• L2TP - IPsec - blocked communication - Interface NG0

    5
    0 Votes
    5 Posts
    687 Views
    C
    Thanks Konstanti. I reload Outband and start to working. Thanks a lot!
  • IPSEC mobile client in transport mode: possible? No subnets defined somehow

    17
    0 Votes
    17 Posts
    1k Views
    K
    @sgw You can always create a static route to the server network, but it is better to do everything correctly so that the server itself sends this information to the client )))
  • Wireless Internal Protection + Remote User VPN

    2
    0 Votes
    2 Posts
    296 Views
    DerelictD
    Nowhere close to enough information to help. Detail the various parties by IP address/network. You might have to diagram it.
  • Clients in OPT1 network not reachable through tunnel

    3
    0 Votes
    3 Posts
    492 Views
    DerelictD
    If you can ping the far side pfSense interface address but not the hosts behind it it is almost always a firewall on the target host itself (think windows firewall). That or their default gateway is not the pfSense firewall. Since traffic works the other way that pretty much rules that out.
  • VPN connects but I can't access pfSense.

    9
    0 Votes
    9 Posts
    984 Views
    Z
    Thanks. As far as I can tell the WebConfigurator CA is added to my device. Not sure why this works on the LAN and Wifi, but not VPN. I'd appreciate any help with this. Thanks
  • Can a remote VPN user (client) access other VPN IPSEC site to site?

    3
    0 Votes
    3 Posts
    541 Views
    A
    Thanks! I've found a similar solution that doesn't require partner side intervention. I've added customer network in OpenVPN: Tunnel Network 10.0.2.0/24, Local Network: 10.0.1.0/24, 172.25.0.0/16. Then I've added Phase 2 with NAT: Local Network 10.0.2.0/24, NAT: 10.0.1.0/24, Remote Network: 172.25.0.0/16. It works!
  • IPsec VPN to Fortigate

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • ipsec site to site vpn

    Moved
    8
    0 Votes
    8 Posts
    736 Views
    A
    OK, matched the Encryption Algorithm and Hash algorithm and PFS key group again on both pfSense and Cisco and added LAN IP of Cisco to advanced config on pfSense to ping, and it all now works; can ping from the firewall on both sides to local internal PCs. But now need to figure out routing from local subnet of site A to local subnet of site B and vice versa.
  • IPSec traffic fails.

    10
    0 Votes
    10 Posts
    1k Views
    L
    I can't track the other side, that is the Vendor. I don't have control or access to that. I can track the connection the company location that fails, but it is up at the moment. No problems right now.
  • Amazon VPC shows connected but no traffic passes

    2
    0 Votes
    2 Posts
    233 Views
    J
    I've tried restarting the tunnels but still get zero packets through. Is this a routing issue or something else?
  • 0 Votes
    26 Posts
    4k Views
    S
    @Konstanti I attach a network diagram of my setup to make it clearer. This is what is weird: when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get any errors, just timeouts. I can access everything on the internal LAN and internet, except I cannot log in to certain webservices. When I enter my password and press login, it just stalls - the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser. However, when I am on my phone on the internal wifi over the VPN (option 2), then I click login and get redirected instantly to the dashboard of the webapp. I can also reach the webapp from outside my network as I have a reverse proxy (option 3), and this works fine. The reason I want to set up the Mobile IPSec VPN is that I want to close down the reverse proxy I have set up so that I can only access my webservices over the VPN and no longer expose them directly to the internet.
  • IPSec VTI: IPv4 Working/IPv6 NFW

    5
    0 Votes
    5 Posts
    1k Views
    MMapplebeckM
    I'm assuming this is a feature that just isn't supported by pfSense yet then. That would be a safe assumption where VTI was just introduced in 2.4.4. I'm going to test the native IPv6 P1 and see if that changes anything; if not, I'll look at some other manner of carrying and distributing my IPv6 routes. I may just end up using a GIF tunnel for my IPv6, and I should still be able to use OSPF6 on the GIF interface.
  • IPSec Mobile VPN client cannot go to OPT1 network

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD
    Yup. Windows 10 requires manual manipulation of the client routes in powershell. It's an extremely helpful feature.
  • IPSEC VTI disable gateway monitoring ?

    1
    0 Votes
    1 Posts
    315 Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    cukalC
    I click disconnect & reconnect a few times and with some luck out of 6 clicks it will register/enable the 4 P2's.
  • IPSec not following config

    6
    0 Votes
    6 Posts
    5k Views
    M
    Fixed it, Layer 8 issue... somehow mixed up the public IP addresses of the phase 1 on the Azure side. Thanks for the help though :)
  • Phase 2 Not starting until remote sends traffic

    2
    0 Votes
    2 Posts
    494 Views
    DerelictD
    The current defaults should be good. The current defaults are IKE SA, IKE CHILD SA, and Configuration Backend to Diag. Everything else Control.
  • INVALID_IKE_SPI from Cisco ASA

    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • IPSec Speed maxing at about 25mbps

    3
    0 Votes
    3 Posts
    550 Views
    F
    Thanks, it increased to about 27-28mbps average with peaks of 30mbps. Any more tips to squeeze a little more speed? Thanks!
  • routing specific packets through IPSEC gre tunnel

    gre ipsec nat packets static route
    2
    0 Votes
    2 Posts
    841 Views
    K
    @vistatech said in routing specific packets through IPSEC gre tunnel: 10.1.1.20 Hey. And why is outgoing NAT used? Try disabling it. I have a similar scheme and everything works fine without NAT. The question is, can pfSense ping the host 10.1.1.20?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.