Thanks for your answer Jim! I'll try IKEv2 and the OpenVPN Clients then!

Today we were able to test. It just works! Lex

Hi, Firewall -> Virtual IPs -> Create an IP Alias. .10 as interface IP .11 as Virtual IP In the ipsec configuration you can chosse interfaces and virtual IPs. We are using diffrent IPs for IPSEP, OpenVPN and NAT - works fine! Regards

Hi All, thanks for the answers. We decided to take IKEv1 … Now it is working. :) Regards, M

@BlueKobold: If this will not help oyu out then you should better disable at home the VPN part if you are connecting to your home network internally. Really?  So because I didn't understand what you were talking about, you quit helping??  How RUDE!!!!

Reading again the whole documentation, experimenting almost everything, SOLVED by changing under Phase1 General information Interface From WAN to 1.2.3.4 (Carp WAN IP) Can't understand why, but I started to try everithing… now it does not go online (internet) but it pings remote ips.. and I have to understand if it's possibile, and how, to resolve some address using the remote local dns... but it's another story. F

Found out the trouble when another poster had a similar problem.  My error was that I had imported the server cert and not the CA cert.  Imported the CA cert into Trusted CA store and now progressing with authentication.

Solved it myself So I thought I would solve the last piece of the puzzle but it seems authentication failes for my user in radius (not the password of the user). Not sure why failing. Tried to change several modes like PEAP but same problem must be something with the user but what!!! I hade choosen password encryption MD5 for my user in FreeRadius. Strangely i though this was how the password was stored in FreeRadius but it seems that IPSEC couldn't resolve my password when it was encrypted. Sound wrong needs to be investigated.

There are endless different reasons you can have the same symptoms with IPsec. Please start a new thread with your logs and status output if it happens again, as it's almost certainly not the same root cause so that's the best bet for getting help.

I had a very similar problem last time. I could ping, but almost no other services work through the tunnel. I assume you has the right firewall settings in place? Especially when NAT-T is used for your IPSec connection, you surely can get into trouble with MTU. Do you use NAT-T? Go to IPSec -> Advanced Settings and set the Maximum MSS to 1350. This fixed the problem for me. Give it a try.

There is no mechanism to send routes over L2TP. It either sends all, or the client has to maintain its own routes.

They don't show in the GUI, but you'd see them in /tmp/rules.debug or the live pf rules (e.g. pfctl -sr)

Thanks for the reply! Both CA and server certs were generated in pfSense. I even tried deleting them and generating new ones. I'll try switching up the Phase 1 settings in a bit, see if that changes anything. I'll also take a looks to see what certs ipsec thinks is loaded.

I have this working, will post the configs for anyone's reference..