• basic ipsec tunnel traffic one way.

    0 Votes
    1 Posts
    148 Views
    No one has replied
  • Child-SA only one-way

    0 Votes
    9 Posts
    3k Views
    @Konstanti I'll see what I can do.
  • 0 Votes
    4 Posts
    2k Views
    jimp
    Unfortunately it doesn't look like strongSwan will log the ID type. Not sure why, seems like it would be rather useful. Since the FortiGate is manually specifying an ID of an unknown type you might have better luck using a "Key ID" string or "User Distinguished Name" type. Put a custom string in the FortiGate side, like "fortigatevpn" and then put the same string on pfSense in the Peer identifier using one of the types I mentioned. strongSwan will automatically use the type most appropriate for the given string in most cases, but if the far side is deliberately using the "wrong" type for values in that field, it might be difficult to force a match using a string which should be a specific (different) type.
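The reply above turns on one detail: an IKE identity is a (type, value) pair, and strongSwan chooses the type from the shape of the string unless a prefix such as `keyid:` forces it. The following is an added example, not strongSwan's or pfSense's code: a simplified Python model of that inference (the `keyid:`, `fqdn:`, `email:` prefixes are ones strongSwan accepts; the DN parsing is approximated with a regex) so the FortiGate/pfSense mismatch can be reproduced. The function names, the constructed "fortigatevpn" scenario and the sample identities are this example's own.

```python
"""How strongSwan types a bare identity string (added example).

This is not strongSwan or pfSense code: it is a simplified model of the
inference strongSwan applies when an IKE identity is given as a plain string
(IP address, FQDN, e-mail, X.501 DN, "%any", or an explicit "type:" prefix),
written so the FortiGate/pfSense mismatch in the post can be reproduced.
Function names and the sample identities below are this example's own.
"""
import ipaddress
import re
from typing import Tuple

Identity = Tuple[str, str]  # (type name, value as the peer would send it)

# Explicit type prefixes (a subset of those strongSwan accepts).
_PREFIXES = {
    "ipv4:": "IPV4_ADDR",
    "ipv6:": "IPV6_ADDR",
    "fqdn:": "FQDN",
    "dns:": "FQDN",
    "rfc822:": "RFC822_ADDR",
    "email:": "RFC822_ADDR",
    "userfqdn:": "RFC822_ADDR",
    "asn1dn:": "DER_ASN1_DN",
    "keyid:": "KEY_ID",
    "any:": "ANY",
}

# Approximation of an "attr=value" element of an X.501 DN written as text.
_DN_PART = re.compile(r"\s*[A-Za-z][A-Za-z0-9]*\s*=\s*[^,]*")


def infer_id_type(value: str) -> Identity:
    """Guess the identity type from the string shape, as strongSwan does."""
    lowered = value.lower()
    for prefix, id_type in _PREFIXES.items():
        if lowered.startswith(prefix):
            return id_type, value[len(prefix):]          # explicit type wins
    if value in ("", "%any", "%any6", "0.0.0.0", "::", "*"):
        return "ANY", value
    if "=" in value:
        # "C=US, O=Example, CN=vpn" style strings are taken as an X.501 DN;
        # anything with '=' that does not parse as one falls back to a key id.
        if all(_DN_PART.fullmatch(part) for part in value.split(",")):
            return "DER_ASN1_DN", value
        return "KEY_ID", value
    if "@" not in value:
        if ":" in value:
            try:
                ipaddress.IPv6Address(value)
                return "IPV6_ADDR", value
            except ValueError:
                return "KEY_ID", value
        try:
            ipaddress.IPv4Address(value)
            return "IPV4_ADDR", value
        except ValueError:
            return "FQDN", value                          # "fortigatevpn" lands here
    if value.startswith("@#"):
        return "KEY_ID", value[2:]                        # hex-encoded key id
    if value.startswith("@@"):
        return "RFC822_ADDR", value[2:]                   # user FQDN
    if value.startswith("@"):
        return "FQDN", value[1:]
    return "RFC822_ADDR", value


def ids_match(received: Identity, configured: Identity) -> bool:
    """IKE identity comparison: type and value must both agree unless one side is ANY."""
    if "ANY" in (received[0], configured[0]):
        return True
    return received == configured


def negotiate(received: Identity, configured_string: str) -> bool:
    """Would the responder accept `received` against a peer identifier typed as `configured_string`?"""
    return ids_match(received, infer_id_type(configured_string))


if __name__ == "__main__":
    # Constructed scenario: the far side sends the bytes "fortigatevpn" typed as KEY_ID.
    from_fortigate: Identity = ("KEY_ID", "fortigatevpn")
    print("bare string   ->", negotiate(from_fortigate, "fortigatevpn"))        # False: typed as FQDN
    print("keyid: prefix ->", negotiate(from_fortigate, "keyid:fortigatevpn"))  # True
```

The bare string "fortigatevpn" has no dots, '@' or '=' and is not an address, so it is typed as FQDN; the same bytes arriving typed as KEY_ID do not match. Selecting a type on the pfSense side that yields the prefixed form is what makes the pair equal, which is why the reply suggests a Key ID string rather than fighting the inference.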
  • 0 Votes
    2 Posts
    324 Views
    Debug 1: Due to the cloud default VPC setup, the default route of the backend hosts is not set to the pfSense gateway. I am able to ping any hosts behind the gateway after setting the correct default route, and vice versa. However, any other services don't seem to work correctly. For example, ssh took more than a minute to see the prompt for checking the remote host key, and another minute to prompt for the password. It is definitely not normal to wait for minutes for the ssh password prompt, although ping responded normally. It even connected, but as if it is in slow motion, even worse than an old PBX 128k baud modem rate! I am checking the firewall rules closely for any other hints, but if the firewall is blocking, I shouldn't be able to connect at all? Or is this still a routing issue, e.g. the packet is routed incorrectly?
  • Routing between 3 Site to Site VPNs (IPSEC)

    Moved
    0 Votes
    5 Posts
    672 Views
    OK, thanks. Does anybody know where to configure the P2 entries in a LANCOM router?
  • L2TP - users cannot connect after few days of normal working

    1 Votes
    1 Posts
    310 Views
    No one has replied
  • IPsec Encryption key for debugging in Wireshark

    0 Votes
    1 Posts
    261 Views
    No one has replied
  • limits encryption domain IPSEC max 12

    0 Votes
    2 Posts
    159 Views
    jimp
    There are no limits on IPsec tunnels imposed by pfSense.
  • Client Routing table with Mobile Ipsec

    0 Votes
    2 Posts
    347 Views
    I found the reason why the routing was problematic. My local network is on the network range 10.0.0.0/24. I've created an account for a coworker; his local network range is 192.168.0.0/24. He doesn't need to add routes and he can connect to any server on the other side of the tunnel. The virtual IP pool is set to 192.168.10.0/27, which can be set under VPN -> IPsec -> Mobile Clients -> Virtual Address Pool. I've made a workaround: created a bash script:

        #!/bin/bash
        # Gateway of the first route whose destination lies in the mobile IPsec
        # virtual address pool (192.168.10.0/27); empty when the VPN is down.
        vpn_lanip=$(netstat -rn | awk '$1 ~ /^192\.168\.10(\.|\/|$)/ {print $2}' | head -1)
        if [[ -n "$vpn_lanip" ]]; then
            # Re-point the home LAN prefix (which overlaps the remote side) at the tunnel gateway.
            route delete -net 10.0.0.0/24 "$vpn_lanip"
            route add -net 10.0.0.0/24 "$vpn_lanip"
        fi

    Then created a plist file, /Library/LaunchDaemons/network.watcher.plist:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>Label</key>
            <string>network.watcher</string>
            <key>ProgramArguments</key>
            <array>
                <string>/bin/bash</string>
                <string>/Users/arno/routes.sh</string>
            </array>
            <key>WatchPaths</key>
            <array>
                <string>/Library/Preferences/SystemConfiguration</string>
            </array>
        </dict>
        </plist>

    Then activated the network watcher daemon, which performs actions if network changes are detected:

        sudo launchctl load /Library/LaunchDaemons/network.watcher.plist

    There is a slight delay for the route propagation of about 10 seconds, but it works for me.
  • How do i revoke a user certificate from PFSense?

    0 Votes
    8 Posts
    1k Views
    @johnpoz said in How do i revoke a user certificate from PFSense?:

        when do users get a cert in ipsec? Don't they just use the KEY ID as their username? Never set up ipsec with such a login before.

    I am not really sure what you mean. I create a user certificate using the CA manager within pfSense. The manager points to my own Microsoft CA server. I install that user + root certificate onto my phone and create an IKEv2 EAP-TLS (certificate) profile within strongSwan. Normally when I delete the user certificate I cannot connect anymore. With this pfSense installation I am still able to connect. (Delete / Revoke has got the same end result.)
  • Routed (VTI) ipsec and gateway groups

    0 Votes
    5 Posts
    819 Views
    jimp
    IPsec interfaces don't support reply-to yet, so it's not possible to send traffic back down a different tunnel than the one it entered.
  • Routing on Mobile IPSec Connections

    0 Votes
    3 Posts
    466 Views
    Which network do you use in P2 for your clients? The local network has to be 192.168.0.0/19 to route the traffic to all local networks through the tunnel. I want to route all traffic through my tunnel, so I use 0.0.0.0/0 and no split tunneling option on the clients. If you route only this network, you have to set split tunneling with the right network + mask on the client side.
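The post above relies on a single aggregate prefix (192.168.0.0/19) standing in for several LANs, with the same prefix and mask repeated in the client's split-tunnel configuration. The following is an added example, not pfSense's or strongSwan's code: Python helpers that compute that covering prefix for any list of subnets, list the alternative of one P2 per subnet, and show how much unused address space the aggregate pulls into the tunnel. The three sample LANs and the function names are this example's own.

```python
"""Choosing the Phase 2 "Local Network" for several LAN subnets (added example).

Not pfSense or strongSwan code. The post's point is that one P2 entry with a
supernet such as 192.168.0.0/19 carries traffic for every LAN in
192.168.0.0-192.168.31.255 through the tunnel, and that mobile clients with
split tunneling must be given that same prefix and mask. The helpers below
compute that covering prefix for an arbitrary list of subnets and show what
else it drags into the tunnel. The three sample LANs are constructed.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _as_networks(subnets: Iterable[Union[str, Net]]) -> List[Net]:
    nets = [ipaddress.ip_network(str(s), strict=False) for s in subnets]
    if not nets:
        raise ValueError("at least one subnet is required")
    if len({n.version for n in nets}) != 1:
        raise ValueError("do not mix IPv4 and IPv6 in one Phase 2 entry")
    return nets


def covering_prefix(subnets: Iterable[Union[str, Net]]) -> Net:
    """Smallest single prefix containing every subnet (their longest common prefix).

    This is the value for the P2 "Local Network" (and for the client's
    split-tunnel route) when one entry should cover all LANs. It widens to /0,
    the post's 0.0.0.0/0 "route everything" case, if the subnets share no
    leading bits.
    """
    nets = _as_networks(subnets)
    agg = nets[0]
    for n in nets[1:]:
        while not agg.supernet_of(n):   # shorten the mask until n fits
            agg = agg.supernet()
    return agg


def phase2_local_networks(subnets: Iterable[Union[str, Net]], aggregate: bool) -> List[Net]:
    """Either one aggregate P2 entry, or one P2 per (collapsed) subnet."""
    nets = _as_networks(subnets)
    if aggregate:
        return [covering_prefix(nets)]
    return list(ipaddress.collapse_addresses(nets))


def uncovered_space(subnets: Iterable[Union[str, Net]], aggregate: Net) -> List[Net]:
    """Prefixes inside the aggregate that belong to none of the LANs.

    Traffic for these is still selected into the tunnel (and matched by any
    firewall rule written for the P2 network on the far side) although no
    host answers there; worth knowing before widening a selector.
    """
    holes: List[Net] = [aggregate]
    for n in _as_networks(subnets):
        remaining: List[Net] = []
        for hole in holes:
            if n.subnet_of(hole):
                remaining.extend(hole.address_exclude(n))  # carve the LAN out
            elif hole.subnet_of(n):
                continue                                   # LAN swallows this hole
            else:
                remaining.append(hole)
        holes = remaining
    return sorted(holes)


if __name__ == "__main__":
    lans = ["192.168.0.0/24", "192.168.5.0/24", "192.168.31.0/24"]  # constructed sample LANs
    agg = covering_prefix(lans)
    print("P2 local network:", agg)
    print("per-subnet P2s:  ", phase2_local_networks(lans, aggregate=False))
    unused = uncovered_space(lans, agg)
    print("unused space pulled into the tunnel:", sum(h.num_addresses for h in unused), "addresses")
```

For the three sample LANs the aggregate is 192.168.0.0/19, so a split-tunnel client must carry exactly 192.168.0.0 with mask 255.255.224.0; a client configured with a single /24 would reach only that one LAN, which is the symptom the post describes. The per-subnet list is the alternative when the far side should not see the unused 29 /24s.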
  • pfsense VTI / Firewall Filtering

    0 Votes
    2 Posts
    381 Views
    jimp
    Unfortunately, per-interface rules do not currently function for VTI interfaces. It's a limitation in the underlying OS (either in if_ipsec, pf, or some combination of the two). Communication from a subnet like that wouldn't necessarily succeed anyhow, though, because your return routing wouldn't send it back to the "wrong" tunnel. In your example, if "Prefix A" came in from "Site-Tunnel 2" the reply traffic would go back to whichever one had the route on it, likely "Site-Tunnel 1". If you are using a routing protocol (BGP, OSPF) you could filter routes that way as well.
  • IPSEC not activating - zero packets sent to remote

    0 Votes
    2 Posts
    364 Views
    A bit more info, and a question: based on another topic where traffic was not flowing, I have disabled these parameters in IPsec > Advanced: "Auto-exclude LAN address" and "Asynch Crypto". My question: unlike each of my OpenVPN tunnels on pfSense, I don't see the IPsec tunnel creating an interface to be activated in Interfaces > Assignments. There is an IPSEC interface, and I have enabled it and given it a pass all/all/all rule in Firewall. But there is not another one specific to the tunnel I configured. Does the tunnel not need an interface? If it does, what am I missing to enable it and to give it a firewall rule to permit IP?
  • Multiple Pre-Shared Keys IPSec

    0 Votes
    1 Posts
    221 Views
    No one has replied
  • IPSec with AES-256-GCM key length

    0 Votes
    4 Posts
    2k Views
    jimp
    AES-GCM is the only exception to the way the drop-down works.
  • Forwarding over IPSec

    0 Votes
    3 Posts
    502 Views
    jimp
    The traffic would have to hit a proxy on pfSense1 for that to work. The problem is that anything on pfSense2 will need to see a source address of pfSense1 or the traffic won't return to pfSense1. So you could have haproxy on pfSense1 accept and hand off the requests to the second reverse proxy. If you were using OpenVPN then it's possible to port forward directly across, since OpenVPN will work properly with reply-to if you make the right set of rules on assigned interfaces. That doesn't work with IPsec VTI yet.
  • Same Remote Gateway but different source IP - VIP

    0 Votes
    1 Posts
    225 Views
    No one has replied
  • IPSEC tunnel up but only one way communication

    0 Votes
    1 Posts
    178 Views
    No one has replied
  • IPSec+IKEv2 and DualStack

    0 Votes
    5 Posts
    734 Views
    @viktor_g Any other suggestions?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.