• Getting DNS over site-to-site IPsec VPN to Google Cloud

    1
    0 Votes
    1 Posts
    571 Views
    No one has replied
  • PfSense is blocking L2TP/IPSec even when Port Forwarding / NAT is enabled.

    13
    0 Votes
    13 Posts
    17k Views
    T
"How to configure an L2TP/IPsec server behind a NAT-T" MS KB did not work for us. Running 2.2.4-RELEASE (i386). Not planning the upgrade yet. We're unable to forward L2TP traffic to the server behind NAT. We're seeing traffic coming in on port 4500, the VPN connection is established, however there is no routed traffic. All NPS policies seem to be fine. No firewall rules blocking. No ACLs blocking. We're not seeing anything behind this server. Forwarded traffic: TCP/UDP 1701 WAN -> server; TCP/UDP 500 WAN -> server; TCP/UDP 4500 WAN -> server; AH protocol WAN -> server; ESP protocol WAN -> server. Issue seems to be covered by this thread. Next step is to sniff some traffic and check what is going on. Any ideas?
  • Site-to-site wan traffic through site B BUT with exceptions

    6
    0 Votes
    6 Posts
    1k Views
    H
I think I solved it by myself. My solution: IPsec transport mode between Site A and Site B; GRE tunnel over the IPsec-secured connection; custom gateway with custom static routes.
  • IPSec PSK+XAuth Client - How to set XAuth option?

    4
    1 Votes
    4 Posts
    3k Views
    jimpJ
@Daz22: Yes this is possible. VPN / IPsec / Mobile Clients: Enable IPsec mobile client support; User database: Local database (selected); Save. In your P1 entry you should now have the option under P1 proposal. Make sure when you create your users you go back in and add the XAUTH VPN User dial-in. Hope this helps! That's the wrong direction. That sets up an Xauth server. OP wants pfSense to act as an Xauth client to a remote server.
  • Multi VLAN routing over IPsec

    5
    0 Votes
    5 Posts
    1k Views
    D
I wanted to see if I could get help doing the same idea but for my mobile clients. For example, current topology: Network A 172.16.0.0/24; Network B 10.0.0.0/24; Network C 20.0.0.0/24. I want to grant specific clients access to the specific networks via IPsec: Client A, P2 network 0.0.0.0/0 (default route, access to all networks); Client B, P2 network 10.0.0.0/24 (access to Lab A network); Client C, P2 network 20.0.0.0/24 (access to Lab B network).
  • IP Sec Overview

    1
    0 Votes
    1 Posts
    511 Views
    No one has replied
  • Every 8 hours ipsec does not reactivate the tunnel

    1
    0 Votes
    1 Posts
    392 Views
    No one has replied
  • Paloalto

    2
    0 Votes
    2 Posts
    419 Views
    K
I have a working IPsec configuration between pfSense and Palo Alto. How can I help you?
  • Duplicate SAs with different IDs

    1
    0 Votes
    1 Posts
    386 Views
    No one has replied
  • IPsec with EAP-TLS client cert auth failing [SOLVED]

    8
    0 Votes
    8 Posts
    6k Views
    P
    @hugh_jarse, thank you very much for this detailed post. I'll need some time now to work through it :P
  • Higher throughput with OpenVPN than IPSec. Can it be?

    1
    0 Votes
    1 Posts
    549 Views
    No one has replied
  • Re-establish site-to-site IPsec on failover (CARP)

    1
    0 Votes
    1 Posts
    545 Views
    No one has replied
  • IP SEC SITE TO SITE PFSENSE to ASAv using RSA

    3
    0 Votes
    3 Posts
    1k Views
    T
    When you imported the certificate, did you also import the key?
  • Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA

    3
    0 Votes
    3 Posts
    576 Views
    T
I have many S2S between pfSense & ASA. Posting your configuration for both will help. To get the IPsec configuration from pfSense run: cat /var/etc/ipsec/ipsec.conf. In the ASA, look for it in your running config.
  • 0 Votes
    1 Posts
    428 Views
    No one has replied
  • 0 Votes
    3 Posts
    794 Views
    S
    This is solved. Turns out I didn't check "disable rekey" under the advanced config on the Phase 1 settings in pfsense.
  • How-to on GRE over IPSEC?

    2
    0 Votes
    2 Posts
    2k Views
    G
It can be done but with a couple of caveats. The main problem is that you have to pretty much turn off the firewall over the tunnels (!!!) due to #4479. Also, strongSwan cannot currently establish 2 tunnels to the same destination IP from different interfaces (because the gateway selection is based on hidden static routes). To overcome this you can do it the other way around: first GRE and then encrypt the tunnels (IPsec-over-GRE), or even set up another tunnel inside the other one. Finally, you can use OSPF to handle the failover, but beware there is a long-running unresolved issue with Quagga in which some routes are incorrectly marked as kernel routes and never cleared on restart, rendering the configuration useless. You may have better luck with FRR. Two more points: remember to tweak MSS clamping appropriately to avoid performance issues, and you can also use GIF instead of GRE to save some bytes. You can achieve the same thing with OpenVPN + OSPF, by the way.
  • Upgrading to 2.4.2 broke my IPSEC VPN!

    4
    0 Votes
    4 Posts
    3k Views
    X
    Update - you were absolutely right! Switching DH groups fixed it. Wish I had spotted that, thank you!
  • Why aren't my end to end vpn speeds keeping up? (site to site)

    4
    0 Votes
    4 Posts
    927 Views
    R
At this point I've been having a conversation with myself on this topic, but I'm determined to provide some valuable information to someone who will inevitably come across the same dilemma that I have. So the past few nights I've been doing a lot of reading: WAN accelerators, alternate protocols etc. Tonight I came across an article about transferring data across IPsec tunnels. One of the items the author mentioned was different speeds using different protocols. One of the protocols was HTTP. Hmm. My NAS at home has an HTTP front end and I remembered that it did some form of file transfer. I gave it a shot, uploading a 17.7 gig rar archive in 3 minutes and 11 seconds. Here's the tail end of the transfer: as you can see, it achieved full line rate, 100+ MBps [image: http_zpsqd9natel.jpg]. I see there are a number of Windows programs out there allowing for HTTP transfer. Hopefully I can find a command line version or, better yet, one that might actually map a drive or at least allow me to send files to my NAS. That would be super. This could be just what I'm looking for to finally saturate my IPsec VPN for file transfer. Sure beats a four thousand dollar WAN accelerator. Roveer
  • User supplied credentials, every connection for ipsec?

    2
    0 Votes
    2 Posts
    456 Views
    M
Perhaps using captive portal somehow? The tunnels can be automatic, but no use of devices on any of the ports without portal authentication? I've never used captive portal before… I'll have to go read up on it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.