• 1 Votes
    12 Posts
    2k Views
    JonathanLeeJ
    My Android will not even connect to even external AP WiFi in 23.09. Other devices connect just fine.
  • 0 Votes
    4 Posts
    1k Views
    perikoP
    @anthony-breen If you are trying to work with another brand, add more algorithms in phase 1 and phase 2; if you don't have the doc where you can see what algorithm he needs, you need to do reverse engineering. Add more, maybe he is searching for less secure algorithms. The only issue is that if you are on pfSense 2.7.x and they request less secure algorithms, you will not be able to make it work.
  • IPSec Status on Dashboard Incorrect.

    1
    0 Votes
    1 Posts
    173 Views
    No one has replied
  • Mobile clients keep alive?

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • 2 separate phase1 tunnels to same remote IP

    2
    0 Votes
    2 Posts
    398 Views
    perikoP
    @dsmoljan not possible, I ask the same!!!
  • Create Interface for IPSec connection

    2
    0 Votes
    2 Posts
    214 Views
    No one has replied
  • pfSense to WatchGuard Firebox IPSec VPN

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • IPSEC with remote hosts with same Peer identifier

    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
  • IPSEC Mobile setup, cannot have more than one configuration.

    3
    0 Votes
    3 Posts
    409 Views
    perikoP
    @keyser It's a shame, but well, it's a feature that will be great to have. Anyway, thanks for your info!!!
  • Question about IPSEC site to site with Wireguard

    3
    0 Votes
    3 Posts
    607 Views
    K
    @periko Hi, thanks for the reply, I ended up just putting the IP of the FortiGate WAN IP and NAT
  • 0 Votes
    5 Posts
    581 Views
    H
    Got it, so it is not a must to have this for reaching the other side's computers :)
  • IPsec: Remote Access to Multi Site to Site.

    7
    0 Votes
    7 Posts
    753 Views
    H
    @HKFEVER Confused.
    Remote client's subnet is 192.168.5.0/24
    Site B IP is 28.37.35.162, subnet is 192.168.2.0/24:
    Tunnel B <-> C:
    P1 is connect to Remote Gateway 38.37.35.162
    P2 is connect to Remote Gateway's network 192.168.3.0/24 (this is Site A's subnet)
    For additional 2nd P2, what network should I put in?
    Tunnel B <-> A:
    P1 is connect to Remote Gateway 18.37.35.162
    P2 is connect to Remote Gateway's network 192.168.1.0/24 (this is Site A's subnet)
    For additional 2nd P2, what network should I put in?
    Site A IP 18.37.35.162, subnet is 192.168.1.0/24:
    Tunnel A <-> B:
    P1 is connect to Remote Gateway 28.37.35.162
    P2 is connect to Remote Gateway's network 192.168.2.0/24 (this is Site A's subnet)
    For additional 2nd P2, what network should I put in?
    Site C IP 38.37.35.162, subnet is 192.168.3.0/24:
    Tunnel C <-> B:
    P1 is connect to Remote Gateway 28.37.35.162
    P2 is connect to Remote Gateway's network 192.168.2.0/24 (this is Site A's subnet)
    For additional 2nd P2, what network should I put in?
  • IPsec Logging levels can no longer be changed..

    7
    0 Votes
    7 Posts
    562 Views
    jimpJ
    @keyser said in IPsec Logging levels can no longer be changed..:
        @jimp Hi Jimp. thanks for the insight and analysis. Will there be a patch for this in the patch tool?
    Yes, eventually, might be next week or later, but you can add in a manual entry now (copy/paste that diff above) and apply it now if you don't want to wait.
  • Not able to reach P2 Tunnel IPSec VPN From another FW

    6
    0 Votes
    6 Posts
    695 Views
    M
    @Redbob 172.24.38.1 doesn't have a route to 10.254.124.0/24. Your options are either to create static routes on each hop, or use dynamic routing protocols such as OSPF or BGP.
  • IPSEC with more than 1 Link WAN

    1
    0 Votes
    1 Posts
    166 Views
    No one has replied
  • IPSec disconnected after some time

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • IPSec Mobile client internet access

    8
    0 Votes
    8 Posts
    961 Views
    A
    Phase1 [images] Phase2 [images] Mobile Client section [images]
  • 0 Votes
    5 Posts
    1k Views
    H
    You might be able to make it work using Routed VTI interfaces. So you would need 3 distinct IPSec connections, one for each gateway. Each connection would be in Routed VTI mode under Phase2. You then define a /30 address space for each tunnel pair. You can then run OSPF on these "VTI" and assign different priorities. So when all is said and done, from your side, you would have 3 next hops to the remote network. If the IPSec tunnel is down to a gateway, obviously it won't show up in your routing table since the routing protocol would detect that. The routing protocol priority would determine which gateway you would use first if all 3 tunnels are up at the same time.
  • IPSEC site to site Openvpn site to site

    8
    0 Votes
    8 Posts
    812 Views
    V
    @jba Glad that you got it working. You're right, all subnets you want to connect across the IPSec need to be stated in a phase 2 as well.
  • Phase 2 error for IPSec Tunnel to Cisco Router

    2
    0 Votes
    2 Posts
    755 Views
    P
    Hi, I'm facing exactly the same issue. I presume that after 2 years, you found the root cause. Could it be possible to let us know the solution? Thanks for your feedback. Cheers.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.