• IPSec connection with NAT/BINAT translation

    3
    0 Votes
    3 Posts
    1k Views
    DerelictD
    That looks fine. The other side will create a tunnel for:
    Local: 192.168.68.0/24
    Remote: 192.168.172.0/24
    There will be a 1:1 mapping between 172.16.10.0/24 and 192.168.172.0/24 on your side. If you connect from 172.16.10.135 on your side they will see it coming from source 192.168.172.135 on their side. If they connect to 192.168.172.23 they will actually get 172.16.10.23 on your side.
    You cannot ping the 192.168.172.10 address directly because it does not actually exist on the firewall itself. It is only used for NAT through IPsec. You will have to test using traffic that is actually flowing through IPsec. Pinging 192.168.172.1 from the other side (which will actually ping 172.16.10.1 on your firewall) should work as long as it is allowed by the firewall rules on your end and you are sourcing it from something in 192.168.68.0/24 on their end.
  • IPSec tunnel to Unifi USG up but no traffic passes

    6
    0 Votes
    6 Posts
    2k Views
    M
    When I make an IPsec between two pfSense routers I can ping both sides of the tunnel from the pfSense UI. Are you sure you don't still have a subtle config error or issue?
  • Route Internet Traffic over S2S VPN

    5
    0 Votes
    5 Posts
    557 Views
    L
    Perfect works a treat, thank you @Derelict
  • IPSec Blocked - Multiple PF on one LAN

    3
    0 Votes
    3 Posts
    451 Views
    ArmstrongA
    Issue solved in the end. Solution was to route WAN out on OPT1 (internet access) and add rules to allow only tunnel traffic via the IPSec wall.
  • P2 subnet overlap

    8
    0 Votes
    8 Posts
    913 Views
    W
    @JeGr said in P2 subnet overlap:
    So I could probably have two phases with identical remote network (say 192.168.0.0/24) for two different customers with different local networks (each customer its own project network) and as they are in different P1/P2 combinations they wouldn't interfere with each other?
    That matches exactly my use case! To be honest, there already was some remote subnet overlap. Normally I would ask the other end to do some NAT before IPSEC to prevent overlap, but I missed it on a couple of occasions and it just seemed to work. I asked just to make sure if it was supposed to work that way.
  • Calculating expected IPsec performance based on processor specs

    2
    0 Votes
    2 Posts
    869 Views
    kiokomanK
    I think there is, but there is always someone else that can do it for you :)

    AES Performance per CPU core for TLS v1.2 Ciphers (Higher is Better, Speeds in Megabytes per Second)

    CPU                   ChaCha20  AES-128-GCM  AES-256-GCM  AES-128-CBC  AES-256-CBC  Total Score
    AMD Ryzen 7 1800X          573         3006         2642         1513         1101       = 8835
    Intel W-2125               565         2808         2426         1698         1235       = 8732
    Intel i7-6700              585         2607         2251         1561         1131       = 8135
    Intel i5-6500              410         1729         1520         1078          783       = 5520
    Intel i7-4750HQ            369         1556         1353          688          499       = 4465
    AMD FX 8350                367         1453         1278          716          514       = 4328
    AMD FX 8150                347         1441         1273          716          515       = 4292
    Intel E5-2650 v4           404         1479         1286          652          468       = 4289
    Intel i7-2700K             382         1353         1212          763          552       = 4262
    Intel i7-3840QM            373         1279         1143          725          520       = 4040
    Intel i5-2500K             358         1274         1140          728          522       = 4022
    AMD FX 6100                326         1344         1186          671          481       = 4008
    AMD A10-7850K              321         1303         1176          685          499       = 3984
    AMD A8-7600 Kaveri         306         1246         1108          648          470       = 3778
    Intel E5-2640 v3           303         1286         1126          585          419       = 3719
    AMD Opteron 6380           293         1203         1063          589          423       = 3571
    AMD Opteron 6378           282         1138          986          561          406       = 3373
    AMD Opteron 6274           232         1054          926          524          376       = 3112
    Intel Xeon E5-2630         247          962          864          541          394       = 3008
    Intel Xeon E5645           262          817          717          727          524       = 3047
    Intel i7-2635QM            151          989          881          564          404       = 2989
    Intel Xeon L5630           225          701          610          626          450       = 2612
    Intel E5-2603 v4           236          866          754          382          274       = 2512
    AMD Opteron 2382           249          651          485          215          150       = 1750
    Intel i7-950               401          256          218          358          257       = 1490
    AMD Phenom 965             404           84           63          282          198       = 1031
    Intel Core2 Q9300          231          126          133          221          161       =  872
    AMD X4 610e                225           59           44          198          139       =  665
    Intel Core2 Q6600          173          141           79          108           77       =  578
    Intel P4 3Ghz Will         109           26           23           55           43       =  256
    Intel ATOM D525             98           51           43           28           20       =  240
    Snapdragon S4 Pro          131           41            -            -            -       =  172
    ARM Cortex A9               73           24            -            -            -       =   97

    Testing Notes:
    LibreSSL 2.5.0 (~ OpenSSL 1.0.2d)
    FreeBSD 11; Clang LLVM compiler
    AES-NI acceleration enabled if allowed by the CPU
    Speeds in megabytes per second (MB/s) per real CPU core
    8192 byte blocks
    Five (5) test runs, the average speed reported
    Snapdragon and ARM Cortex values reported by Google Developers
  • IPSEC VPN WITH NAT S2S

    4
    0 Votes
    4 Posts
    646 Views
    JeGrJ
    @flimadigital said in IPSEC VPN WITH NAT S2S:
    This ip has a configured NAT that takes everything from 192.168.249.29 and plays to the network 192.168.200.0/24
    I don't exactly understand what you mean by this, but I assume the client wants your clients to connect via a single IP (192.168.249.29) so it can create firewall rules accordingly. To do that, you have to NAT your connection in your phase 2 settings.
    Your client's P2:
    local network: 192.168.200.0/24
    remote network: 192.168.249.29/32
    etc. etc.
    Your own P2 setting:
    local network: 172.16.0.0/16
    NAT setting enabled with "address" selected: 192.168.249.29 (/32)
    remote network: 192.168.200.0/24
    Hope that clears it up and I understood correctly that you want to NAT to a single IP.
  • Valid configuration for IKEv2 VPN for iOS and OSX

    68
    0 Votes
    68 Posts
    55k Views
    I
    After a month of a working VPN my HDD was destroyed and I had no backup. I used the bad thing to turn it into something good: a clean pfSense and a perfect setup. But now I have some trouble with the encryption.
    I currently use for phase 1: AES 256 bits, SHA384, DH:20
    And for phase 2: AES 256 bits, SHA384, DH:20
    Is this secure enough? When I try to follow the tutorial it doesn't work. The hash algorithm is also grey in Apple Configurator when I choose AES-256 GCM. Where is my mistake?
  • 0 Votes
    10 Posts
    946 Views
    viktor_gV
    @0daymaster set MTU to 1380 or 1400 on both sides.
    pfSense supports AES-NI and cryptodev accelerators, see https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerator-support.html
    SG-3100 and above NetGate appliances have crypto accelerators: https://store.netgate.com/pfSense/systems.aspx
  • IPSEC Mix IKEv2 with EAP-MSCHAPv2 and XAUTH in the same box?

    3
    0 Votes
    3 Posts
    593 Views
    perikoP
    @jimp good to know, thanks jimp.
  • ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps

    16
    0 Votes
    16 Posts
    2k Views
    R
    @Derelict said in ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps:
    You absolutely need split tunneling enabled to do multiple IKEv2 selectors to an ASA. The ASA is the reason that checkbox exists in the first place. So leave that enabled.
    I figured as much and haven't turned this off.
  • Install Lifetime of Ipsec Side2Side VPN

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • IKEv1 Xauth could not connect a windows box

    7
    0 Votes
    7 Posts
    833 Views
    viktor_gV
    It seems that your IPsec network addresses are not NATed to the WAN interface IP. You need to create appropriate NAT rules.
  • Windows 10 can't connect with IKEv2 with EAP-TLS

    4
    0 Votes
    4 Posts
    935 Views
    A
    I give you a hint: https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
    AES-256-CBC and MODP2048
    Regards
    Alitai
  • Unexpected traffic hitting IPsec interface

    10
    0 Votes
    10 Posts
    975 Views
    S
    @awebster Yup, that works wonderfully. Just did it, confirmed what our docs were suggesting. Now to have a chat with that peer armed with sufficient evidence. :) Thanks for all the help on this!
  • S2S VPN not passing traffic from subnet

    1
    0 Votes
    1 Posts
    111 Views
    No one has replied
  • 0 Votes
    1 Posts
    207 Views
    No one has replied
  • Pfsense ipsec to Cyberoam traffic issue

    ipsec
    6
    0 Votes
    6 Posts
    1k Views
    P
    I tried changing the mode from Tunnel IPv4 to Route (VTI), but after the change IPsec does not connect.
  • IPSec Tunnel Issue.

    2
    0 Votes
    2 Posts
    371 Views
    dennis_sD
    I would start here.
  • how to connect other building site to main site using vpn??

    3
    0 Votes
    3 Posts
    368 Views
    O
    Just create both phases of an IPSec tunnel in one. Settings are pretty intuitive. Then do the same at the other end, matching and reversing the relevant settings. Then test using endpoints, not the UI
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.