• Help with Squid and IPSec

    0 Votes
    3 Posts
    2k Views
    @burlugoz: Services > Proxy server > General. You have to check the field "Bypass proxy for Private Address Space (RFC 1918) destination". If unsuccessful, input the address spaces of all your local networks (or just the LAN IPs of your routers) into the field "Bypass proxy for these destination IPs" (for example, "192.168.1.0/24;192.168.1.0/24" or "192.168.0.0/16"). Also check your NAT settings. It would be a good idea to configure Outbound NAT traffic rules manually. These settings work well for me: "Interface=WAN; Source=192.168.0.0/16; Source port, Destination address and Destination port=any; NAT address=WAN Address; Static port=YES". Good luck ;)

    Thank you! :D One last question: is it possible to set up Squid and SquidGuard at the main office and have all traffic pass through the IPsec VPN? I want to set up Squid and SquidGuard at the main office only and be able to filter through the VPN. Does that make sense?
  • 2.2.5: ikev2 tunnel up, but pfSense not responding to ARP request

    0 Votes
    3 Posts
    2k Views
    That did it! Proxy ARP to the rescue. Added the subnet under Virtual IPs and BAM! A tunnel I had previously established that was constantly pinging and printing failures all of a sudden started returning ping times. :D Thank you very much for the quick reply and the hint!
  • Site to Site Dropping

    0 Votes
    5 Posts
    1k Views
    @cmb: brevilo: your issue is different, please start your own thread. Fair enough. It looks similar to this and I'm gathering logs right now…
  • 2.2.1 multiple SAs and SPIs

    0 Votes
    12 Posts
    4k Views
    @brevilo: I'm still having connection issues after rekeying (incl. multiple SAs) with 2.2.5 at both ends. I understood that the workaround above shouldn't be required anymore. Is it still?

    No it's not. There are no longer any general issues along those lines (though any number of config issues could potentially result in symptoms like that). Start a new thread describing what you're seeing, and what your logs show.
  • Amazon Public IP for local network

    0 Votes
    2 Posts
    838 Views
    By "local network address", you mean the IP that actually gets assigned to the AWS instance? AWS doesn't allow that, it must be NATed.
  • Azure VPN - one one comms

    0 Votes
    2 Posts
    1k Views
    @ocset: Hi, I have successfully set up a VPN connection between my pfSense firewall and an Azure 2012 Server. I can see the server from within my network (ping, view shared folders etc.) but I am unable to see my network from the Server. The network setup is as follows:
    Office network - 192.168.0.0/24
    Azure network - 10.0.0.0/24 (IP range 10.0.0.4 - 10.0.0.254)
    Azure Subnet 10.0.0.0/27 (IP range 10.0.0.4 - 10.0.0.30)
    Gateway 10.0.0.32/29 (IP range 10.0.0.36 - 10.0.0.38)
    The Azure server has a DHCP address of 10.0.0.4 and a gateway of 10.0.0.1. I don't understand why a gateway of 10.0.0.1. Based on my network config above, I would have expected the gateway to be 10.0.0.36 or higher. I can't ping 10.0.0.1 but can ping 10.0.0.36 from both networks. I have tried changing the Server's default gateway to 10.0.0.36 without any luck. I have disabled the firewall on the Server and created a firewall IPsec rule on the pfSense box to allow all TCP/UDP traffic from everywhere on all ports. Still no luck. Anyone know what may be wrong? Thanks, O.

    Try setting your firewall rule to be for protocol "any" instead of TCP or UDP. That way pings can get through (they use ICMP). Also, does your LAN have a firewall rule allowing inbound traffic?
  • Unable to connect windows 7 client to l2tp/ipsec on pfsense

    0 Votes
    2 Posts
    2k Views
    L2TP/IPsec is troublesome. You are better off deploying IKEv2, which works fine with the client built in to Windows 7.
  • L2tp ipsec with native Windows 7 client & PSK, does it work?

    0 Votes
    3 Posts
    6k Views
    @doktornotor: Basically, no… https://redmine.pfsense.org/issues/475

    I hope this is no longer a limitation with pfSense 2.2. Reference: https://doc.pfsense.org/index.php/L2TP/IPsec I will try implementing it and see if it works.
  • IKEv2 and Active Directory

    0 Votes
    20 Posts
    14k Views
    @lctech Allowing to select multiple servers for your use case (load balancing, high availability) could be easily implemented because strongSwan can do that already. I opted against allowing multi-selection in April because in my understanding multiple defined servers would mean asking each of them in turn, which is what the xauth-generic script does. So the selection there would have been ambiguous.
  • VPN multi client to site IPsec

    0 Votes
    1 Post
    888 Views
    No one has replied
  • Lost of traffic on IPsec tunneling

    0 Votes
    2 Posts
    901 Views
    Not that I've seen or heard of. Check status on both sides, including the SPIs under Status>IPsec, SAD tab, which should match. Make sure you have DPD enabled on both sides. Beyond that, would need IPsec logs from both sides a bit before and after it stops working.
  • So now, with 2.2.5…does L2TP/IPSec work?

    0 Votes
    3 Posts
    898 Views
    Guide is on the wiki linked already. It works in some cases, not in others, all depends on the client. No better or worse on 2.2.5 than other 2.2.x releases. Some clients are OK, others (like Windows behind) are not. IKEv2 is the best way forward. Ignore L2TP/IPsec if at all possible.
  • Route specific traffic only through ipsec?

    0 Votes
    2 Posts
    963 Views
    Unfortunately that isn't possible with policy-based IPsec. It will grab anything and everything that matches the Phase 2 network(s), and will only accept traffic that matches the Phase 2 network(s). If we ever gain route-based IPsec (which we may, eventually, lots of us would like to see it) then it would be possible if both sides can do it.
  • Alix unstable under IPSEC Load on PFSense 2.2.5

    0 Votes
    6 Posts
    1k Views
    I cannot see what suggestions exactly you expect. There have been shitloads of complaints about strongswan since the 2.2 release. If you want a stable VPN, ditch this IPsec thing. Waste of time. (And, if throughput is your concern, then sorry to say but Alix is NOT a fit-for-purpose device in the first place. As noted above, with AES128 and cryptodev, the difference is absolutely marginal. If it was "pretty big" then you need to configure OpenVPN properly.)
  • Tunnel not stable

    0 Votes
    2 Posts
    1k Views
    I may have found my problem…looking like apinger and the draytek router. I'll report back if no avail. Cheers
  • 2.2.5: IPsec Mobile Client .. Ping Client From Network

    0 Votes
    1 Post
    647 Views
    No one has replied
  • Hub and Spoke help

    0 Votes
    4 Posts
    1k Views
    Nothing was wrong - it works! Menu: Status - IPSec: Disconnect/Reconnect have to be used! Uwe
  • [solved] Mobile stopped working after modem upgrade

    0 Votes
    5 Posts
    1k Views
    Thanks for the follow up. The ones that were working had to have been initiators rather than responders in that case, as your modem likely was only blocking inbound, not outbound, traffic.
  • Receive buffer too small, packet discarded. Can I edit strongswan.conf?

    0 Votes
    3 Posts
    2k Views
    @David_W: If possible, I would try to edit the configuration to reduce the maximum packet size needed. Indeed, ipfire is almost certainly doing something wrong, or has a poor config, where it's sending 10000+ bytes there. What David noted will work around the issue, and we ought to have that available as a tunable value. But you should really figure out why that's happening and fix the config on the ipfire side.
  • 0 Votes
    2 Posts
    780 Views
    Upon looking at this further, I can see that the phase two entry I set up is not coming up as the rest of the tunnels are. I have verified, by turning on logging on the pass rule on the LAN interface, that my traffic is hitting the pfSense box and that the traffic is being passed. What I can't find a way to see is where that traffic goes. Why doesn't the phase two entry come up after matching that traffic? I am digging into the IPsec logs, but it's difficult to read. There are a few tunnels working already, so there is a bunch of stuff in there.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.