• IPSEC Routing & NAT - Unable to get it right

    1
    0 Votes
    1 Posts
    241 Views
    No one has replied
  • Bypassing IPsec Site to site based on source IP (PBR)

    2
    0 Votes
    2 Posts
    295 Views
    Aha! I think I've got it. By switching to VTI mode I was able to make a gateway interface for it, and then do firewall rules. Not as simple but it works.
  • Possible IPSec routing issue

    7
    0 Votes
    7 Posts
    982 Views
    @lfoerster said in Possible IPSec routing issue: So it's more intelligent to place the static route NOT on 10.10.0.251 here, but on the default gateway both .251 and .2 devices (and probably all in the 10.10.0.0 segment) have configured. Of course you were correct. I put a static route in the default GW on our side and it started to work immediately. I do have to admit it gets me a little confused though, since I've been using static routes on clients before. And, while it says it's a headache when administering multiple clients (which we don't), this article says it should work: https://docs.netgate.com/pfsense/en/latest/book/ipsec/site-to-site.html Anyway, thanks a million!
  • troubleshoot packet flow in ipsec

    1
    0 Votes
    1 Posts
    166 Views
    No one has replied
  • IPsec Passthrough

    1
    0 Votes
    1 Posts
    390 Views
    No one has replied
  • IPSec VPN & load balancing with two DSL connections

    3
    0 Votes
    3 Posts
    352 Views
    @jimp thanks for the tips. I think that's a bit complicated for our needs certainly right now and certainly last minute like it currently is. Any ideas why I can't create another IPsec tunnel and point it at the other DSL connection? I mean I can but the authentication options don't allow me to point it at my RADIUS. I only have Mutual PSK and Mutual (something else) as options in the drop-down... I had hoped I could set up another IPsec tunnel tied to the second DSL connection, but it doesn't seem to let me.
  • L2TP/IPSEC problem with native Android VPN client

    1
    0 Votes
    1 Posts
    771 Views
    No one has replied
  • Set up a ikev2 site to site I keep getting error

    4
    0 Votes
    4 Posts
    926 Views
    @lfoerster thank you very much sir.
  • Routing openvpn - ipsec

    3
    0 Votes
    3 Posts
    430 Views
    And here is the solution to that working with 2 different VPN protocols and keeping them transparent to both sites: https://administrator.de/content/detail.php?id=534696&token=421#comment-1420225 and also here: https://administrator.de/content/detail.php?id=534696&token=421#comment-1420401 That works without any errors!
  • IPSec Mobile to an other network IPSEC

    5
    0 Votes
    5 Posts
    686 Views
    @lfoerster Thank you very much, that's perfect. Everything works perfectly! I still had to do an "f-route" as administrator to make it work. As well as a reboot of my "client" machine, of the IPsec service but also of each tunnel. You are an extraordinary person, thank you very much.
  • L2tp does not have access to another subnet.

    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • Site To Site Vpn using ipsec ikev2, how to troubleshoot

    3
    0 Votes
    3 Posts
    525 Views
    Thank you sir. Sadly I have only access to the web interface. So I have found that I can see that output initiating the connection from: Status -> Ipsec -> connect and then reading the logs in: System -> System Logs -> Ipsec. Thank you for your answer though, that is really useful if I will be able to ssh into the device.
  • L2TP VPN maximum concurrent connections limit?

    l2tp vpn
    7
    0 Votes
    7 Posts
    2k Views
    Thanks, I will look into setting up OpenVPN instead.
  • Significant IPsec VTI interface out errors

    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
  • L2TP/Ipsec VPN with CARP IP

    3
    0 Votes
    3 Posts
    456 Views
    Unfortunately we were trying to connect a Draytek Vigor 2830 which doesn't seem to support IKEv2. But we couldn't get it working with the non-CARP IP anyway. Thanks for your help.
  • [Solved] IPSec doesn't work if behind NAT

    4
    0 Votes
    4 Posts
    3k Views
    Thanks for your reply but I've already read this page and my problem doesn't appear on it. I've just found the solution, it's just a bug in Windows 10. You just need to add a reg key like this: REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f Restart your computer and all works like a charm! And honestly for me L2TP/IPSec is the best clientless VPN solution (my users can't install client so OpenVPN is not a possibility). Regards,
  • Multiple connections only work with mobile devices, but not PCs

    2
    0 Votes
    2 Posts
    349 Views
    bump
  • IPSec/IKEV2 SMB performance issue

    6
    0 Votes
    6 Posts
    2k Views
    @jimp And it came back. I'm wondering if it has something to do on the client site (behind a Comcast/Xfinity residential router). The server direct on a 1GB's dedicated connection. I'm guessing that either my workstation (Windows 10) or the router is somehow fragmenting the packets or something. It gets spurts where it hits like 2-5MB/sec then back down to exactly 355KB/sec. What would be a good way to test this on the Windows 10 client side of things? I don't know much about the tools for testing fragments or IPsec.
  • Mobile IPSec VPN using RADIUS and Windows NPS service

    2
    0 Votes
    2 Posts
    378 Views
    @mobydick426 said in Mobile IPSec VPN using RADIUS and Windows NPS service: / password are not recognized. NPS didn't log anything on eventlog and Windows 10 logs an error 691 Did you ever find a resolution to this? I am seeing the same issue. RADIUS users test out fine in diagnostics but I can't get any users to authenticate. If I used MSCHAPv2 with the user/preshared key, everything is good (so I know IKEv2 is working as expected). When I flip mobile client and phase 1 to RADIUS then nothing works.
  • How do I bring up a tunnel from a client on an adjacent network?

    1
    0 Votes
    1 Posts
    128 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.