• 1 to 1 NAT through IPsec

    1
    0 Votes
    1 Posts
    376 Views
    No one has replied
  • IPSEC VPN restrict access

    6
    0 Votes
    6 Posts
    1k Views

    @Derelict:

    I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

    What is the Local LAN subnet?

    Hi
    Remote office network is 192.168.10.0/24
    Local LAN is 192.168.25.0/24

    I only want a couple of devices to have access via the VPN and be reachable from the VPN. These have been specified in the Office all

    Thanks

  • IPSec VPN client on Ubuntu 17.10

    1
    0 Votes
    1 Posts
    703 Views
    No one has replied
  • IPsec fails with 'No public key found'

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Double Remote Network

    4
    0 Votes
    4 Posts
    736 Views
    Derelict

    They both have to NAT if they also need to communicate with each other, btw.

  • Mobile IPSec Network Traffic

    8
    0 Votes
    8 Posts
    1k Views

    @Derelict:

    Split tunneling is more to do with the client settings than the server.

    For instance in Windows 10 I'm pretty sure you need to manually set that in PowerShell. At least in some versions.

    Sorry, no android here to test, and it too probably varies version-to-version.

    I had a feeling it may not be possible, I have just set up the internet to route through my VPN again (and tidied up my firewall rules a lot)

    Thanks for the help both of you :)

  • 0 Votes
    1 Posts
    362 Views
    No one has replied
  • Getting DNS over site-to-site IPsec VPN to Google Cloud

    1
    0 Votes
    1 Posts
    542 Views
    No one has replied
  • PfSense is blocking L2TP/IPSec even when Port Forwarding / NAT is enabled.

    13
    0 Votes
    13 Posts
    17k Views

    "How to configure an L2TP/IPsec server behind a NAT-T" MS KB did not work for us.
    Running 2.2.4-RELEASE (i386). Not planning the upgrade yet.
    We're unable to forward L2TP traffic to the server behind NAT.

    We're seeing traffic coming on port 4500, VPN connection is established, however there is no routed traffic. All NPS policies seem to be fine. No firewall rules blocking. No ACLs blocking.
    We're not seeing anything behind this server.

    Forwarded traffic:
    TCP/UDP 1701 WAN -> server
    TCP/UDP 500 WAN -> server
    TCP/UDP 4500 WAN -> server
    AH protocol WAN -> server
    ESP protocol WAN -> server

    Issue seems to be covering this thread.

    Next step is to sniff some traffic and check what is going on.
    Any ideas?

  • Site-to-site wan traffic through site B BUT with exceptions

    6
    0 Votes
    6 Posts
    1k Views

    I think I solved it by myself.

    My solution:

    IPsec Transport mode between Site A and Site B
    GRE Tunnel over the IPsec secured connection
    Custom Gateway with custom static routes.

  • IPSec PSK+XAuth Client - How to set XAuth option?

    4
    1 Votes
    4 Posts
    3k Views
    jimp

    @Daz22:

    Yes this is possible.

    VPN/IPSEC/MOBILE CLIENTS
    Enable IPSEC mobile client support

    User database
    Local database (selected)

    Save

    In your p1 entry you should now have the option under p1 proposal.

    Make sure when you create your users you go back in and add the XAUTH VPN User dial-in

    Hope this helps!

    That's the wrong direction. That sets up an Xauth server. OP wants pfSense to act as an Xauth client to a remote server.

  • Multi VLAN routing over IPsec

    5
    0 Votes
    5 Posts
    1k Views

    I wanted to see if I could get help doing the same idea but for my mobile clients. For example

    Current topology

    Network A 172.16.0.0/24
    Network B 10.0.0.0/24
    Network C 20.0.0.0/24

    I want to grant specific clients access to the specific networks via IPSEC

    Client A P2 Network 0.0.0.0/0 Default route access to all networks
    Client B P2 Network 10.0.0.0/24 Access to Lab A network
    Client C P2 Network 20.0.0.0/24 Access to Lab B network

  • IP Sec Overview

    1
    0 Votes
    1 Posts
    486 Views
    No one has replied
  • Every 8 hours ipsec does not reactivate the tunnel

    1
    0 Votes
    1 Posts
    365 Views
    No one has replied
  • Paloalto

    2
    0 Votes
    2 Posts
    399 Views

    I have working IPSEC configuration between pfSense and Palo Alto

    How can I help you?

  • Duplicate SAs with different IDs

    1
    0 Votes
    1 Posts
    355 Views
    No one has replied
  • IPsec with EAP-TLS client cert auth failing [SOLVED]

    8
    0 Votes
    8 Posts
    5k Views

    @hugh_jarse,
    thank you very much for this detailed post. I'll need some time now to work through it :P

  • Higher throughput with OpenVPN than IPSec. Can it be?

    1
    0 Votes
    1 Posts
    514 Views
    No one has replied
  • Re-establish site-to-site IPsec on failover (CARP)

    1
    0 Votes
    1 Posts
    531 Views
    No one has replied
  • IP SEC SITE TO SITE PFSENSE to ASAv using RSA

    3
    0 Votes
    3 Posts
    1k Views

    When you imported the certificate, did you also import the key?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.