• IPSec issues on 24.03 - sessions dropping

    Moved · 0 votes · 20 posts · 2k views · stephenw10

    If you need to create connections across the tunnel in both directions, you need a floating outbound rule with floating state binding set to allow the replies. It's shown in the doc there now.
    https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states

    So you might only add one floating rule and edit the existing IPSec rule. Two rules are needed if none existed.

  • AWS --> PfSense IPsec v1

    0 votes · 3 posts · 300 views

    @Konstanti

    My goal is to use this as my main gateway to the internet for a routable /24 (23.170.184.0) IP block and IPv6. I just have a simple test interface for now, to just get the link up (or so I thought). I use 8.8.8.8 for ping, as I don't have an EC2 to ping.

    Logs attached from AWS: aws-log.txt

    Screenshot 2024-04-26 at 16.10.05.png

  • 3100 24.03 IPSec Issues - Dynamic DNS Remote Hosts

    0 votes · 1 post · 172 views · No one has replied
  • Is there a subnet limitation on different IPSec tunnels?

    0 votes · 2 posts · 298 views · jimp

    Subnets wouldn't matter for that. The auth it's mentioning would be entirely in Phase 1, not Phase 2. The remote end is saying authentication failed so you will need to check the logs on the remote side (if possible) for any more detail about why it failed.

    In most cases it's down to something in Phase 1 either being mismatched or incorrect in some way (e.g. a config that could technically match multiple remote peers ends up matching both remotes).

  • OpenVPN interface to IPSEC with Phase2 NAT/BINAT Routing Help

    0 votes · 3 posts · 323 views

    @viragomann Thanks! You made me look at the "local networks" setting in the OpenVPN configuration, and I had the subnet mask incorrect for the OPT4 interface: /24 instead of /28. So now, connecting via OpenVPN, I have access to IPSEC interface machines with IP addresses of .97 to .110. I have two Phase2 objects on the IPSEC tunnel for two different subnet machines, and they have been working fine being accessed from the 10.22.143.96/28 subnet. No changes there or additions. Data is flowing.

  • IPSEC Site-to-Site, ping always works, tcp on random days

    0 votes · 5 posts · 406 views

    Gave up trying to troubleshoot this, took out the branch office pfsense, and connected the same VPN direct from the 4G/5G router. Worked instantly...

  • Dual WAN IPSEC mobile client

    2 votes · 2 posts · 352 views

    @Piter-0 Hello! I have the same problem! If WAN 1 fails, I still can't connect to WAN 2! If I deactivate ipsec for a short time and then activate it again, it works over WAN 2 until next time!

  • USING IPSEC WITH SPECIFIC IPS

    0 votes · 1 post · 161 views · No one has replied
  • Alias in the local network field Phase 2

    0 votes · 2 posts · 219 views

    @frog
    Not that I know. But if your subnets are successive you can state a larger subnet, which includes all or multiple at least.

    E.g. your subnets are
    10.66.20.0/24
    10.66.21.0/24
    ...
    10.66.29.0/24
    10.66.30.0/24

    So set your local network to 10.66.25.0/20, which includes 10.66.16.0 - 10.66.31.255.

    However, you will also have to configure the remote site accordingly.

  • ESP sometimes using WAN interface alias IP instead of WAN interface IP

    0 votes · 3 posts · 405 views

    Ok, I believe I've found the root cause and it was a misconfiguration.

    I have "Manual Outbound NAT" configured. This is to use a 4 address pool instead of the firewall's WAN address for NAT.

    So even though there was a wildcard "Auto Created Rule" for TCP port 500 (ISAKMP) using the WAN address, there wasn't a rule for the ESP protocol. I added a wildcard rule for ESP that used the WAN address last night, and haven't had any issues since.

    In retrospect, this makes sense, since each time I lost connection, the source address was one of the addresses in the pool. What doesn't make sense to me is that it ever used the WAN IP address. Like so many things, it would have been a lot easier to diagnose a connection that always failed than one that sometimes worked.

    I think an argument could be made that if pfsense is going to add an Auto Created Outbound NAT rule for ISAKMP, it should probably create an Auto Created rule for ESP at the same time.

  • VPN: IPsec: Mobile Groups 24.03-RC

    0 votes · 4 posts · 364 views

    @keyser That worked perfectly! Thank you guys!

  • connect pfsense with mikrotik using l2tp

    0 votes · 1 post · 170 views · No one has replied
  • Two IPSEC Tunnels to the same remote gateway

    0 votes · 1 post · 185 views · No one has replied
  • A valid remote gateway address or host name must be specified

    0 votes · 2 posts · 257 views

    @CodingCharlie said in A valid remote gateway address or host name must be specified:

    I am trying to set up an IPSec VPN but get this error. I am putting in a remote gateway address, so I am confused. Is this a bug?

    Plenty of people here have done this. So why should there be a bug?
    How did you configure the phase 1 exactly?

  • Windows 10 IPSec client connection problem

    0 votes · 6 posts · 945 views · lifeboy

    To answer my own question:

    https://forum.netgate.com/topic/148452/virtual-address-pool-in-pre-shared-keys-is-not-used-for-ipsec/9

  • 0 votes · 4 posts · 816 views

    @theshao In my case, maybe it's also more complex: I'm simulating my future tunnel needs, running one pfSense in a hypervisor and the other one on a VM hosted on Azure. So there are a lot of things that maybe I haven't considered, like the NAT of my internet provider. I'll give it a shot reproducing the setup with physical devices.

  • IPsec only connect in default gateway

    0 votes · 3 posts · 428 views

    @viragomann It is set for the firewall to configure the rules automatically.

    Both links connect, as long as it is set as the default gateway.

    I have two gateway groups, where each link is primary and the other secondary and vice versa.

    At the other end I configured the connection via DDNS.

  • IPsec tunnel established but hosts cannot ping each other

    0 votes · 14 posts · 2k views

    @fcostars Solved!
    I was cloning the IPsec configuration so I wouldn't have to type everything in again, and that way the firewall gets confused!

    Here's the tip: never clone a rule; write it out again instead!

  • There is a bug in IPSEC Configuration?

    0 votes · 1 post · 269 views · No one has replied
  • Help Me Better Understand MSS Clamping

    0 votes · 5 posts · 2k views · planedrop

    @viragomann OK this is great news, thanks for testing this, I hadn't had a chance to do that yet, helps a ton!

    I figured it wouldn't interrupt anything, or at least not for long at all, but it's incredibly nice to confirm it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.