• 0.0.0.0/0 tunnel breaks load balancer

    0 Votes
    3 Posts
    975 Views
    J
    Yeah, OpenVPN did the trick for me. Thanks for the reply.
  • IPSec not routing traffic on 2.3.2 with two WAN interfaces

    0 Votes
    1 Posts
    570 Views
    No one has replied
  • Bug/Issue with NAT 1:1 rule operation on IPsec interface

    0 Votes
    3 Posts
    1k Views
    dotdash
    That other thread is a year old, and the OP never replied back. Doesn't sound like a bug. As for this thread, you need to NAT BOTH sides of the tunnel? You are using the phase 2 NAT/BINAT at site A and a custom rule on side B? I can't figure out if your bbbb and dddd are addresses or subnets, and I'm unclear what you mean by saying dddd is 'public'.
  • MOVED: IPSEC firewall blocking stuff

    Locked
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • IPSec tunnel to Meraki does not come back up after internet outages

    0 Votes
    2 Posts
    1k Views
    E
    Registered to reply to you. I currently have a pfSense VM running in a cloud environment that I use to connect back to 20+ locations that are all on Cisco Meraki MX series devices. Do you have static IPs on both ends? I have static IPs at almost all locations. The sites that don't have a static IP address we refer to from pfSense by their dynamic DNS address provided by Meraki. Haven't had any issues with the VPN reconnecting after a power outage. [image: WSVO7L5.png]
  • Dropping leftover CISCO connections.

    0 Votes
    2 Posts
    703 Views
    dotdash
    Not sure what you are asking. If the devices have different IPs within the same subnet, that's no problem. If you want to remove the Cisco and have the pfSense answer on the Cisco's IPs, then add them as virtual IPs. Normally, I'd program the new firewall with the old firewall's IPs, shut down the old one and power up the new one.
  • IPSEC Responder, should be initiator!

    0 Votes
    1 Posts
    715 Views
    No one has replied
  • Connect two vlans over IPsec

    0 Votes
    2 Posts
    581 Views
    G
    VLAN is L2, not possible. You'd need something like VXLAN, but that's a completely other level.
  • Split tunneling IPSec on 2.3.2

    0 Votes
    2 Posts
    691 Views
    G
    Not possible. Make more of 'em P2s :)
  • Regarding site to site VPN

    0 Votes
    1 Posts
    485 Views
    No one has replied
  • IPSEC Mobile Clients on pfsense 2.3.3-RELEASE

    0 Votes
    4 Posts
    1k Views
    N
    Please, is it possible to explain or post your config? I have problems with my iPhone 7. Thx
  • Ping FQDN by VPN IPSEC

    0 Votes
    1 Posts
    415 Views
    No one has replied
  • Overlapping VPN

    0 Votes
    2 Posts
    1k Views
    jimp
    That cannot be directly achieved with anything. Something must distinguish the remote networks. You can't solve that conflict locally. In this case, if your side has the overlap, one or both of the remote sides must perform NAT to mask the true subnet so that your side does not have a conflict. If you have pfSense on both sides, this is easily achieved with IPsec (Phase 2 NAT) or OpenVPN (1:1 NAT or outbound NAT). If the remote ends are out of your control, then you can't solve the problem with a single unit. You'd have to have two separate firewalls, one for each tunnel, and perform NAT on one or both before the traffic exits to the local network.
  • VPN CONNECTION STABLESHEET BUT NOT FOUND HOSTS

    0 Votes
    1 Posts
    390 Views
    No one has replied
  • MacOs 10.12, Ikev2 - Disconnects after 8 minutes

    0 Votes
    12 Posts
    11k Views
    NogBadTheBad
    @Derelict: Yup. Looks like a bug in Apple's implementation. Interestingly, it does not occur if you use a profile to configure the IPsec connection. The factory versions of pfSense have a profile exporter package, or you can use the Profile Manager in OS X Server (macOS Server). There is a bug open with Apple. No feedback on it in a few weeks. This also occurred in 10.11.X. Sorry to hear it is still present in 10.12.X. I haven't had time to test it yet. I tried the ipsec-profile-wizard and it didn't like the import; I'm getting "The 'VPN Service' payload could not be installed. The VPN service could not be created." If I install my certs by hand and set up the VPN connection, IKEv2 works fine, no disconnects on my iPhone or iPad away from home. My IPsec config:
    <ipsec>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>none</group_source>
        <pool_address>172.16.9.0</pool_address>
        <pool_netbits>24</pool_netbits>
        <dns_domain>XXXX XXXX.net</dns_domain>
        <dns_server1>172.16.1.1</dns_server1>
      </client>
      <logging>
        <dmn>1</dmn> <mgr>1</mgr> <ike>1</ike> <chd>1</chd> <job>1</job> <cfg>1</cfg> <knl>1</knl> <net>1</net>
        <asn>1</asn> <enc>1</enc> <imc>1</imc> <imv>1</imv> <pts>1</pts> <tls>1</tls> <esp>1</esp> <lib>1</lib>
      </logging>
      <uniqueids>never</uniqueids>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
        <protocol>inet</protocol>
        <myid_type>fqdn</myid_type>
        <myid_data>vpn.xxxxxxxxxx.net</myid_data>
        <peerid_type>any</peerid_type>
        <peerid_data></peerid_data>
        <encryption-algorithm><name>aes</name> <keylen>256</keylen></encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>14</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key></pre-shared-key>
        <private-key></private-key>
        <certref>590e07927b298</certref>
        <caref></caref>
        <authentication_method>eap-mschapv2</authentication_method>
        <nat_traversal>on</nat_traversal>
        <mobike>on</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>58ecc9de19c3f</uniqid>
        <mode>tunnel</mode>
        <reqid>1</reqid>
        <localid><type>network</type> <address>0.0.0.0</address> <netbits>0</netbits></localid>
        <protocol>esp</protocol>
        <encryption-algorithm-option><name>aes</name> <keylen>auto</keylen></encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <hash-algorithm-option>hmac_sha384</hash-algorithm-option>
        <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
      <mobilekey><ident>xxxxxx</ident> <type>EAP</type> <pre-shared-key>xxxxxx</pre-shared-key></mobilekey>
    </ipsec>
  • Roadwarrior IPSec and static routes

    0 Votes
    2 Posts
    934 Views
    S
    Once I managed to get it to work by using a "default route" as my local network. However, it gave different results depending on different versions of OSX and on how the existing routes.. From what I have read it looks like pfSense will not be able to accomplish what I want to do here, so I'm currently looking at other options.
  • AWS CloudHub setup

    0 Votes
    2 Posts
    764 Views
    S
    Are you saying you expect AWS to transit your office(s) internal "WAN" traffic through AWS?
  • L2TP/IPSec: How to make split-tunnelling work?

    0 Votes
    2 Posts
    634 Views
    jimp
    It's up to the client to decide what to send. There is no mechanism in that protocol to inform the clients what subnets are available. The client has to define that itself.
  • Access to other IPSEC-VPN from HomeOffice

    0 Votes
    8 Posts
    2k Views
    H
    IPsec is designed to prevent exactly this. You cannot simply "route" through an IPsec tunnel. It is possible to circumvent this with multiple phase 2 configs on ALL endpoints (which assumes that you are allowed to do what you are trying, which it does not sound like), but if you have to ask here how to do that, it is likely to blow up in your face one way or the other. TL;DR: "Don't."
  • 0 Votes
    2 Posts
    2k Views
    B
    How and what do you ping? Do you ping via the GUI of pfSense (Diagnostics -> Ping) or do you use a computer behind the pfSenses? Do you ping the pfSense itself or a computer behind the pfSense? Do you see blocked packets in the firewall log (Status -> System Logs -> Firewall -> Normal View)? If yes, by what rule are the packets blocked? You can also use Diagnostics -> Packet Capture to see if ICMP packets get in and out of both pfSenses.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.