• No traffic over ipsec

    4
    0 Votes
    4 Posts
    1k Views
    2

    IPsec tunnels need NSA/GCHQ approval before becoming functional, I had that several times in the past. OpenVPN they apparently crack on-the-fly, so they "work" out of the box… ;-)

  • IPSEC Tunnels / Routing in between

    8
    0 Votes
    8 Posts
    2k Views
    G

    Sorry, my bad. I did this several times but the "branches" were in fact OpenVPN tunnels, and they were connected through an IPsec tunnel between the main sites.

    On the basis of how all this works, I don't think you can do what I mentioned earlier (although I never tried).

    Probably your best bet is to use some dynamic DNS so you can establish a direct Ph1 between the branches, since you'll be able to ditch the 0.0.0.0/0 requirement.

  • Site-to-Site + Synology Diskstation = Problems

    2
    0 Votes
    2 Posts
    2k Views
    S

    The plot thickens a bit more and I get more and more out of my depth of field.

    I have toggled the following value:

    net.inet.ip.redirect = 0 (default 1)

    and communication between the Diskstation and Azure has been restored.

    Have I set myself up for more problems by altering the above flag?

    Thanks in advance!

  • Forcing all traffic over IPSec VPN and the ability to do further routing

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    You can't "route" it in the traditional way but depending on what you're trying to do, it may still be possible. It's all up to the Phase 2 networks in IPsec.

    You can force all traffic over the tunnel from the LAN (local P2 net = LAN network, remote P2 net = 0.0.0.0/0) but that means everything from the LAN will be forced over IPsec.

    Once it hits the other side you'll have to pass it in the rules, NAT it outbound, etc.

  • IPSec Behind Nat

    2
    0 Votes
    2 Posts
    2k Views
    dotdashD

    I believe your real subnet must match your binat subnet. Try making your local subnet 172.16.10.1 or something to match.

  • 0 Votes
    2 Posts
    737 Views
    E

    Update.
    I updated the firmware; this broke it completely.

    So I removed the VPN config and added it back in, and this worked again, with the same results. Add a new user and it breaks.

    Any ideas?

  • Windows can't connect pfsense ipsec ikev2 if src and dst both pfsense.

    3
    0 Votes
    3 Posts
    1k Views
    S

    I have two different sites with pfsense.
    At my place I have also pfsense.
    Trying to connect with ipsec vpn as a client to either site always results in error 809
    All 3 places have simple one lan setups

  • IPSec VPN Dropping / Reconnect Issues

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec site-to-site 80% slower than max speed

    13
    0 Votes
    13 Posts
    19k Views
    J

    @jamesbond:

    I also have a very similar problem with slow traffic over an IPsec tunnel. I am pretty newish to networking but want to know if this is normal behavior for an IPsec connection.

    Site A – Data center has 100/100mb in and out
    Site B – Home, has virgin media fibre broadband 150mb line gives me around 10mb upload max.

    I have set up a pfSense server 2.2.6 at data center, my home network has a Draytek 2860.

    I have a Windows 2012 server in DC and when copying a file using Windows Explorer from home using a Windows 7 machine I get speeds of around 1.5MB when copying the file to DC.

    I have also tried using pfSense at home to see if the Draytek router was the issue; it made no difference in speeds.

    I have also tested IPsec using Draytek router to Draytek router and noticed very poor speeds when copying files across using Explorer.

    I have tested copying files across using FTP, getting similar speed to Windows Explorer.

    I have used iperf to test speeds between A-site and B-site and it is showing up as decent bandwidth. Perhaps I am not understanding something, or some kind of Windows SMB limit etc.?

    CLIENT

    Connecting to host 172.16.1.10, port 5201
    [  4] local 192.168.50.102 port 50364 connected to 172.16.1.10 port 5201
    [ ID] Interval          Transfer    Bandwidth
    [  4]  0.00-1.00  sec  1.38 MBytes  11.5 Mbits/sec
    [  4]  1.00-2.00  sec  1.25 MBytes  10.5 Mbits/sec
    [  4]  2.00-3.00  sec  1.38 MBytes  11.5 Mbits/sec
    [  4]  3.00-4.00  sec  1.12 MBytes  9.44 Mbits/sec
    [  4]  4.00-5.00  sec  1.00 MBytes  8.38 Mbits/sec
    [  4]  5.00-6.00  sec  1.00 MBytes  8.39 Mbits/sec
    [  4]  6.00-7.00  sec  1.00 MBytes  8.39 Mbits/sec
    [  4]  7.00-8.00  sec  640 KBytes  5.24 Mbits/sec
    [  4]  8.00-9.00  sec  1.00 MBytes  8.38 Mbits/sec
    [  4]  9.00-10.00  sec  896 KBytes  7.34 Mbits/sec

    [ ID] Interval          Transfer    Bandwidth
    [  4]  0.00-10.00  sec  10.6 MBytes  8.91 Mbits/sec                  sender
    [  4]  0.00-10.00  sec  10.5 MBytes  8.81 Mbits/sec                  receiver

    iperf Done.

    SERVER SIDE

    Server listening on 5201
    -----------------------------------------------------------
    Accepted connection from 192.168.50.102, port 50363
    [  5] local 172.16.1.10 port 5201 connected to 192.168.50.102 port 50364
    [ ID] Interval          Transfer    Bandwidth
    [  5]  0.00-1.00  sec  1.16 MBytes  9.71 Mbits/sec
    [  5]  1.00-2.00  sec  1.38 MBytes  11.6 Mbits/sec
    [  5]  2.00-3.00  sec  1.33 MBytes  11.1 Mbits/sec
    [  5]  3.00-4.00  sec  1.13 MBytes  9.44 Mbits/sec
    [  5]  4.00-5.00  sec  1.09 MBytes  9.13 Mbits/sec
    [  5]  5.00-6.00  sec  954 KBytes  7.81 Mbits/sec
    [  5]  6.00-7.00  sec  986 KBytes  8.07 Mbits/sec
    [  5]  7.00-8.00  sec  653 KBytes  5.36 Mbits/sec
    [  5]  8.00-9.00  sec  1020 KBytes  8.35 Mbits/sec
    [  5]  9.00-10.00  sec  795 KBytes  6.51 Mbits/sec
    [  5]  10.00-10.10  sec  130 KBytes  10.9 Mbits/sec

    [ ID] Interval          Transfer    Bandwidth
    [  5]  0.00-10.10  sec  0.00 Bytes  0.00 bits/sec                  sender
    [  5]  0.00-10.10  sec  10.5 MBytes  8.73 Mbits/sec                  receiver
    -----------------------------------------------------------
    Server listening on 5201

    Actually I think I'm getting confused here, the file transfer I get using Explorer is roughly 1.5MB/s

    1 MB/sec = 8Mbps,

    so 1.5MB/s x 8 = 12Mbps, which kind of means there is no problem. I just lacked the basic binary foundations; a network guy explained this to me, which kind of does add up.

  • One way IPSEC VPN 2.2.6

    3
    0 Votes
    3 Posts
    1k Views
    I

    Hi, thanks for the response.

    I do though.

    On both sides, I have the following:

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
    IPv4 * 172.16.10.0/24 * 172.16.20.0/24 * * none
    IPv4 * 172.16.20.0/24 * 172.16.10.0/24 * * none

    Is it indicative of something that on the working side, the rule matched does not appear to be one of these I manually added?

    ih

  • AWS/VPC Ipsec + BGP - 1 tunnel works, 2 tunnel disconnect every 40sec

    1
    0 Votes
    1 Posts
    707 Views
    No one has replied
  • L2TP/IPsec or IKEv2

    3
    0 Votes
    3 Posts
    2k Views
    V

    Thanks for your answer Jim! I'll try IKEv2 and the OpenVPN Clients then!

  • Connection to ASA 5580 with multiple remote subnets NATTING local subnet

    2
    0 Votes
    2 Posts
    656 Views
    L

    Today we were able to test. It just works!

    Lex

  • VPN - PFsense (Client) x Checkpoint (Server)

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Question about changing the interface of an IPSEC Connection

    3
    0 Votes
    3 Posts
    862 Views
    K

    Hi,

    Firewall -> Virtual IPs -> Create an IP Alias.

    .10 as interface IP
    .11 as Virtual IP

    In the IPsec configuration you can choose interfaces and virtual IPs.
    We are using different IPs for IPSEC, OpenVPN and NAT - works fine!

    Regards

  • IPSEC with IKEv2 and PSK

    5
    0 Votes
    5 Posts
    2k Views
    D

    Hi All,

    thanks for the answers. We decided to take IKEv1 … Now it is working. :)

    Regards,
    M

  • IPSec VPN Internal access

    5
    0 Votes
    5 Posts
    2k Views
    M

    @BlueKobold:

    If this will not help you out then you should better disable at home the VPN part if you are
    connecting to your home network internally.

    Really?  So because I didn't understand what you were talking about, you quit helping??  How RUDE!!!!

  • Re: IPSEC IKEv2 with EAP-MSCHAPv2 - Windows error 13801 [SOLVED]

    7
    0 Votes
    7 Posts
    4k Views
    B

    Reading again the whole documentation, experimenting almost everything, SOLVED by changing under

    Phase1
    General information
    Interface

    From WAN to 1.2.3.4 (Carp WAN IP)

    Can't understand why, but I started to try everything…

    Now it does not go online (internet) but it pings remote IPs... and I have to understand if it's possible, and how, to resolve some address using the remote local DNS... but it's another story.

    F

  • IKEv2 Disconnect after 20 minutes

    1
    0 Votes
    1 Posts
    859 Views
    No one has replied
  • IKEv2 Windows 13801 error

    3
    0 Votes
    3 Posts
    3k Views
    P

    Found out the trouble when another poster had a similar problem.  My error was that I had imported the server cert and not the CA cert.  Imported the CA cert into Trusted CA store and now progressing with authentication.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.