@rcoleman-netgate 2.png

@JustSumDad no need to mask RFC1918 addresss.

Ping is NOT a TCP/UDP action. It's ICMP. That's why they aren't passing.

@viragomann

It's working fine with leaving the Remote IKE port field blank.
Now the Server A is using the custom NAT-T port as intended.

Thanks for your help.

@viragomann I don't know when or why I set that, but I removed it and that appears to have resolved the issue.

Thank you!!! I don't think I'd have ever figured this out on my own.

LAN gateway2.png

@thomaspsimon said in IPSec with dual WAN:

@NOCling said in IPSec with dual WAN:

Do you have try enable the Mobike Option on both sitets?

tried, but no luck.

The issue here is Local Host is not changing from the failed WAN IP to the failover WAN IP automatically, without that it will not happen, if i am not wrong. Please see the screenshot.

Branch IPSec.JPG

it seems the link https://redmine.pfsense.org/issues/13076 talks about the same issue and an edit to rc.ipsec file fixes the issue.

But didn't get how to make that edit.

@iulianteodor
Lots of variables. You're going to need to add some more details. Policy based or routed? What's the other endpoint? Any NAT involved, etc...

@jimp said in 2 Clients Connecting from Same Public IP Fail:

Do you have hybrid or manual outbound NAT rules that setup static source port for 4500? That shouldn't be necessary and may be interfering with the clients.

NAT-T works fine with a randomized source port, so having outbound NAT preserve a static source port could break it for multiple clients.

I do not, but I suspect the provider at our DC does?

Reading up on it, it sounds like they’ve turned on some kind of IPSec pass through / helper feature on their side…which is not helpful!

@TheWaterbug

You'll need a few things, might seem like a lot but it's actually quite easy with the pfSense ipsec wizard!

Setup your VPN settings in pfSense for IPsec tunnel to use EAP TLS I.e. this is using a CA that you setup, a Cert for the IPsec Server, and a cert for each client. Download the config with the pfSense package "ipsec-profile-wizard" Test this config works by now loading that .mobileconfig onto your phone.

https://www.derman.com/blogs/iOS-IPSec-VPN-OnDemand-Setup

Section 3 there "3. Import the IPSec VPN configuration profile onto the iPhone" provides instructions for apple configurator, or just emailing it to yourself.

Once you've got the above working nicely, you know you have a secure VPN with cert based auth and you can add in the few line that I posted above to the .mobileconfig file, and then upload that to the phone in question.

N.B.

You MIGHT have to "Supervise" your iphone for this to work...
For "Always On VPN" you 100% need it supervised, but I THINK that with "On Demand VPN" you don't have to.

https://www.miradore.com/knowledge/ios/enable-supervised-mode-on-ios-device-using-apple-configurator/

That should get you started.

@stbellcom said in IPSec preformance:

Hello,

I currently have two Netgate 6100 setup in the lab connected to each other via 2.5gb/s and then running a IPSec VTI tunnel over this connection.

On each end I also have two pc's with 2.5gb/s running Iperf3 for testing.

About the best speed I can get is around 1.01 Gbits/sec though the Netgate spec says it should be around 1.8 Gbits/sec for the 6100

I have tried the recommended settings from this page:

https://docs.netgate.com/pfsense/en/latest/vpn/performance.html#optimal-encryption-settings

And a bunch of lesser secure with QAT | AES-NI enabled/disabled without much change.

Is it realistic to be getting 1.8 Gbits/sec in a lab setup and does anyone have recomendations on which encryption cipher to use to get raw speed though the VPN ?

Thanks

Can you get the 1.8 Gbps with just NAT?

i.e. get rid of the IPSEC tunnel, port forward iperf ports and just santiy check that the bandwidth is good for that?

Would be a good step to test to ensure the path is setup correctly for over gigabit speeds.

@TheWaterbug said in Mobile IPSec VPN On Demand from iOS/macOS?:

This may be more of an iOS question than a pfsense/IPSec question, but is there a known way to have an iOS/macOS device automatically connect to my pfsense 2.60CE IPSec endpoint, but only when attempting to connect to specific IP addresses inside that LAN?

For example I currently have my security camera system port forwarded in from ACMERocketCars.dyndns.org:80 to 192.168.50.3:80. That's on a separate subnet, firewall off from all my critical infrastructure, but it still seems a bit scary to have a machine widely exposed on the internet.

I already have a mobile IPSec tunnel set up that works from both my macOS devices and my iOS devices, but I have to "dial" it manually every time, which is inconvenient any time I want to just quickly check a camera.

Is there a recipe for creating a configuration file that I can load on my macOS and iOS that auto-dials my VPN connection if I attempt to access 192.168.50.3:80, and then drops the connection if there's no traffic in X minutes?

Yes take a read of this: https://github.com/nerd-one/VPN-OnDemand/blob/master/VPN%20OnDemand.mobileconfig

And my post here which shows where the code goes:

https://forum.netgate.com/topic/181588/ios-on-demand-vpn

No duplicates appeared over the weekend. Seems split connections is the way to go.

@cto_frank Changing the loglevel is only reloading configuration and not restarting services. So it's not rebulding anything but could theoretically correct an unwanted state. But the reason it works could as well be a special alignment of the planets... 👽 Anyways. Glad it's working 😏

Thank you for your response, but i am still on the same thing.
in log
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 10[ENC] received fragment #1 of 2, waiting for complete IKE message
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 10[MGR] checkin IKE_SA (unnamed)[2]
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 10[MGR] checkin of IKE_SA successful
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[MGR] checkout IKEv2 SA by message with SPIs d026565155dc83e0_i 76c33ab5aa293765_r
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[MGR] IKE_SA (unnamed)[2] successfully checked out
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[NET] received packet: from fd00:4444:5555:6666::2[4500] to fd00:1111:2222:3333::2[4500] (772 bytes)
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1920 bytes)
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] received cert request for "C=CZ, ST=Czech republic, L=FrydekMistek, O=OU, OU=OU, CN=My CA, E=sasinka.martin@gmail.com"
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] received end entity cert "C=CZ, ST=Czech republic, L=FrydekMistek, O=OU, OU=OU, CN=computer2, E=sasinka.martin@gmail.com"
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[CFG] looking for peer configs matching fd00:1111:2222:3333::2[computer1]...fd00:4444:5555:6666::2[C=CZ, ST=Czech republic, L=FrydekMistek, O=OU, OU=OU, CN=computer2, E=sasinka.martin@gmail.com]
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[CFG] no matching peer config found
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] peer supports MOBIKE
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] got additional MOBIKE peer address: 192.168.88.246
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] got additional MOBIKE peer address: 192.168.1.48
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] got additional MOBIKE peer address: fd00:1111:2222:3333:70cf:7fe3:26c5:7345
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] got additional MOBIKE peer address: fd00:9999:8888:7777:9d4:e1dd:7a3d:502a
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[IKE] got additional MOBIKE peer address: fd00:4444:5555:6666:7379:3fd6:6178:f67d
Jul 17 15:20:12 martin-Legion-5-15IAH7H charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
So the problem is no matching peer config found

computer1 ipsec.conf
conn hosttohost
left=fd00:1111:2222:3333::2
leftcert=server-cert.pem
leftsubnet=fd00:1111:2222:3333::/64
leftid=@computer1
right=fd00:4444:5555:6666::2
rightsubnet=fd00:4444:5555:6666::/64
rightid=@computer2
keyexchange=ikev2
ike=aes256-sha256-modp3072
esp=aes256gcm16-sha384-modp3072
authby=rsasig
type=tunnel
auto=add

computer2 ipsec.conf
conn hosttohost
left=fd00:4444:5555:6666::2
leftcert=client-cert.pem
leftsubnet=fd00:4444:5555:6666::/64
leftid=@computer2
right=fd00:1111:2222:3333::2
rightid=@computer1
keyexchange=ikev2
ike=aes256-sha256-modp3072
esp=aes256gcm16-sha384-modp3072
authby=rsasig
type=tunnel
auto=add
Any ideas please?