• OpenVPN to IPSec?

    6
    0 Votes
    6 Posts
    3k Views
    I finally got around to this and it's working great. Thank you. If I wanted to route all internet traffic through the site-to-site VPN, is this article still valid? https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel#Configure_outbound_NAT At the end, it says to modify the Outbound NAT at Site B (where you want your Internet traffic to exit), even though you want Site A to use the Internet at Site B. Is that still correct? Edit: This worked perfectly, I missed where it said to add a route of 0.0.0.0/0 at Site A, thus my confusion.
  • Please compile strongswan using the –dhcpplugin

    1
    0 Votes
    1 Posts
    624 Views
    No one has replied
  • Mikrotik to pfsense VPN. Can get phase 2 to link up

    4
    0 Votes
    4 Posts
    1k Views
    pfSense defaults work fine, considering you replicated the settings correctly on RouterOS.
  • 0 Votes
    2 Posts
    2k Views
    jimp
    Turn up the logging on both sides as detailed here: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29 Usually that would mean either there is a mismatch or it's not matching the connection properly (remote gateway and identifier are not matching)
  • IPSEC Mobile Clients with IPv4 / IPv6 connection

    3
    0 Votes
    3 Posts
    1k Views
    Hm, at least Strongswan should be able to do what we need: https://www.strongswan.org/testing/testresults/ipv6/net2net-ip4-in-ip6-ikev2/ So it is not possible with the GUI settings or is it prevented by some other conflict? Any idea? Thanks Andreas
  • 0 Votes
    3 Posts
    1k Views
    You can do this with gateway groups and dynamic DNS, but it is not very reliable. The best way to do it is to set up GRE tunnels over IPsec transport mode, with OSPF on top of it to handle the routing.
  • IpSec Ikev2 Tunnel Up, but not passing internet traffic

    9
    0 Votes
    9 Posts
    3k Views
    Hi daxpfacc, thank you for that hint. I just added both the OpenVPN and IPsec Subnets and allowed queries, but it still does not work. Kind regards, Jannik
  • Route traffic between IPSEC vpns

    5
    0 Votes
    5 Posts
    2k Views
    Glad to have helped
  • IPSec Failover with BIN/NAT

    1
    0 Votes
    1 Posts
    721 Views
    No one has replied
  • IPSec Between iOS 9 and PFSense 2.3: Working Configuration

    5
    0 Votes
    5 Posts
    9k Views
    Yes but the type of encryption can easily be tested after configuration in general and otherwise the article is up to date (and still working). But yes the article could be upgraded in respect of encryption.
  • IKEv2 with EAP-RADIUS: Any fallback option if the RADIUS server is down?

    1
    0 Votes
    1 Posts
    741 Views
    No one has replied
  • Pfsense <->pfsense, VPN established, no traffic -> suddenly traffic

    2
    0 Votes
    2 Posts
    983 Views
    I guess I got it -> it was a problem with the package HA-proxy. After uninstalling it, I don't have those effects.
  • Phase 1 Proposal algorithms (2.3) => Why only 1 proposal ?

    3
    0 Votes
    3 Posts
    759 Views
    Thanks.
  • Migrate from 2.15 to 2.3 - FTP problem via IPSEC

    3
    0 Votes
    3 Posts
    784 Views
    The FTP is already in passive mode. But before the migration, they have any problem to transfer files with FTP via IPSEC and I am wondering where is the issue and if a new thing is here with this new version.
  • Reachable network dependant on Phase 2 ordering

    4
    0 Votes
    4 Posts
    1k Views
    The raw output of 'ipsec statusall' would be helpful.
  • Draytek to pfsense route all traffic

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Minor interface glitch 2.3

    3
    0 Votes
    3 Posts
    859 Views
    Thank you!
  • Getting IPSec Working with 2.2.6 & iOS 9

    2
    0 Votes
    2 Posts
    1k Views
    OK, so if I specify a Group Name in iOS, the request becomes aggressive. It still fails at:
    May 10 12:06:15 charon: 06[IKE] <15> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
    May 10 12:06:15 charon: 06[CFG] <15> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX…70.196.XXX.XXX[VPN]
    From VPN: IPsec: Edit Phase 1: Mobile Client - Phase 1 Proposal:
    Authentication method - Mutual PSK & Xauth
    Negotiation mode - Aggressive
    My Identifier - My IP Address
    Peer Identifier - Distinguished Name - VPN
    Pre-Shared Key - XXX
    What am I missing?
  • IPSec VPN drops randomly and never reconnects

    3
    0 Votes
    3 Posts
    4k Views
    I think I figured it out…..very stupid, of course. It seems that if I ping the remote LAN subnet, the tunnel will come back up by itself. I suppose I could set the auto ping IP to the remote LAN IP and that should keep it up. I unfortunately don't have control over the other end (and the admins that do are very incompetent) so I can't change to IKEv2 on the remote end. Would enabling 'Make before Break' have any effect?
  • Disable or enable Phase 1 from command line

    4
    0 Votes
    4 Posts
    3k Views
    Were you able to find a command to enable/disable IPsec tunnels from the CLI? I would also like to know if there is a way to do this, because I would like to implement an IPsec multi-WAN failover.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.