I split this off into its own thread. Are you certain this worked on previous versions? It may have been silently rejected / not sent to clients. I can reproduce the config parsing problem here but I can't find any info in strongSwan about that being allowed. It may have been accepted by the old ipsec.conf config parser and now rejected by the swanctl parser. I also don't see it mentioned in the IKEv2 config payload RFC that it would be allowed. If nothing else we could add input validation to reject entering those values since they are now known not to work. I opened https://redmine.pfsense.org/issues/11446 to fix the validation.

Well, for anyone else that may run into this... the problem was that a Firewall Rule is needed. I was wrong to think that the VPN creation took care of that. Firewall Rules, IPsec is where it had to be created.

@velupazhani said in Not able to access Network Printer which is in PFSence: except Network Printer. And does this network printer have a gateway set.. I have seen it countless times on customer sites from very small.. To huge corps with hundreds of vlans - printers don't have gateway set. So no you can not talk to it from another vlan. Had 1 customer - hundreds of printers in the building. Not freaking 1 of them had a gateway.. Only reasons printers worked was of proxy arp set on their core switch.. Bet you beer - printer doesn't have gateway set ;)

@viktor_g i couldnt get anything from that link, could you please guide with more details/

@clarknova we saw this in opnsense as after switching to VTI. SMB stopped working over ipsec. hard to track down. it worked like half a year, then problems started and it was kind of reproducible. pings works, SMB browsing too. SMB access timeout. reverting to classic ipsec solved the issue. i assume we did tunnel VTI back then, although the freebsd bug mentions transport mode. maybe it hurts both modes. why i wonder how pfsense is affected by this open freebsd bug as well. i would like to use VTI soon... https://github.com/opnsense/core/issues/3674

@viktor_g Hello, I've seen that too but it didn't help me. The solution was to reconfigure the vpn to IPsec IKEv2 and everyone is happy.

Hi @morlock , many many thanks for your answer. I already had configured your Phase1 parameters, but I've tried IPSec advanced and gateway ones and It works properly! I've tested different lifetime values, 1hour, 8hours, 24hours... and it seems it works fine! Now I'm going to test if it only depends on IPSec advanced "make-before-break" parameter, just to understand what was going on. I'll provide feedback again. Many thanks mate!

@maelstrom-0 said in Incredibly Slow transmission rates over Site-to-Site IPSEC VPN: I was eventually able to solve it by backing off the encryption levels thanks for the tip. Unfortunately no improvement for me.

@balthxzar We also had this problem and it turns out that the "bypasslan" peer config is used when we have no remote/own ID matching in phase 1. The "bypasslan" config is only used if in the advanced settings the following is active: Auto-exclude LAN address Enable bypass for LAN interface IP Exclude traffic from LAN subnet to LAN IP address from IPsec. As soon as this was disabled our peer config selection failed. With fixing our IDs we got the correct "peer config selection" and PSK worked as expected.

@damo112 said in Clients connect with the same IP address: Sorry I misspoke about ip, what I really meant was that if my ''client number 1'' takes an ip, I disconnect ''client number 1'' and I connect ''client number 2'', is it possible that he takes the same ip of ''client number 1" ? Ah, ok, that's different. Yes, it's possible. The OpenVPN servers assigns IP's somewhat like a DHCP server, although I guess its just takes the first IP out of the free OpenVPN-client pool with IP's. When two clients connect, they don't have the same IP, right ?

Okay, I think i have found the problem, in the IPsec > Pre-shared keys, it's possible that the key you entered is blocking the connection of other workstations. In any case this was the cause of my problem. I share this solution if people have the same problem as me. Bye ! =)

Can no one help me or point me in the right direction?

HI, and can able to help with my issue, please... This was my Task Give In my work as I'm in my training Period the Give to me was site to site vpn configuration between pfsense and cisco asa 5505 Pfsense(router)------(192.168.10.1)--switch--->to pfsense Pfsense------(192.168.10.1)--switch--->to ASA5505 (the to cable give to me was from the same switch (same gateway) lan cable 1Pfsense--wanIP(192.168.10.175) Lan IP 192.168.20.175-DG for my pc lan cable 2 asa -- wanip (192.168.10.150) Lan IP 192.168.30.150 DG for my pc .. this was my set up below I will mention my as cli ASA Version 8.4(2) ! hostname ciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 shutdown ! interface Ethernet0/6 shutdown ! interface Ethernet0/7 shutdown ! interface Vlan1 nameif inside security-level 100 ip address 192.168.30.150 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 192.168.10.150 255.255.255.0 ! ftp mode passive object network obj_any subnet 0.0.0.0 0.0.0.0 pager lines 24 mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 ! object network obj_any nat (inside,outside) dynamic interface route outside 0.0.0.0 0.0.0.0 192.168.10.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp inspect icmp error ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:b4d8c59ed8a5c6015eb9570342028037 ciscoasa# for site to site conf in asa crypto ipsec ikev1 transform-set pfSense esp-aes esp-sha-hmac ! access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense access-list outside_cryptomap_10 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0 ! crypto map outside_map 10 match address outside_cryptomap_10 crypto map outside_map 10 set peer 192.168.10.175 crypto map outside_map 10 set ikev1 transform-set pfSense crypto map outside_map interface outside crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes hash sha group 2 lifetime 86400 exit ! tunnel-group 192.168.10.175 type ipsec-l2l tunnel-group 192.168.10.175 ipsec-attributes ikev1 pre-shared-key admin123 pls help me