You could also do this by supernetting the phase2 if your local/remote networks are all within a non-overlapping range.
In your example you could use 192.168.4.0/22 (192.168.4.0 <-> 192.168.7.255) for your local subnet on the phase 2, and 192.168.8.0/21 (192.168.8.0 <-> 192.168.15.255) for the remote subnet on the ipsec tunnel.
You would then just create firewall rules at the ipsec level to govern the /24 subnets within those networks and how they talk to each other.
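The supernetting approach described above, as an added example that is not part of the original post: it computes the covering supernet for each side, rejects the plan when the two supernets overlap, and lists the address space each supernet adds beyond the listed /24s, which the firewall rules on the IPsec interface then have to account for. The /24 lists are constructed sample values and the function names are hypothetical.

```python
import ipaddress

def covering_supernet(subnets):
    """Smallest single CIDR block that contains every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()  # widen the prefix by one bit
    return block

def unlisted_space(block, subnets):
    """Ranges inside `block` that belong to none of the listed subnets."""
    remaining = [block]
    for n in (ipaddress.ip_network(s) for s in subnets):
        kept = []
        for r in remaining:
            if n.subnet_of(r):
                kept.extend(r.address_exclude(n))  # carve n out of r
            elif not r.subnet_of(n):
                kept.append(r)  # disjoint from n, keep unchanged
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def plan_phase2(local_subnets, remote_subnets):
    """Phase 2 selectors for both sides, or ValueError if they overlap."""
    local = covering_supernet(local_subnets)
    remote = covering_supernet(remote_subnets)
    if local.overlaps(remote):
        raise ValueError(f"{local} and {remote} overlap; cannot supernet")
    return {
        "local": str(local),
        "remote": str(remote),
        # Space the tunnel selector matches although no listed /24 uses it;
        # the IPsec firewall rules decide whether any of it may pass.
        "local_extra": unlisted_space(local, local_subnets),
        "remote_extra": unlisted_space(remote, remote_subnets),
    }

# Constructed sample subnets (assumption, not taken from the thread).
LOCAL = ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24"]
REMOTE = ["192.168.8.0/24", "192.168.10.0/24", "192.168.12.0/24"]

if __name__ == "__main__":
    for key, value in plan_phase2(LOCAL, REMOTE).items():
        print(f"{key}: {value}")
```
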
I am disappointed in this forum because not one suggestion was offered. Usually, community support for stuff like this is pretty good.
Regardless, I figured it out myself. This thread can be considered closed.
That's up to what the Draytek supports. DES has been broken for ages, it should never have been in use in a modern environment. If the Draytek supports AES-128 or better, use that. Failing that, at least use 3DES.
There is a Regedit entry to change, and then you have to create the VPN adapter over PowerShell.
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
For iOS you need a Mac (depending on your setup).
I will try to make a whole guide for a setup when I have time.
Regards
Alitai
That's a clear answer.
Thanks Jim! :)
Then I have to wait until my provider supports IPv6 natively.
It should be possible with 2 pfSense then.
Many Thanks
Have a nice evening.
Regards
Alitai
Just found out that this should not be there:
Remote Network (If using a Tunnel mode):
This option (only present for non-mobile tunnels) specifies the IP Address or Network that exists on the other (remote) side of the VPN. It operates similarly to the Local Network option mentioned previously.
Removed everything and now the field is no longer there.
Problem solved!
Thanks
Regards
Alitai
Makes sense.
And thanks for posting your solution. Many people end up fixing their problems and don't come back to update their post to help other people in the future.
@derelict
I agree with you, since I have configured other tunnels with different suppliers to Oracle without using that requirement, but I saw some intermittency.
Thank you,
Ernani
I finally resolved it by installing various packages:
network-manager-strongswan (I have to download and install the 1.4 version because the stock package, 1.3, has a bug)
strongswan-plugin-eap-mschapv2
strongswan-plugin-eap-radius
strongswan-starter
libcharon-standard-plugins
libcharon-extra-plugins
libstrongswan-standard-plugins
libstrongswan-extra-plugins
Remember to restart the client before trying the connection.
Marco