• Ikev2 eap-mschapv2 on multiple interfaces? Possible?
    0 Votes
    2 Posts
    673 Views
    Hello, thread necromancer here with the same question. I have successfully followed this guide: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html#Create_Client_Pre-Shared_Keys, and have had an IKEv2 P1 set up for years. I have a segmented network, and allowing LAN access to loop back to the WAN interface was creating odd exceptions that allowed a LAN user to have access to services that would be blocked by normal WAN rules, so I explicitly block LAN to WAN_address from a floating rule. I now want to allow IKEv2 from LAN into secure segments, but I can only bind my P1 to one interface. No worries. I went to set up a second P1 on an accessible interface and ran into the same thing as the OP. I was presented with a 'remote gateway address' option and no EAP options. It's as if pfSense is presuming any additional P1s are always going to be a client as opposed to the already created server. I may be thinking about this wrong; any help appreciated.
  • Masquerade two different local nets into IPSEC tunnel [solved]
    0 Votes
    4 Posts
    625 Views
    iorx
    Hi, almost cross-posting here, because this needs some visibility so others don't have to waste hours finding out that Cisco may need this option with multiple phase 2s for a stable connection. Ref: https://forum.netgate.com/topic/132546/ipsec-phase2-problem-pfsense-checkpoint, a slight hijack of this thread from me. Split Connection was the solution to my problems too. IKEv2, multiple phase 2s and Cisco ASA don't play well together (a single phase 2 had no problems). This particular connection has now been stable, 14h and counting. Brgs,
  • IPSec phase2 problem - pfSense - Checkpoint
    0 Votes
    10 Posts
    2k Views
    iorx
    Hi ladies and germs. Split Connection was the solution to my problems. IKEv2, multiple phase 2s and Cisco ASA don't play well together (a single phase 2 had no problems). Split Connection is what got my connection stable, 14h and counting now. A link from the pfSense UI to the docs, or a hint in the description of the option that Cisco probably needs this when running multiple phase 2s, would have been very helpful and saved me a couple of hours. Brgs,
  • Active Phase 2s do not match traffic flowing across tunnel
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • duplicate tunnels
    0 Votes
    10 Posts
    523 Views
    I'm going to have to google some of the things you talked about. I set reauth = no and rekey = no. It's been about 2 days and so far so good: no reboots needed and no duplicate tunnels creeping up.
  • pfSense to Sonicwall with failover on Sonicwall
    0 Votes
    3 Posts
    389 Views
    @Perforado thanks for the reply! The dual gateway is on the Sonicwall, not the pfSense. What I am wondering is how to best leverage Sonicwall failover to a site pfSense IP.
  • ipsec1000 down
    0 Votes
    2 Posts
    198 Views
    Solved.
  • How to setup multiple concurrent L2TP users?
    Tags: l2tp, vpn, ipsec
    0 Votes
    2 Posts
    412 Views
    I could not find my previous post, I thought it was not posted properly; now I found it but cannot remove this one... please Admin, remove it and pardon my mistake.
  • 0 Votes
    1 Posts
    402 Views
    No one has replied
  • IKEv2 Certificate + EAP (Username/Password) and freeradius
    0 Votes
    4 Posts
    838 Views
    jimp
    Correct. You can choose from either EAP-TLS which has certificates in both directions (client and server) or EAP-MSCHAPv2/EAP-RADIUS which has user auth + clients validate server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do)
  • Multiple Concurrent VPN connection L2TP/IPsec
    Tags: ipsec, l2tp, vpn
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • Strange Problem With Copying Files on IPSec
    0 Votes
    1 Posts
    221 Views
    No one has replied
  • 1 Votes
    6 Posts
    1k Views
    kiokoman
    No idea, sorry. As jimp mentioned, 0.0.0.0 is used for other stuff inside pfSense; you need to wait for the dev to find a better solution or use DynDNS.
  • Odd One way IPSec Communication issue
    1 Votes
    10 Posts
    2k Views
    @jimp Yup, I was just typing up a response saying I found that while reviewing my post. It's always the little things. Thanks for guiding me through the troubleshooting steps! Edit: it also was set to "LAN Address" instead of "LAN Net".
  • 0 Votes
    5 Posts
    564 Views
    @jimp said in IPSEC VTI Interface neighbor MTU 1500 is larger then ipsec2000´s MTU 1400: affe8a552ef1f7b8e59f3b60fd1421aa46f45b03 Done. Thank you.
  • Voice Traffic Over IPSEC Tunnel
    0 Votes
    1 Posts
    156 Views
    No one has replied
  • IPSec/L2TP listen address 0.0.0.0 on reboot
    0 Votes
    8 Posts
    793 Views
    Was able to get internal clients connecting just by adding a host override for my VPN domain name to point to pfSense (e.g. 192.168.1.1) instead of trying to come in via the WAN IP. Not sure what I achieved in the end, but happy days..
  • 0 Votes
    9 Posts
    881 Views
    jimp
    No wonder it's broken. Every tunnel should be using a unique set of identifiers. Otherwise nothing can be distinguished from each other.
  • Route one site over IPsec
    0 Votes
    4 Posts
    510 Views
    awebster
    @unsichtbarre No, I don't think you can create a phase 2 VTI and a legacy phase 2 under the same phase 1. You would need to create a new VTI based IPSEC tunnel between sites A and B and use that exclusively. Although it might be possible to run parallel IPSEC tunnels if the endpoint IP is different at one end or the other.
  • Route all traffic through IPSec
    0 Votes
    2 Posts
    303 Views
    I figured it out! Because of the way that my gateways are configured, I had to set up a firewall rule for Site B's subnet on Site A's router under IPSec that has a gateway that is the same as my outbound NAT.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.