• IPSEC or another technique

  • Tunnel is connected, but SMTP connections die.

  • OSPF over IPsec without GRE


    Sweet, thanks Jimp. I am sure I speak for a few people when I say we look forward to this support and appreciate the efforts of yourself and your team.

  • Anything similar to Juniper's st interface?

    jimp:

    Support for routed IPsec/VTI is in 2.4.4 snapshots. It's still being tested but it's fairly solid at the moment with no major caveats that I'm aware of.

    https://redmine.pfsense.org/issues/8544

• @jimp Thank you very much for the response! Looking forward to v2.4.4 being released :)

  • IPSEC identifier set to Distinguished name but it uses ANY

  • IPsec blocked In Egypt

    Derelict:

    Short of moving out of Egypt, probably not.

  • Issues with AWS IPSec when accessing from UAE

  • ipsec.conf not updating


    Thank you! Deleting P1/P2 and recreating them works now.

• Thx - I just registered with redmine and posted a new bug report ticket:

    https://redmine.pfsense.org/issues/8549

  • Having issues with Azure IPSec Connection

    Derelict:

    @livestrong2109 said in Having issues with Azure IPSec Connection:

    Jun 1 05:08:08 charon 14[CFG] <7> received proposals: ⬅ The other side
    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
    IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
    IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
    IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
    IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
    IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Jun 1 05:08:08 charon 14[CFG] <7> configured proposals: ⬅ Your side
    IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024
    Jun 1 05:08:08 charon 14[IKE] <7> received proposals inacceptable

    You are forcing AES GCM in the Phase 1 and the other side wants AES CBC (or 3DES).

    Based on what the other side is presenting I would probably select AES 256 and SHA256.

    Jun 1 05:08:08 charon 14[CFG] <7> no acceptable ENCRYPTION_ALGORITHM found
    Jun 1 05:08:08 charon 14[CFG] <7> selecting proposal:
    Jun 1 05:08:08 charon 14[CFG] <7> no acceptable ENCRYPTION_ALGORITHM found
    Jun 1 05:08:08 charon 14[CFG] <7> selecting proposal:
    Jun 1 05:08:08 charon 14[CFG] <7> no acceptable ENCRYPTION_ALGORITHM found
    Jun 1 05:08:08 charon 14[CFG] <7> selecting proposal:
    Jun 1 05:08:08 charon 14[CFG] <7> no acceptable ENCRYPTION_ALGORITHM found
    Jun 1 05:08:08 charon 14[CFG] <7> selecting proposal:
    Jun 1 05:08:08 charon 14[CFG] <7> no acceptable ENCRYPTION_ALGORITHM found
    Jun 1 05:08:08 charon 14[CFG] <7> selecting proposal:
    Jun 1 05:08:08 charon 14[CFG] <7> no acceptable ENCRYPTION_ALGORITHM found

    All of that is probably Azure attempting PFS groups you don't have defined. Probably more secure than PFS group 2.

  • how to disable nat-t for ipsec?

    Derelict:

    You can't disable it if NAT is anywhere in what would be the ESP path.

    There are automatic rules for IPsec tunnels as most people who define an IPsec tunnel want IKE, ESP, and NAT-T to pass between the endpoints.

    You can disable these rules in System > Advanced, Firewall & NAT, Disable Auto-added VPN rules.

• An update:

    Changing the Shrewsoft setting on the Authentication tab for "Local Identity" from "Key Identifier" (which worked for the last several years) to UFQDN (using the same string) fixed the issue for me. I consider myself lucky to have found this, but maybe it makes sense to others.

    Thanks to anybody who gave this some thought. :-)

    SJ

  • L2TP/IPSEC VPN from multiple NAT IPs

  • 2.3.5 and 2.1.5 IPSec tunnel

  • VTI support eventually?


    @awebster thanks.

    As noted, it’s coming to 2.4.4.

• jimp: FYI: We are making progress on IPsec VTI, which will let this work. It should be in snapshots in the next week or so.

  • Pfsense and ftp on vpn in IPSEC

  • IPSec tunnel is up, but can not ping the remote site (network)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.