can you share P2 subnet/IPs of both end, and firewall rule configured on IPSec interface - both ends,

@rsdu Even though the documentation states that firewall rules are added automatically, firewall log shows that incoming traffic is blocked by the "default IPv6 incoming block" rule. I added UDP Port 500 and ESP to the ruleset and there we go ...

@Mr_JinX system logs............ ipsec logs........... Unless you didn't provide the logs on purpose its impossible to say why anything happens anywhere.

After taking the screenshot, and recognizing the mismatch between the ports, I've updated the PHASE1 settings on both ends, specifying just the NAT-T port. [image: 1721305805900-0dbb0d4a-70c8-496a-87dd-bee9fa740865-image.png] Now, the ports looks coherent. SITE A [image: 1721305847630-5387557b-d330-43ec-a494-e44119f1e484-image.png] SITE B [image: 1721305874011-a0791832-6b78-4a3a-a053-f749822d43b5-image.png] Now ping works :) [image: 1721305914479-996ddfcd-d96a-4b60-9bb5-f194f3ed1fa9-image.png] [image: 1721305938523-08a81d89-236c-44e0-8ecc-26dc19d27d4e-image.png] Still open the question on why this port mismatch happened.....I've lost like 40 hours on this

@viragomann Thanks for helping me. Your tip worked for me.

@lifeboy When editing the Phase one and Phase 2 settings, only one encryption settings is enabled in both: AES256 and using SHA256 with DH14: [image: 1721142730850-72a1546e-02d3-4f89-bebe-3fc688c05aec-image-resized.png] [image: 1721142765204-937960d9-5daa-465f-a6f4-630ecdc079ac-image-resized.png]

@viragomann Hello @viragomann Please see details logs on attachment filelog-ipsec-details-pfsense.txt Thank you for your help Regards

turns out, it was me. i mistakenly upgraded the secondary node to 2.7.2, but forgot to upgrade the primary node and it was still 2.7.0. HAsync was not working due to this error, so this was not a pfsense problem, it was a me problem :)

@michmoor i've founf the problem. When my p1 have multiple p2. It always getting disconnected. I dont know why its happening on latest pfsense version.

@viragomann Before routing the traffic of Server, I would like PFSense01 and PFSense02 to ping on the VTI interfaces, because from the screenshot that I showed before on PFSense01 there are 0 outbound packets, and I don't now why

Forgot to mention Site A uses Cox Cable and Site B uses Comcast.

On the Fortinet router make sure you have the necessary firewall policies and the source/destinations for each policy are set up correctly. Please also reference my post on this thread: https://forum.netgate.com/post/1169622 The correct way to set up hub/spoke topology in multi-platform setting would be use 0.0.0.0/0 routing via IPSEC interfraces. However, this was broken in 24.03 and I'm afraid it will be broken in 2.8.0 CE as well, despite this functionality being there for years and working flawlessly.

@viragomann They are all set to any already. that was my exact thinking get them up and then tighten them down once they were up.

I thought I'd do some further testing with earlier versions of CE, specifically 2.6.0. I'm happy to report that 0.0.0.0/0 works identically to 2.7.2. That version was released in the beginning of 2022..