• IPSEC failed to run after 2.4.4 upgrade

    33
    0 Votes
    33 Posts
    5k Views
    N
    Understood for the default strip level of the system patches package. This worked also for us and we now have a working 2.4.4 system. Thanks jimp!
  • IPSEC with RSA Failed to Establish connection

    3
    0 Votes
    3 Posts
    446 Views
    M
    Many thanks for this. I have solved the issue and managed to get this all working. For the benefit of the forum, here is what I needed to do: Create a CA on firewall A. Create a self service server certificate on firewall A using the CA on firewall A, with DN = firewall A Distinguished Name and Alternative Name = the external IP of firewall A. Create a self service server certificate for firewall B using the CA on firewall A. Export the CA and the cert of firewall B from firewall A. Import the CA and cert for firewall B on firewall B. Ensure that My identifier and Peer identifier are ASN1.
  • routed site-to-site ipsec packets loss

    1
    0 Votes
    1 Posts
    241 Views
    No one has replied
  • Site to site vpn using virtual ips

    2
    0 Votes
    2 Posts
    410 Views
    DerelictD
    @aamdevan said in Site to site vpn using virtual ips: Site 1: lan 192.168.1.0, default gateway 192.168.1.253, virtual network 192.168.20.0. Site 2: lan 192.168.2.0, default gateway 192.168.2.253, virtual network 192.168.15.0. No idea what you mean there by virtual network. Others might be able to grok it. I might need a picture drawn.
  • Vpn with different gateway

    1
    0 Votes
    1 Posts
    242 Views
    No one has replied
  • IPSec VTI to EdgeRouter

    4
    0 Votes
    4 Posts
    2k Views
    Y
    To answer my own question now: VTI tunnels cannot be set up with 0.0.0.0 as the remote peer, you must use an IP address or domain name.
  • Two Mobile IPsec tunnels, One IP

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • Can I use a Mail (FQUN) Identifier with password?

    4
    0 Votes
    4 Posts
    602 Views
    jimpJ
    You can try that but if it expects an actual IKEv2 EAP password that isn't going to work. pfSense does not have a way to setup IPsec EAP auth for site-to-site tunnels or outgoing IPsec connections.
  • IPsec VPN routing works for clients but not for traffic from pfSense

    3
    0 Votes
    3 Posts
    1k Views
    R
    Thank you, I missed that part when looking in the manual...
  • HELP! I lose internet after establishing a VPN IPsec link

    Moved
    1
    0 Votes
    1 Posts
    175 Views
    No one has replied
  • Mixed Main / Aggressive negotiation mode possible?

    6
    0 Votes
    6 Posts
    1k Views
    jimpJ
    No, though I would expect Aggressive mode to allow main to work (since it's more secure), but clearly it isn't working there given that error. You can't pick both main and aggressive in a single P1, and there isn't a way to define more than one mobile P1.
  • forceencaps switch

    2
    0 Votes
    2 Posts
    473 Views
    jimpJ
    In the P1 settings set NAT Traversal to force. That will put forceencaps = yes in the config for that tunnel.
  • ipsec tunnel - no traffic from client side

    1
    0 Votes
    1 Posts
    272 Views
    No one has replied
  • IPSEC Permission? issue…

    16
    0 Votes
    16 Posts
    6k Views
    DerelictD
    Start your own thread.
  • IPSEC Encryption Proposals don't change

    3
    0 Votes
    3 Posts
    495 Views
    M
    I found it configured the encryption settings properly for phase 1 when the configuration for phase 2 was done. Thanks for the follow up. The issue was just me not configuring the VPN properly.
  • VPN IPsec site_to_site with Cisco router issue

    5
    0 Votes
    5 Posts
    897 Views
    A
    C2811 is not a Cisco ASA, but try to follow this guide: IPsec between pfSense and Cisco ASA. Setting up a cross-vendor IPsec VPN is sometimes tricky, due to differences in protocol implementations. There are several important nuances here: Do not use auto-negotiation at all. Set certain parameters manually; usually it is aes128-sha1 and pfsgroup 2 or 5. Make sure the P2 settings describe exactly the same networks, because ASA demands that the IPsecProxyID be the same on both devices; it is composed from the P2 networks, so they must be the same. E.g. local:10.0.0.0/24 remote:10.1.0.0/24 on one side and local:10.1.0.0/16 remote:10.0.0.0/24 on the other is wrong, even though formally network connectivity is possible for them in some way. Cisco ASA uses a list of policies for matching a possible policy. This might cause an additional problem. Set the certain policy at the top of the list, e.g. esp-aes128-sha1 pfsgroup 2 has to have the 1st sequence number.
  • VPN over VPN?

    10
    0 Votes
    10 Posts
    2k Views
    E
    Thanks, I needed this and could make it work too.
  • 0 Votes
    9 Posts
    2k Views
    E
    Here is my solution. The VPN connection is used to call web services (SOAP) of the remote site. To check every connection I created a class derived from SoapHttpClientProtocol, from which the web service references are derived, and edited all service references to derive them from the new class NWSoapHttpClientProtocol. C# code:

    ```csharp
    using System;
    using System.Diagnostics;
    using System.Reflection;
    using System.Web.Services.Protocols;

    // EventLogger and LogType are the poster's own logging helpers and are not shown here.
    public class NWSoapHttpClientProtocol : SoapHttpClientProtocol
    {
        // Hides the base Invoke: on the first failure, renew the local IP and retry once.
        protected new object[] Invoke(string methodName, object[] parameters)
        {
            try
            {
                return base.Invoke(methodName, parameters);
            }
            catch
            {
                RenewLocalIP();
                return base.Invoke(methodName, parameters);
            }
        }

        // Runs "ipconfig /release" and then "ipconfig /renew" in a hidden window,
        // waiting for each process to exit before continuing.
        private void RenewLocalIP()
        {
            try
            {
                ProcessStartInfo processStartInfo = new ProcessStartInfo();
                processStartInfo.FileName = "ipconfig";
                processStartInfo.Arguments = "/release";
                processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                Process process = Process.Start(processStartInfo);
                process.WaitForExit();

                processStartInfo = new ProcessStartInfo();
                processStartInfo.FileName = "ipconfig";
                processStartInfo.Arguments = "/renew";
                processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                process = Process.Start(processStartInfo);
                process.WaitForExit();

                EventLogger.Log(LogType.Information, MethodBase.GetCurrentMethod(), "Renewed Local IP");
            }
            catch (Exception ex)
            {
                // Unwrap to the innermost exception before logging its message.
                while (ex.InnerException != null)
                {
                    ex = ex.InnerException;
                }
                EventLogger.Log(LogType.Error, MethodBase.GetCurrentMethod(), ex.Message);
            }
        }
    }
    ```

    The InvokeAsync methods of SoapHttpClientProtocol can also be implemented the same way.
  • IPSEC VTI and traffic shaper

    ipsec vti qos
    2
    0 Votes
    2 Posts
    638 Views
    jimpJ
    No, you cannot use it with ALTQ. You could use limiters, however.
  • IPSec issues

    16
    0 Votes
    16 Posts
    4k Views
    DerelictD
    No idea what the Mikrotik will do but, yes, both sides need to support it. Set a maintenance window, try it, and see.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.