  • Split gateway vpn tunneling

    2
    0 Votes
    2 Posts
    418 Views
    P
    I have a question…do you mean OPENVPN or IPSEC on a LAN gateway so like two different subnets? For example: 172.16.0.1/24 192.168.0.1/24 ...?  Tell us more about your config.
  • Configure pfSense as a VPN Concentrator?

    9
    0 Votes
    9 Posts
    3k Views
    G
    Just to provide some more detailed information. After the VPN is connected as described, both from the pfSense server console and from any client in the LAN 10.0.0.0/24 I can access the Internet, being able to ping both the Zywall interface to which the pfSense WAN belongs (192.168.0.254) and any other site, such as google.it. But when I try to ping one IP of the remote VPN side (172.16.16.122 for example), this does not work. I managed to have this ping to the remote VPN client working only from within the pfSense console, after changing the "Local Network" settings in the IKE Phase 2 configuration, from "Local subnet" to "Network" with address "0.0.0.0/0". It looks like there is still some kind of firewall issue preventing an IP in the subnet 10.0.0.0/24 from properly communicating through the VPN. I already have firewall rules completely open for WAN, LAN and IPSec. I've also noticed that there is an Automatic Outbound NAT generated, from the LAN subnet to the WAN IP of the pfSense (192.168.0.51). What am I missing to have client-to-client VPN communication in place? Maybe some kind of port forwarding from the WAN to the LAN, for the IPSec ports?
  • IPsec VPNs for S2S and mobile clients

    8
    0 Votes
    8 Posts
    2k Views
    DerelictD
    If you use IP Alias type (probably what you want) you should use the interface subnet. If you use CARP type (not sure why you would) you should use the interface subnet. You cannot use Proxy ARP or Other because you cannot bind services on the firewall (like IPsec) to them.
  • IPsec/L2TP - Can Only Reach LAN

    1
    0 Votes
    1 Posts
    385 Views
    No one has replied
  • IPSec LAN-to-LAN Source IP

    2
    0 Votes
    2 Posts
    510 Views
    M
    I managed to solve my problem by removing the routes that were added: route del 192.168.190.113 route del 192.168.190.116 Then I did: route add 192.168.190.113/32 -iface vtnet3 route add 192.168.190.116/32 -iface vtnet3 Is there any way I can do this through the webpanel?
  • PfSense to OpnSense ipsec tunnel ssh problem

    4
    0 Votes
    4 Posts
    1k Views
    P
    I tried setting the MTU to 1400 on the LAN interface but this had no effect on the ssh connection. I also set the MSS within the IPSEC settings to 1360 but again it didn't help. I never tried the WAN interface. I have now set the MTU to 1400 on the target servers and this has worked; however, I would still prefer to find a solution that affects only the tunnel traffic.
  • IPSEC connected, works in one direction?

    5
    0 Votes
    5 Posts
    932 Views
    B
    I snipped some screenshots. First, the tunnels on my home box [image: home%20box.png?raw=1] main office [image: office.png?raw=1] branch office [image: branch.png?raw=1] See anything obvious? Feel free to shame me mercilessly :-)
  • Internet slowness over VPN

    3
    0 Votes
    3 Posts
    978 Views
    K
    I will keep that in mind as a possible bug for future builds when I am looking for issues. VPN performance is my number one most important thing.
  • IPSec Mobile Clients are NOT provided with a list of DNS Servers

    2
    0 Votes
    2 Posts
    1k Views
    S
    I second that. Even if you specify DNS Servers in MOBILE settings, they do not get added in ipsec.conf. RIGHTDNS got implemented in Strongswan 5.0.1. How can I add this variable to ipsec.conf?
  • StrongSwan problem with IPSEC

    2
    0 Votes
    2 Posts
    1k Views
    P
    Today it flaked out AGAIN and I had to reboot the 24.247.x.x firewall.  The Internet works, 0% latency, everything looks great BUT the IPSEC tunnel crashes and won't come up UNTIL something is rebooted.  I can restart IPSEC services until I'm blue in the face and I've got nothing UNTIL the dumb thing is rebooted. Good thing I didn't have to reboot the other router because that's the one with multiple sites connected to it.  The 24.247.x.x is the remote site. Anyone else experiencing these issues?  We didn't have these issues on the 2.3.x versions of PFSense!  These are PFSense boxes from PFSense too, the rack mounts.
  • IPSEC / L2TP VPN with Windows Client and Active Directory

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec failing Phase 2

    2
    0 Votes
    2 Posts
    1k Views
    No one has replied
  • Mobile Client with Windows 10 Built In VPN (Domain Issues) - RESOLVED

    2
    0 Votes
    2 Posts
    1k Views
    D
    Fixed by adding mydomain.com to the "DNS Suffix for this connection" option in the VPN adapter on Windows
  • Multiple remote networks without IPSEC

    1
    0 Votes
    1 Posts
    380 Views
    No one has replied
  • Tunnel with PFS and a WatchGuard Firebox XTM 850

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    N
    It turned out that the firmware on the Firebox is older and can be updated. With firmware > 12 it works immediately.
  • IPSec mapping from central location

    13
    0 Votes
    13 Posts
    2k Views
    DerelictD
    That doesn't look right either. SITE A - SITE B    P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24 SITE A - SITE C    P2 Tunnel  LN - 10.0.2.0/24  RN - 10.0.3.0/24 Don't want the same traffic selector on SITE A to two different sites.
  • Ipsec over FIOS gigabit with AES-NI - Glory and flames, set me straight.

    11
    0 Votes
    11 Posts
    3k Views
    M
    Is that a 100 MBps or 100 Mbps?
  • Help setting up site-to-site relay

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • IPsec VPN between two pfSense clusters is disconnecting occasionally

    1
    0 Votes
    1 Posts
    349 Views
    No one has replied
  • IPSec on all incoming connections but not outgoing

    1
    0 Votes
    1 Posts
    404 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.