VPC IPsec + BGP - 1 tunnel works, 2 tunnel disconnect every 40sec

    0 Votes
    1 Posts
    711 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.