• IPv4 VTI tunnel - set network mask

    vti
    3
    0 Votes
    3 Posts
    802 Views
    M
    @jimp said in IPv4 VTI tunnel - set network mask: It is intended to assume /30 there since it's point-to-point. Though I could see how /31 might work for some. We recently did fix a bug here, https://redmine.pfsense.org/issues/10418, but that was after 2.4.5 was created. Ok, then I know why. In 2.4.5 you could change the mode to tunnel, change the type to network, then fix the mask, then switch back to VTI and save. We might have to revisit https://redmine.pfsense.org/issues/10418 before the next release yet. The work-around works. I can live with that for now. Thanks for the hint. Edit: the assigned interface does not seem to come up. I changed this particular tunnel to be a /30 to check. The interface does not show up when calling "ifconfig" from the command line. It can be assigned under "Interfaces / Interface Assignments". The IPsec tunnel shows as up in the IPSec status tab. -> New thread for this issue as I see it with a separate tunnel as well: https://forum.netgate.com/topic/152246/interface-ipsec6000-not-being-added-for-vti-tunnel
  • 0 Votes
    2 Posts
    679 Views
    jimp
    If this is in IPsec tunnel mode, then you'll need a route setup like https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html to nudge the firewall to use the LAN as the source address when sending traffic through IPsec from the firewall itself. VTI mode IPsec would work much better, but the traffic would be sourced from the VTI interface address so you'd need to account for that in the firewall rules/other config on the remote end.
  • L2tp Not Working - Connection In Progress (Windows 10)

    2
    0 Votes
    2 Posts
    334 Views
    jimp
    Read the warning at the top of the page: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html
  • IPSec - Windows RADIUS - Administrator Alert - Error Code 5010

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • L2TP / IPSEC, limited number of users.

    7
    0 Votes
    7 Posts
    708 Views
    humaxoid
    @viktor_g L2TP Log file is attached l2tp.txt I think it depends on the load on the channel, but not on the number of connections. At the moment, 21 users are connected.
  • IPSec VPN Windows SMB issues

    4
    0 Votes
    4 Posts
    3k Views
    ?
    Finally found a fix for this. Adding a route as suggested by @corradolab was unnecessary as it turns out. This problem was irking me to no end as all other traffic was working well except SMB. I'd tested HTTP, FTP, ping etc. to the LAN and all were working fine - just not SMB, and only SMB on Windows (macOS clients were fine). I thought I might be running into this bug: https://redmine.pfsense.org/issues/8964 But it actually turned out to be something in the way Windows authenticates to the server. To fix, you need to go to the Windows Credential Manager and add in the credentials for the SMB server before trying to connect. After that it all works fine.
  • Connection P2 not stable

    1
    0 Votes
    1 Posts
    279 Views
    No one has replied
  • macOS IKEv2 clients disconnecting

    2
    0 Votes
    2 Posts
    622 Views
    ?
    The problem seems to be the macOS and iOS clients. I found the answer in this thread here; https://forum.netgate.com/topic/113422/ikev2-child-sa-beware-phase-2-dh-on-macos-ios The answer seems to be to enable Perfect Forward Secrecy in the Apple Configurator profile.
  • IPSEC disconnect after 1 minute

    5
    0 Votes
    5 Posts
    2k Views
    D
    Another question. I have a client that connects from the outside, and needs to connect with a VPN to the existing IPsec. What VPN should I create on pfSense? L2TP? Is there any guide? Thanks
  • IPSec pfSense to Unifi USG

    5
    0 Votes
    5 Posts
    933 Views
    jimp
    @orangehand said in IPSec pfSense to Unifi USG: As I posted elsewhere, you CANNOT test the VPN via the UI Ping utility. It always fails. You need to test the tunnel using endpoints. I am assuming this is a small bug? Not a bug. If you are testing an IPsec tunnel and want to test from LAN to LAN you have to tell ping to source using an address in the LAN. If you leave it at the default it will follow the routing table and attempt to leave WAN (in most cases). So pick the LAN or whatever local interface has an address which will pass through the IPsec tunnel. So it's doing exactly what it was told to do. That may not be what you wanted it to do, but it has no way to know that.
  • 0 Votes
    3 Posts
    376 Views
    S
    IT WILL WORK, BECAUSE OUR COMPETITOR HAS ALREADY DONE THAT
  • Routing over IPSec is not working fine.

    1
    0 Votes
    1 Posts
    216 Views
    No one has replied
  • pfSense 2.4.4->2.4.5 IPsec peer-to-peer broken

    4
    0 Votes
    4 Posts
    1k Views
    jimp
    Probably because we fixed this: https://redmine.pfsense.org/issues/9243 It worked before because, technically, both sides were misconfigured :-)
  • IPSec mobile CARP

    17
    0 Votes
    17 Posts
    1k Views
    jimp
    That is not related to this thread, start a new thread for each of those questions separately.
  • IPSec Routed (VTI) : Works great but lot of errors in log msg

    4
    1 Votes
    4 Posts
    441 Views
    M
    This seems to be somewhat expected with VTIs and nothing to be too concerned about https://forum.netgate.com/post/795763
  • IPSEC mobile AUTHENTICATE

    3
    0 Votes
    3 Posts
    430 Views
    Y
    [image: 1585304017390-c62931b1-b5a5-4152-98d7-656347d1867d-image.png] "Leftauth" is for local authentication, right? Is the pubkey value correct?
  • IPSEC and Port Forwarding

    1
    0 Votes
    1 Posts
    265 Views
    No one has replied
  • IPSEC Performance

    3
    0 Votes
    3 Posts
    475 Views
    K
    WAN MTU is set to 1500. MSS clamping is set to 1380. I have offloading turned off. AES-NI is not active. I'll try aes-gcm. CPUs are at 3-5% so not doing much.
  • IPsec Tunnels Not Working After Restoring from Backup

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • How to distribute connections between two wan-ip interfaces

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.