• Ipsec performance

    0 Votes
    1 Posts
    484 Views
    No one has replied
  • Ipsec phase 2 not working

    0 Votes
    9 Posts
    8k Views
    Derelict

    What do you mean NAT?

    Based on this:

    access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
    access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
    access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255

    You would make three phase 2 tunnel entries:

    Local Network: Network: 172.17.7.0 /24
    Remote Network: Address: 172.17.0.254

    Local Network: Network: 172.17.7.0 /24
    Remote Network: Address: 172.17.0.4

    Local Network: Network: 172.17.7.0 /24
    Remote Network: Address: 172.17.0.51

  • Pfsense IPsec webpages not working

    0 Votes
    2 Posts
    417 Views

    Ok I think I found a solution. Somehow my HTTP(s) got dropped when using SHA512/AES256 to the Mikrotik box. When I use SHA1 and AES128, http(s) requests work fine and I am able to access the webconfigurator. Spent a lot of time finding this out, because only http(s) connections got dropped somehow.

  • PfSense not using IPSec site-to-site tunnel for routing

    0 Votes
    6 Posts
    5k Views
    Derelict

    In Status > Interfaces you will see the second interface. That is the internal interface (lan). It does not matter what the interface description is.

  • IPsec High CPU

    0 Votes
    2 Posts
    1k Views

    Not quite an answer to your question, but I'm watching this thread with curiosity.

    First of all, if you want to use AES you should activate it (in pfSense Advanced-Misc-Cryptographic hardware)

    My very limited experience with AES-NI (I just installed the proper hardware 2 days ago and am still running tests) is that with AES crypto active and using AES-GCM128 it doesn't actually push a lot more data through, but it does let the CPU breathe for other stuff.

    In other words, before I had AES-NI the router became unresponsive during large transfers, but in the end the transfer went through by sheer CPU-power. Right now, with AES-NI, the transfer is slower (even with a much faster CPU!!!) but the router stays 100% responsive to everything (SNMP, run of the mill routing, etc) - the CPU actually hovers at 3% usage during transfer, as reported by the pfSense dashboard. It used to hit 90%+ on the older non-AES-NI hardware.

    I have no idea if this is what to expect (and if so, it's disappointing, I wanted faster transfer). I don't want to hijack your thread but additional hints and tips would be welcomed and would probably help you too.

  • PFSense IPsec to Sonicwall - SMB working, DNS/PING not working

    0 Votes
    5 Posts
    1k Views
    NogBadTheBad

    You'll either need to add a rule for ICMP or change the top protocol to any if you want pings to work, as per Derelict's post.

    Status -> System Logs -> Firewall -> Normal View: if you click on the + it will add a rule, if you're not sure.

  • Pfsense as L2TP/IPSec client for VPN service provider

    0 Votes
    3 Posts
    2k Views

    Same question here again. Is there a definitive "No, it doesn't work" yet?

  • Split gateway vpn tunneling

    0 Votes
    2 Posts
    378 Views

    I have a question…do you mean OPENVPN or IPSEC on a LAN gateway so like two different subnets?

    For example:

    172.16.0.1/24

    192.168.0.1/24

    ...?  Tell us more about your config.

  • Configure pfSense as a VPN Concentrator?

    0 Votes
    9 Posts
    3k Views

    Just to provide some more detailed information.

    After the VPN is connected as described, both from the pfSense server console and from any client in the LAN 10.0.0.0/24 I can access the Internet, being able to ping both the Zywall interface to which the pfSense WAN belongs (192.168.0.254) and any other site, such as google.it.

    But when I try to ping one IP of the remote VPN side (172.16.16.122 for example), this does not work.

    I managed to have this ping to the remote VPN client working only from within the pfSense console, after changing the "Local Network" settings in the IKE Phase 2 configuration, from "Local subnet" to "Network" with address "0.0.0.0/0".

    It looks like there are still some kind of firewall issues preventing an IP in the subnet 10.0.0.0/24 from properly communicating through the VPN.
    I've already got firewall rules completely open for WAN, LAN and IPSec. I've also noticed that there is an Automatic Outbound NAT generated, from the LAN subnet to the WAN IP of the pfSense (192.168.0.51).

    What am I missing to have client-to-client VPN communication in place? Maybe some kind of port forwarding from the WAN to the LAN, for the IPSec ports?

  • IPsec VPNs for S2S and mobile clients

    0 Votes
    8 Posts
    1k Views
    Derelict

    If you use IP Alias type (probably what you want) you should use the interface subnet.

    If you use CARP type (not sure why you would) you should use the interface subnet.

    You cannot use Proxy ARP or Other because you cannot bind services on the firewall (like IPsec) to them.

  • IPsec/L2TP - Can Only Reach LAN

    0 Votes
    1 Posts
    345 Views
    No one has replied
  • IPSec LAN-to-LAN Source IP

    0 Votes
    2 Posts
    453 Views

    I managed to solve my problem by removing the routes that were added:
    route del 192.168.190.113
    route del 192.168.190.116

    Then I did:
    route add 192.168.190.113/32 -iface vtnet3
    route add 192.168.190.116/32 -iface vtnet3

    Is there any way I can do this through the webpanel?

  • PfSense to OpnSense ipsec tunnel ssh problem

    0 Votes
    4 Posts
    1k Views

    I tried setting the mtu to 1400 on the LAN interface but this had no effect on the ssh connection.

    I also set the MSS within the IPSEC settings to 1360 but again it didn't help. I never tried the WAN interface.

    I have now set the MTU to 1400 on the target servers and this has worked, however I would still prefer to find a solution that affects only the tunnel traffic.

  • IPSEC connected, works in one direction?

    0 Votes
    5 Posts
    775 Views

    I snipped some screenshots.

    First, the tunnels on my home box

    main office

    branch office

    See anything obvious? Feel free to shame me mercilessly :-)

  • Internet slowness over VPN

    0 Votes
    3 Posts
    890 Views

    I will keep that in mind as a possible bug for future builds when I am looking for issues.

    VPN performance is my number one most important thing.

  • IPSec Mobile Clients are NOT provided with a list of DNS Servers

    0 Votes
    2 Posts
    1k Views

    I second that. Even if you specify DNS Servers in MOBILE settings, they do not get added in ipsec.conf.

    RIGHTDNS got implemented in Strongswan 5.0.1.

    How can I add this variable to ipsec.conf?

  • StrongSwan problem with IPSEC

    0 Votes
    2 Posts
    1k Views

    Today it flaked out AGAIN and I had to reboot the 24.247.x.x firewall.  The Internet works, 0% latency, everything looks great BUT the IPSEC tunnel crashes and won't come up UNTIL something is rebooted.  I can restart IPSEC services until I'm blue in the face and I've got nothing UNTIL the dumb thing is rebooted.

    Good thing I didn't have to reboot the other router because that's the one with multiple sites connected to it.  The 24.247.x.x is the remote site.

    Anyone else experiencing these issues?  We didn't have these issues on the 2.3.x versions of PFSense!  These are PFSense boxes from PFSense too, the rack mounts.

  • IPSEC / L2TP VPN with Windows Client and Active Directory

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec failing Phase 2

    0 Votes
    2 Posts
    988 Views
    No one has replied
  • Mobile Client with Windows 10 Built In VPN (Domain Issues) - RESOLVED

    0 Votes
    2 Posts
    1k Views

    Fixed by adding mydomain.com to the "DNS Suffix for this connection" option in the VPN adapter on Windows

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.