• OpenVPN client to remote IPsec network

    3
    0 Votes
    3 Posts
    402 Views
    S
    The problem was indeed the NAT/BINAT setting in the associated phase 2. When I set it to a single IP address, the traffic exits the local pfSense via the WAN. When I set it to None, the tunnel works but without the NAT obviously. How do I enable NAT correctly here?
  • Traffic originated by Firewall itself cannot enter IPSEC tunnel

    2
    0 Votes
    2 Posts
    354 Views
    O
    Here is the answer: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
  • Safe IKEv2 Configuration for pfSense and Windows 10 and macOS

    11
    3 Votes
    11 Posts
    11k Views
    G
    @lifespeed said in Safe IKEv2 Configuration for pfSense and Windows 10 and macOS: tup, but maybe that isn't needed? VPN/IPsecPre-Shared/Keys: I don't think it's necessary as long as the trusted key is installed. I automated that in an earlier script (which I'm still adapting, but the cert portion is relevant). I have another version which maps out multiple subnets, I just don't have access to it from here.

    ```powershell
    $Name = "NAME"
    $Server = "HOST"
    $DnsSuffix = "DnsSuffix"
    $RemoteNetwork = "xxxxxxxx/24"
    $Cert = @'
    -----BEGIN CERTIFICATE-----
    CUT AND PASTED KEY HERE
    -----END CERTIFICATE-----
    '@

    ## Add the cert
    $EncodedCert = [system.Text.Encoding]::UTF8.GetBytes($Cert)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
    ## Download the cert file
    $pfx.Import($EncodedCert);
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()

    ## Add the connection
    try {
        Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType "Ikev2" -EncryptionLevel "Required" -AuthenticationMethod Eap -SplitTunneling -AllUserConnection -RememberCredential -PassThru -DnsSuffix $DnsSuffix
    } catch [Microsoft.Management.Infrastructure.CimException] {
        ## Ignore
    }
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteNetwork
    ```
  • IPSEC FailOver Re connection time?

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • Mobile ipsec works WAN side but not LAN side?

    3
    0 Votes
    3 Posts
    452 Views
    T
    I have a 150mbps symmetric connection. Without VPN, speedtest shows the line speed, but when VPN is enabled the speed drops considerably. In both tests, I am connected at the LAN side. Without VPN [image: 1583465997704-screenshot_20200306-090605_speedtest.jpg] With VPN [image: 1583466009068-screenshot_20200306-090504_speedtest.jpg] Is there a way to improve IPSec speed? What encryption cipher should I use to get best speed on Android?
  • Multiple Concurrent VPN connection L2TP/IPsec

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • Static ip for a mobile client

    6
    0 Votes
    6 Posts
    1k Views
    T
    This seemed to have helped with the DNS issue.
  • IPSEC tunnel broken after upgrade from 2.3.5 to 2.4.4

    2
    0 Votes
    2 Posts
    192 Views
    E
    It became up after a while, I didn't change anything. Issue resolved.
  • Vpn site to site pfsense and checkpoint

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • OSPFv6 over IPsec VTIs

    6
    0 Votes
    6 Posts
    695 Views
    jimpJ
    That was only true for IKEv1 tunnels. IKEv2 tunnels can carry both. And VTI is not really a "tunnel" but routed IPsec so it's different yet.
  • IPSEC Mobile VPN routing all traffic down another IPSEC tunnel.

    2
    0 Votes
    2 Posts
    307 Views
    jimpJ
    Is the site-to-site tunnel using IKEv2? If so, check the "split connections" box in the P1 settings.
  • VPN IPSec iOS 13 VPN on Demand from App

    3
    0 Votes
    3 Posts
    389 Views
    ?
    Tutorial: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html but I had to change some options: [image: 1583178397196-ios13.jpg] [image: 1583178401665-ios132.jpg]
  • NAT/BINAT

    8
    0 Votes
    8 Posts
    2k Views
    M
    I think I found the solution! In the outbound NAT. I'll check.
  • Multi Site Multi WAN Multi VPN - Help Please

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • Draytek on dynamic IP to pfSense on static IP VPN?

    1
    1 Votes
    1 Posts
    180 Views
    No one has replied
  • 0 Votes
    1 Posts
    265 Views
    No one has replied
  • No connection to IPSec

    2
    0 Votes
    2 Posts
    202 Views
    F
    Sigh, ignore this post...it looks like the router I'm using doesn't support IPSec.
  • IPSec tunnels work for several hours to days but then stop routing traffic

    10
    0 Votes
    10 Posts
    3k Views
    D
    @nbegley I'm not sure why you disable PFS, Disable Rekey, Disable Reauth or set Responder Only. The more changes you make to pfSense's default settings, the less chance you'll keep tunnels connected. According to my test (10 years ago), Draytek is compatible with pfSense, but I suggest you do your own interoperability test.
    -- Set margin time = 30s.
    -- Set short lifetime, like 30m Phase 1 and 15m Phase 2.
    -- Do not set Responder Only. Don't Disable Reauth, Disable Rekey or turn off PFS.
    -- (Just for the purpose of testing) Use different cipher suites for Phase 1 and Phase 2 (say, DH group 15 and 14 respectively).
    If the tunnel can't be established or stops working after 1h, problem is yours. If it stops after 2 days, go after your ISP.
  • RRAS to pfSense on Azure VM. no virtual IP found for %any

    1
    0 Votes
    1 Posts
    453 Views
    No one has replied
  • 0 Votes
    1 Posts
    210 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.