• IPsec Tunnel goes down with end of SA Lifetime - SOLVED!!!

    0 Votes
    5 Posts
    4k Views
    SOLVED!!!! Searching for answers I stumbled on another post that was having the same problem. And it pointed me to a problem in my setup… I had PFS enabled on the pfSense and disabled on the USG. Thanks to those that stopped to help, hopefully this post will help someone in the future. Scot
  • What is proper way to add P2 routes for additional networks?

    0 Votes
    3 Posts
    430 Views
    @jimp Thank you. Perfect explanation and I think you may have solved my issue. I was not doing the P2 segments at the hub correctly. I didn't have any P2 entries with links between remote offices. I kept trying to create them with the hub as the distribution point.
  • IPsec slow even on direct local Gbps link

    0 Votes
    5 Posts
    878 Views
    @lguy2000 I didn't try those particular settings yet. I'm testing on 1gb WAN to WAN. Both sides on ATT fiber and only getting about 60Mbps tops. Phase 1 is AES128-GCM, 128 bit with AES-XCBC hash on DH14 Phase 2 is AES128-GCM, 128 with no hash, DH14
  • How to measure IPSec tunnel throughput using Iperf3 and UDP protocol

    0 Votes
    1 Posts
    177 Views
    No one has replied
  • IPsec IKEv2 with two P2 - traffic selectors unacceptable

    0 Votes
    2 Posts
    965 Views
    jimp
    What do the lines for the network(s) look like in /var/etc/ipsec/ipsec.conf on both sides? What does ipsec statusall show on both sides? This is probably one of many things fixed by the IPsec swanctl conversion on 2.5.0, but you may not want to make that leap on production systems yet.
  • (SOLVED) IPSec with VPN clients

    0 Votes
    6 Posts
    707 Views
    I solved it! As suspected the problem was in the second P2 that is dealing with the VPN subnet. Each P2 should have a match on the other site but mirrored. And since I needed: VPN clients connected to Office A to be able to access machines in Office B LAN, and VPN clients connected to Office B to be able to access machines in Office A LAN. This required a third pair of P2 on both sides. [image: 1578251647497-ipsec_p2_final.png] Thanks @netblues for the ideas!
  • Multiple P2's show on PFsense to PFsense connections with same routes??

    0 Votes
    3 Posts
    495 Views
    WB3FFV
    So looking at the VPN config screen (I use IKEv2), I see under advanced options for Disable Rekey, and Disable Reauth, along with a margintime setting. Is this saying that I just need to select "disable rekey" to make this work correctly??
  • IPSec with remote subnet that's also another local subnet

    0 Votes
    1 Posts
    305 Views
    No one has replied
  • How to let PFsense IPsec "Route Vti" interface response to PING?

    0 Votes
    3 Posts
    953 Views
    bluegrass-168
    @jimp This works, thanks! [image: FGTest.jpg]
  • Mobile IPsec clients cannot see traffic from LAN

    0 Votes
    2 Posts
    295 Views
    Derelict
    My first thought is your USB ethernet is misbehaving. How is your IPsec tunnel configured?
  • 0 Votes
    2 Posts
    315 Views
    jimp
    If you have them configured on a P1 or P2 they should be proposed and used if needed. You'll need to show the contents of your /var/etc/ipsec/ipsec.conf and the related IPsec logs to tell anything for sure.
  • IPsec unidirectional traffic with P1 remote gateway 0.0.0.0

    0 Votes
    2 Posts
    344 Views
    I missed an important detail. Topology of IPsec is VTI routed.
  • Change IP address

    0 Votes
    12 Posts
    2k Views
    NogBadTheBad
    @kidlat020 said in Change IP address: This subforum seems to be the closest topic to my problem. Please move if not. I'm running a net cafe. Somebody from my customer pool was using maphack, and unfortunately it resulted in an IP ban. This means anybody (myself included) is banned from connecting to the game as far as the covered IP is concerned. And yes, my net cafe is under the pfsense area of influence. I tried logging in using a wireless connection (outside pfsense area of influence) and successfully logged in. Even though both were using the same ISP. (if anyone's curious, this game was RGC.) Is there any way to change my IP? My current setup if this will help: pfsense LAN IP: 192.168.0.1 pfsense WAN IP: 192.168.1.10 edit: changing LAN IP or WAN IP solved nothing. this is starting to feel weird. Changing your WAN IP won't do anything as it's an RFC1918 address.
  • IPSec tunnel between two local subnets (no Internet)

    0 Votes
    4 Posts
    530 Views
    @rodak said in IPSec tunnel between two local subnets (no Internet): Is this a proper setup, or my way of thinking is wrong? Yep, that's perfectly correct! You can use either IPsec VPNs or an OpenVPN based VPN. The pfSense gives you both options!
  • L2TP/IPsec VPN setup - need help

    0 Votes
    4 Posts
    647 Views
    havastamas
    Update: I followed this article and set up VPN: link Now, I have a VPN that works with my Android phone, but my Windows 10 PC can't connect to it. The Windows 10 log says 788 error when I try to connect to the server. The ipsec log:
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (368 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ SA V V V V V V ]
    Dec 23 18:34:38 charon 07[CFG] <5> looking for an IKEv1 config for 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79...2a01:36d:1000:2bbe::1003
    Dec 23 18:34:38 charon 07[CFG] <5> candidate: %any...%any, prio 24
    Dec 23 18:34:38 charon 07[CFG] <5> found matching ike config: %any...%any with prio 24
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    Dec 23 18:34:38 charon 07[IKE] <5> received MS NT5 ISAKMPOAKLEY vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> received FRAGMENTATION vendor ID
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: fb:1d:e3f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Dec 23 18:34:38 charon 07[IKE] <5> 2a01:36d:1000:2bbe::1003 is initiating a Main Mode IKE_SA
    Dec 23 18:34:38 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
    Dec 23 18:34:38 charon 07[CFG] <5> selecting proposal:
    Dec 23 18:34:38 charon 07[CFG] <5> proposal matches
    Dec 23 18:34:38 charon 07[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Dec 23 18:34:38 charon 07[CFG] <5> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Dec 23 18:34:38 charon 07[CFG] <5> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
    Dec 23 18:34:38 charon 07[IKE] <5> sending XAuth vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> sending DPD vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> sending FRAGMENTATION vendor ID
    Dec 23 18:34:38 charon 07[ENC] <5> generating ID_PROT response 0 [ SA V V V ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (140 bytes)
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (180 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ KE No ]
    Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:34:38 charon 07[ENC] <5> generating ID_PROT response 0 [ KE No ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (164 bytes)
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (92 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ ID HASH ]
    Dec 23 18:34:38 charon 07[CFG] <5> looking for pre-shared key peer configs matching 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79...2a01:36d:1000:2bbe::1003[2a01:36d:1000:2bbe::1003]
    Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:34:38 charon 07[IKE] <5> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Dec 23 18:34:38 charon 07[IKE] <5> queueing INFORMATIONAL task
    Dec 23 18:34:38 charon 07[IKE] <5> activating new tasks
    Dec 23 18:34:38 charon 07[IKE] <5> activating INFORMATIONAL task
    Dec 23 18:34:38 charon 07[ENC] <5> generating INFORMATIONAL_V1 request 3049540974 [ HASH N(AUTH_FAILED) ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (92 bytes)
    Dec 23 18:34:38 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CONNECTING => DESTROYING
  • 0 Votes
    2 Posts
    297 Views
    [Solved] VPN-->IPsec-->Mobile Clients-->Client Configuration-->Network List: [uncheck] Provide a list of accessible networks to clients
  • IPSec site to site to 2 Merakis. One works, one doesn't?

    0 Votes
    1 Posts
    195 Views
    No one has replied
  • What clue did I miss?

    Moved
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • IPSEC tunnel does not recover when internet connection is restored

    0 Votes
    1 Posts
    234 Views
    No one has replied
  • Tunnel issue with Pfsense on premise to aws

    0 Votes
    2 Posts
    2k Views
    jimp
    @tbaror said in Tunnel issue with Pfsense on premise to aws:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
    Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.