LOL Pfsense does funny things.

LOL, I dont know what it was, but I recreated it and connected just fine. I can browse the internet and access remote local data. Perfect. It's knocking out a VPN, gotta see why this is happening.

I just tried this, not working lol :(

I have a sophos utm VM in my lab. IPsec between it and pfSense work fine.

I'm now able to create a tunnel between my PFSense, Macs and Iphone with IOS 10.

Thanks to https://blog.andregasser.net/en/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

I'm still not able to access the nework behind the firewall. If I cannot find any answer with the search engin, I'm going to create a new subject.

Hi,

thx for this reply. Unfortunately à changed the lifetime P1 et P2 to the values you suggested, but I've the same message.

The Auto Update is in process. Let see …

Ok, but I seem to not be able to have QuaggaOSPF and OpenBGP installed, and I am not able to tear down our OpenBGP configuration and move to Quagga without taking serious down time.

Not sure why but the config change was never picked up even after restarting the service.

Rebooted the firewall and it's now sending the clients the right subnet so probably something is cached and not reloaded on restart.

Did you ever find a solution for this problem? I face the exact same problem and tried pretty much every single approach described here and none worked  :(

Yes, that works fine, provided you setup all of the appropriate Phase 2 entries in IPsec and routes in OpenVPN.

For example, your IPsec tunnels would need to have phase 2 entries such as:

Site A<->B: P2 for A-B, OpenVPN-B
Site A<->C: P2 for A-C, OpenVPN-C
OpenVPN: Local network set for A, B, and C

And if you want B and C to reach each other through A, you'll need additional P2 entries to cover B-C / C-B on the appropriate tunnels and in the proper direction.

Ah.. Yeah that is a problem…

Thank you for the suggestion.
IKEv2 from what I'm reading involves shipping certs to your users and installing them. (correct me if I'm wrong on this)
And for that reason, If I go with IKEv2, I may as well go with OpenVPN.

Regards.

Hi,

With IPsec the easiest solution is filter by port in transport mode. A Linux host with Strongswan or Libreswan supports it. However I think the Pfsense GUI doesn't support that setting yet (I would need it also).
So you could create a GRE tunnel over an IPsec tunnel and forward that port to/from the GRE tunnel interface. For example with a rule in your LAN which that remote port would translated (NAT) to the GRE tunnel IP.