Hi @morlock , many many thanks for your answer.

I already had configured your Phase1 parameters, but I've tried IPSec advanced and gateway ones and It works properly!

I've tested different lifetime values, 1hour, 8hours, 24hours... and it seems it works fine!

Now I'm going to test if it only depends on IPSec advanced "make-before-break" parameter, just to understand what was going on.

I'll provide feedback again.

Many thanks mate!

@maelstrom-0 said in Incredibly Slow transmission rates over Site-to-Site IPSEC VPN:

I was eventually able to solve it by backing off the encryption levels

thanks for the tip. Unfortunately no improvement for me.

@balthxzar We also had this problem and it turns out that the "bypasslan" peer config is used when we have no remote/own ID matching in phase 1. The "bypasslan" config is only used if in the advanced settings the following is active:

Auto-exclude LAN address
Enable bypass for LAN interface IP Exclude traffic from LAN subnet to LAN IP address from IPsec.

As soon as this was disabled our peer config selection failed. With fixing our IDs we got the correct "peer config selection" and PSK worked as expected.

@damo112 said in Clients connect with the same IP address:

Sorry I misspoke about ip, what I really meant was that if my ''client number 1'' takes an ip, I disconnect ''client number 1'' and I connect ''client number 2'', is it possible that he takes the same ip of ''client number 1" ?

Ah, ok, that's different.

Yes, it's possible.
The OpenVPN servers assigns IP's somewhat like a DHCP server, although I guess its just takes the first IP out of the free OpenVPN-client pool with IP's. When two clients connect, they don't have the same IP, right ?

Okay,
I think i have found the problem, in the IPsec > Pre-shared keys,
it's possible that the key you entered is blocking the connection of other workstations.
In any case this was the cause of my problem.

I share this solution if people have the same problem as me.

Bye ! =)

Three year old post saved the few remaining hair on my well scratched head. Such a simple fix - thank you!

Can no one help me or point me in the right direction?

HI, and can able to help with my issue, please... This was my Task Give In my work as I'm in my training Period

the Give to me was site to site vpn configuration between pfsense and cisco asa 5505

Pfsense(router)------(192.168.10.1)--switch--->to pfsense
Pfsense------(192.168.10.1)--switch--->to ASA5505 (the to cable give to me was from the same switch (same gateway)

lan cable 1Pfsense--wanIP(192.168.10.175) Lan IP 192.168.20.175-DG for my pc

lan cable 2 asa -- wanip (192.168.10.150) Lan IP 192.168.30.150 DG for my pc .. this was my set up

below I will mention my as cli

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.150 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.10.150 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b4d8c59ed8a5c6015eb9570342028037
ciscoasa#

for site to site conf in asa

crypto ipsec ikev1 transform-set pfSense esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.10.175
crypto map outside_map 10 set ikev1 transform-set pfSense
crypto map outside_map interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
tunnel-group 192.168.10.175 type ipsec-l2l
tunnel-group 192.168.10.175 ipsec-attributes
ikev1 pre-shared-key admin123
pls help me

I solved the problem. After installing the patch, I added Pre Shared Key on the IPsec side and the problem was resolved.

@mr_jinx

bro is that possible to installed pfsense server via vmware workstation?

hi all can i ask if is that possible when you used ipsec vpn in pfsense . im using vmware workstation in my laptop. when i tried to connect to another pfsense which is located to another site it doesn't work for me please help

My laptop connect to isp then i installed vmware workstation at my laptop then setup pfsense server.

https://forum.netgate.com/topic/144614/mobile-clients-with-otp

Last post.

@cre8toruk I'm having a similar issue with 2 different sites with a 5100 and 7100. They're both on the same ISP, and a tech there has indicated there's a firmware glitch with the modems affecting VPN / VoIP traffic... Everthing else works, pings through vpn, vpn doesn't drop, internet slows down a lot - but still up. SMB and Domain Auth seems to be affected the most. Reseting the modem seems to fix the issue for a while, but then it'll stop working for SMB shares usually some random time later.

Have you had any luck finding your issue?

@barronc Yes but they look like log spam that would do nothing to help solve a problem at "normal" layers. I troubleshoot IPsec on pfSense all day every day and the aforementioned log settings give me everything I need.

@gonecamping

I am a flipping idiot. ;-)

If I put the WAN IP as the NAT/BINAT address and then LAN as the local network, it worked. P2 still works and traffic flows from LAN to our customer network.

I did mistake when i was doing the packet capture and i realized that too late, anyway when i capture more the 100 packets (default) i see ISAKMP and ESP under WAN. Now the only question is why the rule for matching IPSEC is not working on the WAN, or precisely why it is not matching UDP 500 or UDP 4500 or ESP. Is there anything that could prevent that?

I was able to work around this by utilizing a VTI tunnel instead, using that VTI as default gateway, in parallel with static route for 192.168.0.0/24 to head to home router.

Bi-directions firewall rules allowing WAN/LAN traffic.

...adding that I now see the same "query policy ... in failed..." messages for working VTI tunnels, so that message may be a red herring as far as this issue.

@jimp I don't know about the ID, I have used the same config long time and it was was made following the netgate/pfsense guide how to setup ipsec. It's working now after clearing and re-enter the config :)

Thank you for taking your time to answer 👍

@stephenw10 any ideas?

@yathus said in Multiple VTI IPSEC tunnels with /30 on same 192.168.X.0 ?:

May be it's because one my client is not on latest version ? (2.4.4-p2)

That is likely the case. Some older versions didn't properly respect the configured subnet mask for VTI interfaces. Update both to a current version and try again.

Bump. Still haven't been able to figure this out.

Maybe an example of a running Cisco pfSense VTI tunnel connection with dynmaic routing helps:
Cisco-pfSense with VTI
Unfortunately in German but ist pretty self explaining.