• IPSEC site to site from multiple VLANs to same remote network

    2
    0 Votes
    2 Posts
    1k Views
    M
    Try to create two phase 1 entries, each one with a single phase 2. I know that the public end-point IPs are going to be the same in either system, but the latest version of pfSense looks like it does not bother about that. I had to split a multi-phase-2 VPN connection just to be able to communicate two nets on one side of the VPN with one on the other (same as you are trying to do), just because the config of one of them was not the standard (it was a catch-all). Maybe mixing tagged (VLAN) and non-tagged traffic does not do good to the latest version either.
  • IPSec: pfSense - Fritzbox routing question

    2
    0 Votes
    2 Posts
    769 Views
    M
    Hi Mat. You can set the firewall rule as you like. You do not need to use an 'allow any any'. In the IPsec tab you can write the rules you want. If you want only service 53 to pass through between net a and net b, you can write a rule that only allows traffic from a:53 (or whatever) to b:53. It is the same as any other firewall rule. Regards.
  • Can PFSense support "Encryption Domains"?

    4
    0 Votes
    4 Posts
    2k Views
    M
    Hi Ian. The peer local network is the private network(s) behind the REMOTE crypto endpoint (thus the use of the 'peer' term). You build a VPN between two endpoints, the local and the peer. Maybe the use of 'peer' is not fully correct (because you build the VPN link between two peers), but the sense is that I am referring here to the remote side of the VPN. It usually includes the internal IP where the pfSense belongs to, but not necessarily, and it can include other networks behind that of the pfSense itself (local networks that are further away than the one of the pfSense). You do not need to limit the encryption domain to the pfSense net. Your phase 2 cannot be as you describe because both belong to the same network: 10.0.100.11 is included in the 10.0.100.0/24 network. If the local net is 10.0.100.0/24 and the remote net is 10.0.200.0/24, then you can build a VPN between them. If they are the same network you need to apply source NAT translation to one of the networks. pfSense does this via the NAT/BINAT translation field. Cheers.
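    To make the two checks in these replies concrete (the overlap case above, where one side's 10.0.100.11 sits inside the other side's 10.0.100.0/24 and therefore needs BINAT, and the catch-all-versus-specific phase 2 situation from the VLAN thread further up), here is an added Python example. It is not pfSense code and not from any of these posts; the 10.255.0.0/16 translation pool, the entry names and the sample selectors are assumptions made for the example.

```python
"""Phase 2 traffic-selector sanity checks for a site-to-site IPsec setup.

Added example, not pfSense code. Assumes each phase 2 is a local/remote
selector pair in CIDR form and that 10.255.0.0/16 is a free pool on the
local side to carve a BINAT network from (hypothetical; pick your own).
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    name: str
    local: str   # local encryption domain, e.g. "10.0.100.0/24"
    remote: str  # peer encryption domain, e.g. "10.0.200.0/24"


def _net(cidr: str):
    # strict=False accepts a bare host ("10.0.100.11" -> /32) and
    # networks written with host bits set.
    return ipaddress.ip_network(cidr, strict=False)


def needs_binat(p2: Phase2) -> bool:
    """True when the local and remote selectors overlap.

    Overlapping (or identical) networks on both ends cannot be carried
    through the tunnel as-is: replies to the peer's 10.0.100.11 look like
    local-LAN traffic and never match the tunnel policy. One side has to
    be translated (on pfSense: the NAT/BINAT translation field).
    """
    return _net(p2.local).overlaps(_net(p2.remote))


def binat_candidate(p2: Phase2, pool: str = "10.255.0.0/16") -> Optional[str]:
    """Pick a 1:1 translation network for the local side.

    Same prefix length as the local selector (BINAT maps networks of equal
    size), carved from `pool`, and not overlapping either real selector.
    Returns None when the pool cannot hold a block of that size.
    """
    local, remote, pool_net = _net(p2.local), _net(p2.remote), _net(pool)
    if local.version != pool_net.version or local.prefixlen < pool_net.prefixlen:
        return None
    candidates = [pool_net] if local.prefixlen == pool_net.prefixlen \
        else pool_net.subnets(new_prefix=local.prefixlen)
    for cand in candidates:
        if not cand.overlaps(local) and not cand.overlaps(remote):
            return str(cand)
    return None


def selector_conflicts(entries: List[Phase2]) -> List[Tuple[str, str]]:
    """Pairs of phase 2 entries whose selectors overlap on BOTH sides.

    A catch-all entry (0.0.0.0/0 <-> X) next to a specific one (VLAN net
    <-> X) matches the same packets twice. Which child SA carries them is
    then decided by kernel policy priority, not by the order you entered
    them, so it is worth flagging before the tunnel is built.
    """
    conflicts = []
    for a, b in combinations(entries, 2):
        if _net(a.local).overlaps(_net(b.local)) and \
           _net(a.remote).overlaps(_net(b.remote)):
            conflicts.append((a.name, b.name))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: the overlap case from the thread, a clean pair,
    # and a catch-all beside a VLAN-specific entry.
    p2s = [
        Phase2("overlap", "10.0.100.0/24", "10.0.100.11"),
        Phase2("clean", "10.0.100.0/24", "10.0.200.0/24"),
        Phase2("catch-all", "0.0.0.0/0", "10.0.200.0/24"),
        Phase2("vlan10", "10.0.10.0/24", "10.0.200.0/24"),
    ]
    for p2 in p2s:
        if needs_binat(p2):
            print(f"{p2.name}: selectors overlap, BINAT local side to "
                  f"{binat_candidate(p2)}")
    print("overlapping selector pairs:", selector_conflicts(p2s))
```

    Run it before entering the phase 2 list into both firewalls; the BINAT network it proposes is only a free block of the right size, the real one has to be reachable and routed on the remote side as well.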
  • IPSec Setup broken after Update to iOS 10.2 and Mac OS 10.12.2

    6
    0 Votes
    6 Posts
    3k Views
    D
    I had to replace the certificate chain. Old CA name: smplyCA, CN=smply-ca. New CA name: firewall.mydomain.de, CN: firewall.mydomain.de. Old server cert: issuer smplyCA, CN: firewall. New server cert: issuer firewall.mydomain.de, CN: firewall.mydomain.de. Then I made a mobile config profile with Apple Configurator with both certificates as a payload, removed the old profile, installed the new one, and the VPN works again.
  • Virtual ip not accessible by ipsec

    1
    0 Votes
    1 Posts
    924 Views
    No one has replied
  • IPSec GW Issues

    1
    0 Votes
    1 Posts
    536 Views
    No one has replied
  • Port Forward and translated traffic on LAN not going through IPSec

    1
    0 Votes
    1 Posts
    590 Views
    No one has replied
  • VPN Dropouts and speed varies

    3
    0 Votes
    3 Posts
    739 Views
    No one has replied
  • L2TP with Windows 10 2016

    3
    0 Votes
    3 Posts
    1k Views
    T
    Cool feature….
  • L2TP VPN issues.

    3
    0 Votes
    3 Posts
    918 Views
    T
    Start by adding the following to your L2TP rules: IPv4 UDP, any source, destination port 1701; IPv4, destination local network subnet; IPv4, not to local network subnet, gateway WAN.
  • IPsec and routing

    2
    0 Votes
    2 Posts
    709 Views
    D
    IPsec does not add anything to the routing table. Stop messing with routing tables. And of course with none of the 172.16.x.x networks configured in IPsec, this won't work. P.S. Instead of describing your setup in a rather convoluted way, produce a network diagram.
  • IPsec sending traffic to wrong interface

    1
    0 Votes
    1 Posts
    693 Views
    No one has replied
  • How to get DES encryption?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    It was removed because it was insecure. If the device on the other end is that old, it's likely doing them more harm than good as a firewall. If you search for the commit that removed DES support you could reverse the changes, but you'll have to look that up on your own.
  • IPSEC Mobile VPN setup broken after upgrade to 2.3.2 (from 2.2.2)

    3
    0 Votes
    3 Posts
    971 Views
    B
    I just thought I'd mention too that I'm not sure if it was the way that I performed the update that caused this; however, I was on the VPN connection when I performed the update. Probably a bone-headed thing to do which I will definitely not repeat! I also will not update without first: checking the release notes; waiting for it to be around a while to see if others have issues; and taking a full backup of the device ;D
  • 2.3.2_1 ipsec.secrets empty

    1
    0 Votes
    1 Posts
    686 Views
    No one has replied
  • Intermittent Disconnects of IPSEC Tunnel

    3
    0 Votes
    3 Posts
    1k Views
    I
    Thanks Jon - I'll get them to confirm from their end and see if I can spot any misconfigurations. As a side note, it hasn't dropped since I posted this message, but there have been no configuration changes - so very strange :)
  • Trouble setting up IPSec (No Aggressive option?)

    8
    0 Votes
    8 Posts
    3k Views
    J
    It seems that for IKEv2 I need to create a Server Certificate which needs to include the IP address of the server. Since my server has a dynamic public IP address, it seems that I cannot use IKEv2 after all. Is that right? Thanks, James
  • [SOLVED] Hub and Spoke with IKE Mobile

    2
    0 Votes
    2 Posts
    601 Views
    D
    I was able to get it to work by doing the following (for any future readers). I have Windows 10 and wanted to use the built-in VPN for a number of reasons (VPN before logon, ease for users, etc.). My pfSense mobile client is set up as EAP-RADIUS. I created a PowerShell script:
        # Create the connection for all users; split tunneling so only the routes below go through the VPN
        Add-VpnConnection -Name "VPN NAME" -ServerAddress xxx.xxx.xxx.xxx -AllUserConnection:$true -SplitTunneling:$true -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru
        # One route per remote subnet that should be reached over the tunnel
        Add-VpnConnectionRoute -ConnectionName "VPN NAME" -DestinationPrefix 10.20.1.0/24
        Add-VpnConnectionRoute -ConnectionName "VPN NAME" -DestinationPrefix 192.168.1.0/24
    You need to Add-VpnConnectionRoute for any of the subnets that you will access over the VPN.
  • IPSec (Routing all over Tunnel)

    7
    0 Votes
    7 Posts
    2k Views
    C
    I was actually able to get the issues resolved. Turns out, for some odd reason, when I used Chrome it was saving the network settings but not really saving them. I used Firefox and as soon as I re-saved the info, the tunnel came up and traffic was flowing.
  • Azure Single NIC pfSense VM. Tunnel Up, but No Traffic

    2
    0 Votes
    2 Posts
    967 Views
    M
    You may have two addresses assigned to a single NIC interface (one public, one private), but this does not mean that you can route between them. In fact you will NOT be able to route between them. You need two interfaces to route, or you need subinterfaces or VLANs (in a single-interface configuration) where to assign the different IPs so that you can route traffic between them. Cheers.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.