• Second remote peer in racoon or strongswan

    0 Votes
    3 Posts
    1k Views
    Yes, I know I can use a gateway group for the local side. I meant the remote side, sorry for being unclear.
  • IPsec IKEv2 iOS connection

    0 Votes
    1 Posts
    905 Views
    No one has replied
  • Site to Site with one side behind another router

    0 Votes
    6 Posts
    1k Views
    That's just the source IP of the traffic it's initiating; it has no relation to the identifiers. It will never show anything other than the actual IP assigned to the system in that particular log, since it can't source traffic from an IP that it's being NATed to elsewhere. The problem is somewhere else. Beyond that, what do you see in the IPsec logs?
  • Any to any IPSEC vpn

    0 Votes
    9 Posts
    2k Views
    I can understand your frustration but the curt comments you have received are correct.  Phase 2s don't work like that - IPSEC is not routing and it's certainly not a "cloud" that you simply bung packets into and hope that they know where to go.  Also ANY packets that do not match both parts of the P2 will not go over the tunnel.  This is especially important to remember if you try to daisy-chain sites together.

    eg, three sites: A -- B -- C

    To fully connect these you could do this with this number of P2s and the parenthesized (bracketed) number of P1s:

    A: AB, AB(C)                (1 x P1)
    B: BA, BC, B(C)A          (3 x P1)
    C: CB, CB(A)                (1 x P1)

    I think I got that right and that's a very simple star with 3 sites only.  Add a site D, only connected to C and the permutations become horrendous.

    With a mesh instead, where each site is connected to all the others and adding D (each pair is 1 P1 and a P2):

    A: AB, AC, AD
    B: BA, BC, BD
    C: CA, CB, CD
    D: DA, DB, DC

    ie (n-1)^2 Phase 1.  With the daisy-chain there is a different relation which someone could perhaps chime in with and for the simple case we could work out the fewest number of P1s and 2s required.  At the start of that discussion we'll be assuming a spherical tunnel 8) .... or not.

    Daisy chaining beyond two hops is really silly and even two hops should only be used if needed to get around a proprietary (Safe@Office anyone?) or technical limitation to the number of P1s available on a device.  It depends on more links working and is horrible to work out.

    This far I have deliberately shown the worst case, although I haven't even started on multiple subnets at each site.  Simply multiply the P2 numbers above by the number of subnets at both sites involved - yes that's effectively squaring them.  eg 2 subnets at A and B = 4 x P2s and 2 P1s in total.  Hmmm 8 sites and say 4 VLANs each is going to take some time unless there are some shortcuts.

    Nominally we have:

    (8-1)^2 = 7 * 7 = 49 P1s
    4^2 = 16 P2s per P1 => 49 * 16 = 748 P2s

    Now we get to the reasons why you might want to think about your network design before you start cranking out IPSEC on such a setup. There are at least two strategies that can help reduce the sheer number of P1s and P2s:

    1. Do all sites need to reach all other sites? If you have an HQ site + satellites where all the sat sites only need to get to HQ then probably no. This reduces the number of P1s to 2(n-1) = 2 * (8 - 1) = 14 (down from 49) in this example. However, if you have an AD DC at each site, you must fixup AD S&S so that the DCs can all sync properly.  The KCC is shit at working out things for itself.  See MS's docs for site bridging and all that bollocks.  If you are using eDir (unlikely, sadly) or OpenLDAP it's easier to deal with.  Other systems may need to be dealt with in various ways.

    2. Can we combine all the subnets at a site into one for the purposes of IPSEC? Careful choice of subnets at each site can reduce the number of P2s from n*m (n is the number at one site and m is the number at another) to 2 P2s per P1 - this can really scale!  For example:

    Site A has 20 VLANs: 10.1.{1,2,3 ... 20}.0/24
    Site B has 50 VLANs: 10.2.{1,2,3 ... 50}.0/24

    With IPSEC we setup the P1 in the usual way to join site A and B but for P2 we can refer to Site A's subnets as 10.1.0.0/16 and Site B's as 10.2.0.0/16 for 1 P2 at each end, or 2 P2s in total.  As an added bonus we can add another (253 minus the number of subnets in use) subnets at each site and it will still work.

    Results for 8 sites, each with 4 subnets:

    Random set up => (n-1)^2 P1 and (n-1)^2 * sum(n * m) P2
    My notation for the P2s is not rigorous and is missing some subscripts and stuff.
    49 P1s and an eyewatering 748 P2s

    Simplified networking and collapsable subnets => 2(n-1) P1 and 2(n-1) P2
    14 P1s and 14 P2s - Lovely

    OK, so we don't have your network layout so can't really design it for you.  However if it was me, I'd probably start a process of network renumbering, given that you seem to be seeking a magic bullet of VPNs - this isn't one.  It should not be a really big deal.  You should be making good use of DHCP where applicable and DNS as well to remove many obstacles to doing this sort of thing.  However I have had to fix far too many bloody networks that were .... *&^^%$£ ...... whatever.

    You should now have more than enough information to decide what to do.

    Cheers
    Jon
  • IPsec VPN Tutorial (iPhone, Android, Windows, Linux)

    0 Votes
    12 Posts
    8k Views
    @andra.pocherebox: Well… Being stubborn led me to solve it by myself!  :D :D To whom it may interest: I found out that to redirect all traffic through the VPN, you gotta set up two different Phase 2s according to the picture below. Then both your LAN traffic and Internet traffic will be routed correctly through the VPN endpoint. Hope this can help! Cheers

    Here's another Kudo coming from a long-time pfSense user.  I also got bit by going from 2.0.1 to 2.2.2.  IPsec "worked", but the route-all-traffic-for-free feature went dead, and for all my Google searches I couldn't figure out how to fix it.  I'm primarily using IPsec from iOS and OSX devices, and was wondering why the hell DNS resolution of internal hosts wasn't working.  It wasn't until I deep-drilled some more that I figured out it was a default gateway problem, which finally led me to this post (which I found only by manually browsing the forums!). So thank you, thank you, thank you!

    pfSense mods: this information needs to be part of the IPsec troubleshooting page!  This is obviously a stumbling block for anyone unknowingly crossing the racoon->strongSwan transition, and I got a lot of Google hits asking how to fix this, but precious few answers.
  • IPsec VPN for OSX 10.10.3 and any iOS

    0 Votes
    17 Posts
    5k Views
    dennypage
    I have moved from PSK to certificates so I can't easily do screen shots for PSK. However if you post shots of your current config, I will be happy to try and help you. Alternatively, I can provide XML fragments for PSK if you are comfortable with that approach. I'm currently traveling, so it may be a day or two before I can respond.

    @dstroot: dennypage: I have tried unsuccessfully to replicate your setup.  Any possibility of screen shots?  I just can't seem to get it to work.
  • How to enable Traffic Flow Confidentiality (TFC)

    0 Votes
    4 Posts
    4k Views
    Hi jimp. Thanks for the response. Tried that a few days ago and it doesn't work either :/ I have checked the FreeBSD trunk out and can see that the last changes to the source code for IPsec and ESP are from 2000/2001, and the RFC that describes TFC is from 2005. So I guess some development in FreeBSD is needed to make this work.
  • IPSEC - out with specific ip

    0 Votes
    2 Posts
    678 Views
    Outbound NAT is the way to accomplish that.
  • IPSEC VPN - ZABBIX AGENT or SNMP

    0 Votes
    1 Posts
    990 Views
    No one has replied
  • IPSec + OpenVPN client

    0 Votes
    4 Posts
    1k Views
    Well… I've been trying to find a way for this configuration:

    1 ipsec server
    1 openvpn client

    Only solution I see is to use openvpn only, right?
  • Significant memory usage

    0 Votes
    6 Posts
    1k Views
    That seems really excessive. Could you PM me the output of "ipsec statusall"? 2.2.3 coming in the not too distant future, a month or less maybe. But not sure it'll solve whatever you're seeing without knowing more about it.
  • Pfsense 2.1.5 -> 2.2.2

    0 Votes
    2 Posts
    2k Views
    Have you read the release notes on changes from 2.1 to 2.2?  Have you read other posts on this forum?  Some config examples might help. Anyway, check your phase 1 settings at both ends.  If NAT is involved at either end then that may have worked 2.1 to 2.1 but won't with 2.2, you will have to set the identifiers accordingly. There is an IPSEC debugging guide here https://doc.pfsense.org/index.php/IPsec_Troubleshooting .
  • IPSec site to site and static routes

    0 Votes
    3 Posts
    915 Views
    Thank you, I did a test and worked fine. Best regards Kostas
  • Need to NAT private IPs to public IPs over IPSec

    0 Votes
    2 Posts
    629 Views
    dotdash
    @ttblum: I believe pfSense does have the feature to NAT over IPSec in this way. There is a BINAT option in the phase2. I haven't tried using public IPs, but it should work.

    @ttblum: I don't have very many public IPs available to use, can I pick some random IP addresses from a foreign country's IP space that we're not likely to communicate with?

    That's not gonna work, they have to be your public IPs.
  • IPSec - Keepalive

    0 Votes
    2 Posts
    1k Views
    I have the same exact issue.  pfSense ipsec to Cisco ipsec.  It's configured to use BINAT.  I have a pingable host in the field "Automatically ping host".  But pfSense does not keep the VPN alive.  I have to start pinging from a host on the network before the VPN will establish.
  • IPv6 only VPN

    0 Votes
    4 Posts
    3k Views
    Well, got it working. I tried over from another PC, which has a true IPv6 address. I can now set up the IPv6 OpenVPN tunnel. Also I can now access IPv4 resources on the LAN through the IPv6 tunnel. I gave up trying through Teredo.
  • IPSec site to site with Cyberoam UTM

    0 Votes
    2 Posts
    1k Views
    You can use the ping host functionality which will trigger that.
  • 'private key not found' when connecting IKEv2 with imported certificate

    0 Votes
    3 Posts
    2k Views
    Normally you have imported the private key into pfSense as well, right? Can you make sure of that? Also can you check if the private key has been put in /var/etc/ipsec/ipsec.d/private?
  • How to pass-through pfSense about IPSec from Linksys RV042

    0 Votes
    2 Posts
    910 Views
    Who can help me?
  • NO_PROPOSAL_CHOSEN issue

    0 Votes
    13 Posts
    16k Views
    Is this the issue I've been having? https://redmine.pfsense.org/issues/4719
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.