• Auto reconnect after failure possible?

    0 Votes
    4 Posts
    6k Views
    jimp
    "Responder only" would do exactly as you described – When the VPN times out or the keys expire, it will not automatically establish again. Unset that on both sides.
  • IPsec IKEv2 EAP-TLS: "received cert requests for unknown ca"

    0 Votes
    3 Posts
    12k Views
    Hello Derelict, thanks a lot for your answer! The guide specifies that the host name of the firewall has to be entered both in the CN and in a SAN with the type "DNS". Since the DNS option doesn't exist in 2.3.2-RELEASE-p1, I chose "FQDN or Hostname", but I had already done that before I created this topic. In fact, just to make sure I wasn't remembering it wrong, I redid the whole tutorial from scratch with the same result. Since I was following the tutorial that I linked to and not the one you linked to, I hadn't tried out disabling the EKU check, but that led to the same result as well. Regarding the import of the certificate, I again followed every step in the tutorial and I can see the certificate authority in the certificate store.
  • LAN->IPSec Routing Prob: IPSec IPv6 w. several public IPv6 Addressranges

    0 Votes
    1 Posts
    854 Views
    No one has replied
  • Traffic between ipsec

    0 Votes
    2 Posts
    869 Views
    Figured this out for a whopping 15 views and no reply. Add additional P2 tunnels for each VPN. RED WAS ADDED TO WORK PFsense (1.1.1.1/24): VPN1 to 1.1.1.1/24 (to me) local int <-> 192.168.10.0/24 192.168.50.0/24 <-> 192.168.10.0/24 VPN2 to 1.1.1.1/24 (to user) local int <-> 192.168.50.0/24 192.168.10.0/24 <-> 192.168.50.0/24
  • DHCP over IPSEC?

    0 Votes
    3 Posts
    1k Views
    Bump :) I just need PFsense to be the DHCP server to another FW.
  • IPsec P2 madness

    0 Votes
    5 Posts
    1k Views
    Thanks for your replies, but the ranges are completely different so the subnet bit would be ridiculous LOL. Multiple P2's aren't too bad.
  • Cannot filter traffic from L2TP clients

    0 Votes
    1 Posts
    829 Views
    No one has replied
  • Traffic into remote LAN retaining local VPN IP address

    0 Votes
    2 Posts
    965 Views
    Just a quick update on this - I had been testing with my laptop and couldn't get this working and had to plug into something else so put the connection onto an IP phone (which is what the VPN is for). And it came to life! I then tried to send a ping from the phone to the end system across the VPN, and the issue came back. Took the cable out of the phone to reset it, back in, and now it's working again. So I'm now wondering if there's some erroneous NAT occurring on my end. If anyone has seen something like this before though, any responses would still be great. Thanks! Andy
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    8 Posts
    8k Views
    Thank you for your quick reply. Had the same problem scottzech posted and I will probably use OpenVPN now.
  • Route VPN traffic through middle man (Site-Site-Site VPN)

    0 Votes
    2 Posts
    1k Views
    nsi-fusion
    It is possible and should work just fine. I did not test this setup myself on pfSense; however, I use Fortigate in the corporate environment. It is a very popular setup where remote sites are connected to a central VPN CONCENTRATOR and that VPN concentrator is responsible for routing between sites. Remote end-points do not have any additional VPN connections to each other… Worth trying. Please share your findings after you implement this.
  • Able to create IPSEC VPN but cannot pass LAN traffic

    0 Votes
    2 Posts
    3k Views
    nsi-fusion
    @manxam: From the host, I cannot ping any remote host including the router (10.10.10.1) Can you please verify TCP/IP settings on that host. You should be able to ping devices in the same subnet (router) with correct settings…
  • Are there any known issues with ipsec and 2.3.2?

    0 Votes
    3 Posts
    3k Views
    You know, as long as IPSec still works I'll just recreate everything from scratch.  The old one has been running since at least 1.2.3 so I wouldn't be at all surprised if some incompatibility finally crept in.  I'm not even going to worry with diagnosing it. Thanks for the reply.  :)
  • Route specific destination IPs through IPSec VPN

    0 Votes
    4 Posts
    3k Views
    Derelict
    OpenVPN is OpenVPN. You will not find a tutorial for pfSense to every vendor out there. Is there a tutorial on Sophos' site for Sophos to pfSense? https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
  • IKEv2 MS-CHAPv2 vpn Android Client problem

    0 Votes
    2 Posts
    4k Views
    Derelict
    That client is not liking the transforms you have configured: Sep 30 16:24:48 05[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built If you set VPN > IPsec, Advanced settings logs to IKE SA, IKE Child SA, and Configuration backend to Diag leaving all others at Control you will get more logging about that exchange. It should show you what the Android device will accept.
  • IPSEC Tunnel with Virtual IP

    0 Votes
    6 Posts
    5k Views
    added the VIP under identifiers for the IPSEC? By default they are the IP, if you change peer/local to example KEY_ID and then the designated identifiers, they also need to be matched on the other site. I used KEY_ID on my PFsense but on the sonicwall remote VPN, it was registering as FQDN. I had to change the sonicwall identifiers as FQDN instead lol. Remote GW is always the public IP of the other end's VPN tunnel, not a virtual IP, as it's created internally to use from the remote site.
  • VIP mapped to an IPSec Address

    0 Votes
    1 Posts
    628 Views
    No one has replied
  • [done] Ping through IPSec-Tunnel to remote Gateway not working

    0 Votes
    3 Posts
    2k Views
    Found something: https://redmine.pfsense.org/issues/4849 => https://forum.pfsense.org/index.php?topic=95573.0 => https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN => https://doc.pfsense.org/index.php/What_should_I_ping_for_IPsec_Keep_Alive It's not a bug, it's a feature ;)
  • LAN interface crashes after 2.3 upgrade

    Locked
    0 Votes
    9 Posts
    4k Views
    jimp
    This specific issue was fixed long ago. If you have what appears to be a similar issue on 2.3.2, it's unlikely to be this. Start a fresh thread with as much detail as possible about your config, hardware, network, and so on.
  • 0 Votes
    4 Posts
    2k Views
    Thank you very much. I don't understand where the .84 is coming from (we should have only .83), I'll check with the guy in charge of the firewall on the other site.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.