• HowTo create a Site-to-Site connection with my side in Subnet?

    1
    0 Votes
    1 Posts
    314 Views
    No one has replied
  • [IPSec] Unable to force all internet traffic over IKEv1 L2L

    6
    0 Votes
    6 Posts
    698 Views
    N

    Hello,

    It was indeed this Firewall Rule.

    Once I removed the Gateway part, traffic started hitting the IPSec tunnel.

    Cheers for the help.

  • Disable old ciphers

    2
    0 Votes
    2 Posts
    546 Views
    bepoB

    @gsmithe said in Disable old ciphers:

    SHA1

    Hey gsmithe,

    I don't know your PCI scanner. Sometimes a scanner alerts at SHA1 too.
    Check your Phase1/Phase2 config. If the configuration for DES/3DES is unchecked, this is not your problem.

    Kind regards

  • Pfsense - Parameter Tunnel GRE with IPSec

    1
    0 Votes
    1 Posts
    274 Views
    No one has replied
  • Multiple child SA entries (same tunnel)

    5
    0 Votes
    5 Posts
    2k Views
    blackpaw29B

    Same issue here, 2.4.3-1

  • IPsec Broken in Latest Dev 2.4.4.a.20180705.0739

    3
    0 Votes
    3 Posts
    621 Views
    M

    Many thanks!

  • IPSEC Tunnel works only when IP is static

    6
    0 Votes
    6 Posts
    685 Views
    E

    The tunnel only works when the IP in the server is set manually, but only in the 40.0/24 segment; dynamically it doesn't work. The segment 41.0/24 does not send traffic to pfsense at all, even when the /23 is set up in Phase 2. Due to Policies and Prod environments working in other tunnels I can update the version.

  • IPsec service very slow, sometimes timeouts

    3
    0 Votes
    3 Posts
    483 Views
    C

    During the problem, the Memory usage is about 6% of 8052MiB, the cpu usage is about 30%. In Idle mode the cpu usage is at 5-10% and the RAM at 6%.
    We also have a second system (same hardware) with 24 tunnels; applying changes there takes just a second.

  • 0 Votes
    2 Posts
    803 Views
    bepoB

    @marcos-lang Could you please provide screenshots from your configuration and the ipsec status pages? Especially from SAD/SPD etc?

    The use of public IP in NAT (I believe not)? > This should work without problems.

    The difference in size of Local "real" and NAT'ed networks? > If you want to NAT your Local Network into a single ip you have to choose NAT/BINAT Type "Address" and NOT Network/32.

    Should I use /24 on NAT'ed networks and create a 1:1 relation on both ends? > No

    Should I create a VIP with the NAT'ed IP of Local Subnet (172.140.50.2/32)? > No

    Should I create a static route for the NAT'ed IP of Remote Subnet (172.140.60.2/32)? > No. Routing is ignored for IPSec

  • Issue with VTI and IPSEC (1nd July Snapshot) IKEv2 & ESP

    2
    0 Votes
    2 Posts
    602 Views
    jimpJ

    Seems very close. All of mine show RUNNING though. Make sure you have followed the proper procedure to not only create the tunnel but to assign it for use.

    https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html

  • 0 Votes
    2 Posts
    388 Views
    K

    Specifically:

    found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode

    If my P1 entry is doing Aggressive with PSK for the "My IP address" and "Peer IP address" and it matches my proposals for hash and encryption...why can't it recognize my PSK?

  • IPsec VPN Not Passing Traffic for iPhones/Macs

    3
    0 Votes
    3 Posts
    933 Views
    D

    For anyone running into this problem, after much digging I found this is actually a problem with Rogers cellular service. You need to call Rogers in the interim and have them blacklist your IMEI from using IPv6. They are working on a more permanent fix...I opened a ticket and am currently waiting for them to blacklist mine but details are at this Rogers community thread.

    http://communityforums.rogers.com/t5/Network-Coverage/Issues-with-IKEv2-IPSec-VPN-on-Rogers-LTE-3G/td-p/419136/page/8

    D

  • IPSEC VPN to Yamaha RTX-810 -- Some settings questions!

    2
    0 Votes
    2 Posts
    767 Views
    K

    I have found in the documentation that I should use "Any" rather than "any".

  • FW to FW IPSEC w/hardware AES failing

    1
    0 Votes
    1 Posts
    404 Views
    No one has replied
  • Not able to get tunnel up with Azure

    1
    0 Votes
    1 Posts
    329 Views
    No one has replied
  • IPSEC in Bridge Mode

    1
    0 Votes
    1 Posts
    523 Views
    No one has replied
  • chained ipsec tunnels and routing issues

    2
    0 Votes
    2 Posts
    402 Views
    jimpJ

    Every step needs P2 entries for every possible combination of traffic.

    On both sides of the tunnel from 1<->2, it needs P2s for 1-2 and 1-3. On both sides of the tunnel from 2<->3, it needs P2s for 2-3 and 1-3.

    Expanded a bit:

    Site 1 tunnel 1<->2 has P2s:

    Local 1 / Remote 2
    Local 1 / Remote 3

    Site 2 tunnel 2<->1 has P2s:

    Local 2 / Remote 1
    Local 3 / Remote 1

    Site 2 tunnel 2<->3 has P2s:

    Local 2 / Remote 3
    Local 1 / Remote 3

    Site 3 tunnel 3<->2 has P2s:

    Local 3 / Remote 2
    Local 3 / Remote 1
  • IPSec Status fill up with any any entries

    1
    0 Votes
    1 Posts
    347 Views
    No one has replied
  • IPsec tunnel mode with ASR

    1
    0 Votes
    1 Posts
    477 Views
    No one has replied
  • Site-to-site ipSec - route for pfsense server itself?

    4
    0 Votes
    4 Posts
    699 Views
    R

    Thanks for the info!

    I am wanting to setup remote logging to a device on the VPN network.
    I'll check out the link :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.