• IPSec VPN ios client can reach local hosts but wan access shows real ip

    1
    0 Votes
    1 Posts
    158 Views
    No one has replied
  • help to solve ipsec problem

    7
    0 Votes
    7 Posts
    498 Views
    G

    @viragomann
    Oops!
    Thanks, will correct

  • IPSEC traffic getting blocked by default rules

    2
    0 Votes
    2 Posts
    211 Views
    R

    Well I believe I sorted it at this point.

    Because the old FW has multiple IPsec tunnels, a few non VTI, I couldn't enable IPsec Filter Mode.

    While looking over logs, I noticed that my traffic was entering VTI interface and leaving IPSec interface.

    So I created a floating rule for asymmetrical routing issues. All I needed to do was alter my IPSEC rules to match any/any TCP:Any, State:Sloppy.

  • Phase 2 does not stay up

    5
    0 Votes
    5 Posts
    346 Views
    M

    @michmoor I won't argue with you, be polite. That's all.

  • 0 Votes
    4 Posts
    332 Views
    DerelictD

    @adebisi Firewall > Rules, IPsec

    Rules on that tab govern what connections are allowed into your firewall from IPsec tunnels.

    There is no way to know what might be required at the other side. You'll have to work with them on that.

  • Google Cloud to pfSense VPN with BGP Dynamic Routing

    5
    0 Votes
    5 Posts
    679 Views
    C

    @michmoor

    Fairly new and green with working with pfSense. What should I change the update source for the Neighbours BGP?

  • I can ping both directions but only access servers one way...?

    18
    0 Votes
    18 Posts
    1k Views
    G

    @viragomann Well, since I couldn't get the default one to work, I tried VTI and it worked. Not sure what I did wrong with the other method but I did find VTI a bit more like the WG tunnels I have set up in the past. With the gateway and routing settings at least...

  • FTP over VPN IPSEC

    1
    0 Votes
    1 Posts
    179 Views
    No one has replied
  • 0 Votes
    8 Posts
    791 Views
    D

    @dnacom The next release would usually include the patch. You can either leave the patches installed and upgrade (will then still show the patch as installed in system patches) or revert the patches before upgrading and then upgrade as normal.

    Hope that makes sense

  • IKEv2: unable to connect Android, iOS and macOS

    1
    0 Votes
    1 Posts
    128 Views
    No one has replied
  • android ipsec vpn: "connected. not secure"

    1
    0 Votes
    1 Posts
    164 Views
    No one has replied
  • IPSEC DHCP plugin

    3
    0 Votes
    3 Posts
    306 Views
    S

    @keyser Thank you for your reply! Yes, I need those options for split routing.

    The Windows VPN client is just capable of class based routing and ignores pushed routes. So per default it just adds a class based route to the remote net and ignores everything else except ip address.

    Here is an excerpt from the Strongswan documentation:

    Split Routing since Windows 10
    Microsoft changed the Windows 10 VPN routing behavior for new VPN connections. Option "Use default gateway on remote network option" in the Advanced TCP/IP settings of the VPN connection is
    now disabled by default but can be enabled if desired. Fortunately Windows sends a DHCP request upon connection and adds routes supplied in option 249 of the DHCP reply.

    Sample configuration file for dnsmasq:

    dhcp-vendorclass=set:msipsec,MSFT 5.0
    dhcp-range=tag:msipsec,192.168.103.0,static
    dhcp-option=tag:msipsec,6
    dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0
    where 192.168.103.0 is your (internal) network. It pushes two separate routes which cover the entire IPv4 range. Gateway could be anything (set to 0.0.0.0 in an example) as it is ignored by Windows. Note that you can’t ignore DHCP routes in Windows.

    Strongswan Documentation for Windows clients

    In my opinion this can only be achieved with the dhcp plugin. So for supporting Windows clients without configuring something manually, you need dhcp.

  • IPSec VPN Client and access to office server

    3
    0 Votes
    3 Posts
    303 Views
    Q

    @viragomann said in IPSec VPN Client and access to office server:

    The settings are wrong. You need to state
    local network: 192.168.109.0/24
    remote: 192.168.89.0/24

    Remember to configure the second p 2 on the remote site as well with exchanged networks.

    Many Thanks, this is good setting, now work both Phase 2 and VPN Client has access to server 192.168.173.0/24 and to Synology 192.168.173.0/24 site.

  • Users are being disconnected at a certain time

    4
    0 Votes
    4 Posts
    367 Views
    GertjanG

    @movIT

    You are probably limited by the GUI.

    You could go here : Status > System Logs > Settings
    and change

    [screenshot]

    to something a bit bigger.

    Check also this :

    [screenshot]

    where you can set overall log file size.
    If you have many G bytes to spare, you can make these files a bit bigger.
    On very small devices : be careful.

    But you can also apply the "IT" way : you don't care about GUI ... go native access right away. Go to the source.
    Use the console, or, like everybody else, use the SSH access, and look here: /var/log/ as that is the place where logs are stored on nearly every "computer" on planet earth.
    You'll find the system.log file.

    Btw : typically, I have 20-30 lines a day in the System log file.
    So "only the last 5 minutes worth" is pretty strange : what is happening in there that your pfSense logs that much ?
    Massive logs == normally : an indication something not-ok is going on.

  • Azure pfsense one way traffic

    1
    0 Votes
    1 Posts
    143 Views
    No one has replied
  • IPSEC port forwarding issue

    4
    0 Votes
    4 Posts
    391 Views
    V

    @netgate-powdered559
    And the page works if you access it directly from the lab and from the internet if the latter is even possible?

  • IPSec is very slow between two pfsense routers

    40
    0 Votes
    40 Posts
    10k Views
    P

    @optimusprime I apply in this option:

    [screenshots]

  • Phase 2 Entries for IPSec Multi-Site Hub and Spoke

    2
    0 Votes
    2 Posts
    217 Views
    V

    @bkhiatt
    Are all phase 2 shown up as connected in Status > IPSec?

    Please post Status > IPsec > SPDs of all three sites.

  • MacOS VPN import

    5
    1 Votes
    5 Posts
    430 Views
    Sergei_ShablovskyS

    @SteveITS said in MacOS VPN import:

    Most of my Mac experience was on System 6/7. :) The double click started the import but didn't open anything.

    Ouch! Really ???
    So welcome and try “the *nix with a human face”! ;)

  • IPSEC DISCONNECTED WHILE WELL CONFIGURED

    2
    0 Votes
    2 Posts
    198 Views
    M

    @isaaclondo09
    If only there were logs provided to help us help you

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.