• IPSec mobile with EAP-MSCHAPv2 and Active Directory

    1
    0 Votes
    1 Posts
    374 Views
    No one has replied
  • IKEv2 - Cannot Connect Android, iOS & macOS

    1
    0 Votes
    1 Posts
    321 Views
    No one has replied
  • Hundreds of IPSec connections appearing

    2
    0 Votes
    2 Posts
    260 Views
    No one has replied
  • IPSEC Tunnel still says established, but stops passing traffic

    6
    0 Votes
    6 Posts
    995 Views
    DerelictD
    Ah that might do it. Cool.
  • Anyone using VTI with ASR1000 on other end

    11
    0 Votes
    11 Posts
    1k Views
    O
    @jimp Good to go against ASR1000 with that patch - tunnel is no longer bouncing. There's a secondary tunnel on the same box not coming up, but I think that's on their side (P1 up, P2 not returning any traffic though pings are going out). Regardless, I'll drop in next week after our maintenance window to let you know if they've fixed it. I don't have a good test case against other ipsec site-to-site or mobile tunnels on this test box - the only one with those is on prod :) I will do my best to spin something up on this so that you can be more confident in the patch going into -p1 :) Thanks Jim!
  • Routed IPSec (VTI) and Google Cloud

    7
    0 Votes
    7 Posts
    2k Views
    T
    I just wanted to follow up on this thread quick and mention that I did get routed IPSec (VTI) to work with Google Cloud Platform using dynamic routing. For the P2 IP addresses, one just has to use the link-local IPs provided for the BGP session (e.g. 169.254.40.1 and 169.254.40.2 in my example) and things will work fine and routes get exchanged between Google Cloud and pfSense. This article provided me with the hint: https://cloud.google.com/community/tutorials/using-cloud-vpn-with-checkpoint
  • Multiple IPSec with same remote subnets

    3
    0 Votes
    3 Posts
    2k Views
    bepoB
    @dotdash is right. If the other side has a matching network they have to configure a NAT. Maybe have a look at this page. It's originally posted in German but maybe Google translator works: https://translate.google.de/translate?hl=de&sl=de&tl=en&u=https%3A%2F%2Fsysadms.de%2F2018%2F09%2Fsite-to-site-ipsec-vpn-bei-gleichen-netzen%2F Kind regards
  • Access Internet Through VPC Using IPSec VPN Tunnel

    8
    0 Votes
    8 Posts
    862 Views
    T
    Thanks @jimp . Well, bummer. I don't think this is going to be possible since I don't really have any way to edit the routing parameters for the VPN gateway (Cloud VPN) on the other side. I suppose to make everything more straightforward, I could just install pfSense on a GCP compute instance and go from there. I saw this guide out on the net, but is there an official installation available as well on how-to available for Google Cloud? https://blog.kylemanna.com/cloud/pfsense-on-google-cloud/ Thanks again.
  • IPSEC Status Uptime - what does this mean ?

    3
    0 Votes
    3 Posts
    559 Views
    Z
    Thanks for the reply. That helps.
  • [Solved] Windows Share not working but SMB-share on Linux Server working

    11
    0 Votes
    11 Posts
    2k Views
    S
    I changed on the Phase 2 on both ends: Local network: "Network" and not "XYZ subnet". And I disabled Hardware checksum offload. Now I am able to reach the shares at least of one of the Windows 10 machines. The other machine still has a Bitdefender firewall running, that I try to turn off, to see if that also works. EDIT: I was able to turn off the Bitdefender firewall again. Voila: Shares are accessible through Tunnel. So for all Virtual Machine driven pfSense installations on Qnap: Turn off Hardware checksum offload and in IPsec tell him exactly what networks you are running. Do not trust the "XYL subnet" option.
  • Route inbound WAN traffic to server on remote tunneled network

    17
    0 Votes
    17 Posts
    1k Views
    johnpozJ
    What about just bringing up another IPsec tunnel to the other location(s) that would need to access?
  • Mobile client traffic not routing through vpn for some networks

    1
    0 Votes
    1 Posts
    289 Views
    No one has replied
  • Site to Site VPN - Cannot ping remote lan

    5
    0 Votes
    5 Posts
    807 Views
    N
    DOH!! Thanks for the second pair of eyes. The remote network was set to address instead of network. Changed that and all is working well. :)
  • IPSec for mobile users not working with strongswan-nm

    2
    0 Votes
    2 Posts
    837 Views
    M
    So, after trying a lot last weekend I finally have this working. As always, RTFM helps a lot. One problem was that I used the server cert instead of the CA cert in the client, another problem was that I somehow put in 0.0.0.0/24 instead of 0.0.0.0/0 as described in the manual. In hindsight I really don't know what I was thinking.
  • Routed IPSEC Question

    13
    0 Votes
    13 Posts
    2k Views
    N
    My issues were related to the transport network. It seems regardless of the transport network's mask (we tested with /30) it treated it like a /24. Once we moved to using a separate full 24 for each IPSEC tunnel OSPF came right up. Thank you for all of the help, this made my life a lot easier.
  • Error with AWS Wizard

    2
    0 Votes
    2 Posts
    456 Views
    jimpJ
    I pushed a fix for that just now, give it a try when the update shows up. That particular error was because the aliases section of the config was empty. I saw a few more similar pitfalls and fixed them all.
  • IPsec with Smoothwall connects but drops with traffic

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • ipsec tunnel with nat at 1 site

    2
    0 Votes
    2 Posts
    470 Views
    DerelictD
    @godfried84 said in ipsec tunnel with nat at 1 site: Site A Phase 1 My Identifier: IP address: manually set to WAN IP of Router/Firewall of ISP site B Why would you set my identifier to be the IP address of the other side?
  • 2.4.4 ipsec service doesn't start automatically

    2
    0 Votes
    2 Posts
    366 Views
    B
    Figured out a shellcmd was hanging after update that was stopping the service from starting on its own.
  • Routed IPSEC - routing internet activity from one site to another

    15
    0 Votes
    15 Posts
    2k Views
    jimpJ
    It's all routed, you can set up as many static routes as you want or even use a routing protocol like OSPF or BGP. No need to specify the networks to carry in IPsec at all.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.