@jimp Thank you for your clarification. You saved me time on testing this. I guess I have to try a more difficult way.
@luckman212 I found the same tutorial, it looks like it describes pretty much the steps we need to go through to set up dual-wan.

@unsichtbarre

Install the iperf package at both ends. Use that to determine what your baseline end to end speed really is. Now run it over your ipsec tunnel. If there is a substantial difference then that needs looking into.

@derelict said in IPSec local network subnet size and NAT size error:

@mamawe As far as I know that type of NAT has never been valid on an IPsec tunnel. You can do 1:1 or Many:1 but not Many:Some_Other_Size_Many.

Maybe it wasn't clear from my answer.
I used Many:1-NAT and 1 address for our side of the VPN traffic selector.

The last two sentences referred to the peer VPN gateway.

Some implementations allow to negotiate a smaller traffic selector in phase 2 as was configured (1 address instead of a subnet). With these you don't have to change anything at the peer VPN gateway.
If the peer VPN gateway insists on using the correct traffic selector, you have to have the peer VPN configuration changed.

@betahelix Possibly
What does the ASUS documentation say about S2S?
What configuration attempts have you done? What do the logs show when you try it?

Figured it out. I had to create a firewall rule on the Netgate to allow traffic from the TPLink LAN Network exclusively. I had thought using the "LAN net" as the source would suffice, guess not.

@frika

Issue with ipsec routing

Maybe you can tell us some more details about your IPSec connection?
Which machines are these? Both pfSense?
Routed IPSec or traditional phase 2?
What shows Status > IPSec?

Show the config.

@frika issue resolved. In order for the outside routed to gain access I had to extend the subnet of the Ubuntu server-2 (ubuntu server-2 and mikrotik have to be within the same range/subnet).

@gassyantelope Our issues was on any add or change to an IPSEC configuration. The Status, IPSEC page was very slow as well, up to a minute to load. Now loads in <1 sec. 2.6.0 definitely fixed all our IPSEC setup and modify 504 errors.

@jok said in IPSec tunnel ping initialization:

Hello. I have set up a tunnel between two sites. The tunnel establishes connection perfectly.
But I obtain a strange behaviour:
If I ping from a PC1 from site A to a PC2 in site B, the ping not respond.
If I ping inmediatly from the PC2 from site B to the PC1 in site A, both pings start working.
The same with all the computers.
Some ideas? Thanks!

Hi! What rules? I have the same exact problem

https://redmine.pfsense.org/issues/12645

@konstanti These are the rules. I'm using port 1600 for the GUI. Is there anything wrong? In IPsec I have added the VPN network of 10.3.200.0/24
IPsecrule.png FWrules.png

@amrogers3 Yes, I have IPSec working just fine with Windows 7 -> 10, MacOS, iPhone and Android phones all on the same Mobile IPsec setup on a pfSense.

Mind you though - i believe I remeber there were some issues that you had to be very carefull about on 2.4.5 because it was less than capable of supporting the lastest standards.

I would strongly recommend you upgrade to 2.6 and implement your IPsec as a IKEv2 setup. Works beautifully with all the clients, and the only major drawback is in enterprise size networks because Netgate has not implemented named IP pools to assign clients to with Radius returned class info. So all clients are treated the same because you cant separate them by IP unless you create static IP return rules pr. User from radius.

@keyser Just bumping this thread out of Interest.

Does anyone know if making IPsec Road warrior “usable” in larger corporations is actually on the roadmap from Netgate, or will it just be stranded at “one pool, one ruleset for all VPN users” going forward?

The Framed-IP-Address is not a solution in larger networks due to the massive maintenance issues it brings.

@vicedriver i have the same issue on 2.6 dynamic dns client, is not updating no-ip record and the vpn clients cannot connect.

The workaround is i have configure this pfsense as vpn client, so it can connect to my static ip pfsense and gain routing to itts interface. After that, i press the button save & force update to renew.

faf4bf3a-259d-44ea-a93e-145e35feb95f-image.png

Appeared to be a states clearing issue. Please, disregard