• NAT WG clients through IPSec site-to-site

    0 Votes
    1 Posts
    285 Views
    No one has replied
  • 0 Votes
    3 Posts
    641 Views
    planedrop
    Are both devices here pfSense? I've had a similar issue before where I was using the peer identifier as its IP address on an IPSec VPN and for some reason it would just not authenticate; manually specifying the same IP that was being used automatically ended up fixing the issue. It was a very odd bug (I would assume; I'm quite experienced with IPSec) from a while back. I ended up rebuilding the VPN recently but went back to using the peer IP and it authed totally fine. Are you on the latest pfSense? Here is my original post about this from a while ago; it may not be the exact thing you are facing but sounded similar. I never did get any replies to it (though I haven't encountered it again yet, so I'm not too worried about it unless yours ends up being the same issue). https://forum.netgate.com/topic/176502/had-to-manually-specify-identifier-ip-address-no-nat-involved-bug
  • Problem with centralized IPsec/OpenVPN mixed setup

    0 Votes
    1 Posts
    232 Views
    No one has replied
  • 0 Votes
    1 Posts
    269 Views
    No one has replied
  • IPSEC tunnel to Fortigate

    0 Votes
    3 Posts
    528 Views
    This is super odd, we are connected back and passing traffic out of the blue - could this be some really crazy ISP thing?
  • IPsec and Tailscale, not usual setup, not sure if its possible

    0 Votes
    1 Posts
    154 Views
    No one has replied
  • 0 Votes
    2 Posts
    307 Views
    Re: Netgate 6100 PfSense to Edgerouter Lite - IPSEC site-to-site - works with PSK but NOT with PKI / X509 If anyone comes across this, I was able to resolve it. The Edgerouter/EdgeOS software is picky about the names. On the PfSense side, the "My Identifier" field needs to be set as "FQDN", and must contain the SAN in the certificate. If there is no SAN, most likely the CN (common name) will work, as it did in another test. [image] Note that in my attached picture, the SAN (subject alternative name) LOOKS like a FQDN, but it is actually just a name. I hope this saves someone else 4 days of troubleshooting : )
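Added example, not code from the post, from pfSense or from EdgeOS: a small POSIX shell script that reads the certificate a tunnel will present and prints the value to put in pfSense's "My Identifier" field with type FQDN, applying the rule the post arrived at (the SAN dNSName if the cert has one, otherwise the subject CN). It assumes `openssl` 1.1.1 or newer on PATH; the self-signed certificate it generates and the names `gw-a`, `gw-a.example.net` and `gw-b` are constructed test material, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the post or from pfSense/EdgeOS.
# Derives the value for pfSense "My Identifier" (type FQDN) from a
# certificate: first SAN dNSName if present, otherwise the subject CN.
# Assumes openssl >= 1.1.1 on PATH. All names used here are constructed.
set -eu

# Constructed test material: a throw-away self-signed certificate.
#   make_test_cert <dir> <CN> <SAN-dNSName-or-empty>
make_test_cert() {
    if [ -n "$3" ]; then ext="-addext subjectAltName=DNS:$3"; else ext=""; fi
    # $ext is intentionally left unquoted so it splits into two arguments.
    openssl req -x509 -nodes -days 1 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -subj "/CN=$2" $ext \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# First SAN dNSName in the cert; prints nothing if the cert has no SAN.
san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# Subject CN (RFC 2253 formatting keeps "CN=value" free of spaces).
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# What to type into "My Identifier" (type: FQDN) for this certificate.
ike_identity() {
    id=$(san_dns "$1")
    [ -n "$id" ] || id=$(subject_cn "$1")
    printf '%s\n' "$id"
}

# Does the identifier a peer is configured with match its cert? (0 = yes)
check_peer_id() {            # check_peer_id <configured-id> <cert>
    [ "$1" = "$(ike_identity "$2")" ]
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_test_cert "$d" "gw-a.example.net" "gw-a"   # SAN is a bare name
    printf 'My Identifier (FQDN): %s\n' "$(ike_identity "$d/cert.pem")"
    rm -rf "$d"
fi
```

Run with `RUN_DEMO=1 sh script.sh` to see the identity for the constructed cert. The script prints `gw-a`, not `gw-a.example.net`: an IKEv2 ID of type FQDN (ID_FQDN in RFC 7296) is compared as an opaque string and is never resolved, which is why a SAN that merely looks like a hostname still works as the identifier, exactly as the post observed.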
  • ip sec tunnel is not establishing in wan environment

    0 Votes
    3 Posts
    507 Views
    @viragomann https://drive.google.com/file/d/1U4xVpBn2VD4lW1foMkEwjUCVFd-gpfTd/view?usp=drivesdk The firewall has started negotiating with the router next to it instead of the other pfSense firewall. In the red box there should be the IP address of the other firewall... please help
  • IPsec VPN between version 2.7.0-RELEASE and 2.4.0-RELEASE

    0 Votes
    2 Posts
    432 Views
    @will2liv said in IPsec VPN between version 2.7.0-RELEASE and 2.4.0-RELEASE: Router 1 which is remote and I don't have physical access to is running pfSense Version 2.4.0-RELEASE. The system says "The system is on the latest version." Did you try to select a newer branch in System > Update?
  • VPN Settings and Cryptographic Hardware

    0 Votes
    3 Posts
    544 Views
    @michmoor Thanks so much for the response. After further digging, it turns out that I was just being dumb and not paying attention to what I was doing. I was jumping from adapter to adapter, connection to connection, running around the building with my laptop. I didn't realize that the dock I had plugged into left me wireless. Once I figured out I was chasing my tail and wired myself, I was able to all but max out the connection at 35MB/s. I also looked, and one site is 500/500 and the other is 300/300, so the 35MB/s makes complete sense. With that said, I'm going to bump up the second site to 500/500 on Monday. Any suggestions on how to pair the IPsec settings with the settings for the cryptographic hardware?
  • 0 Votes
    2 Posts
    292 Views
    @aryanrai Did you add firewall rules to the IPSec interfaces to allow access from the other site? Or do you try to ping the LAN device in the other network? In this case you have to ensure that the device also allows access from a remote network. For testing disable its firewall.
  • W10 / Ikev2 + radius on PFSENSE

    0 Votes
    17 Posts
    2k Views
    Thanks @jimp - I found that out with additional reading, so changed tack and now am using OpenVPN with ESET Secure Authentication, which works well and provides convenient push authentication.
  • GRE tunnel question

    gre gif wireguard routing
    0 Votes
    2 Posts
    1k Views
    Just want to reply here with my discoveries, to save people the hassle of attempting this only to find out it does not work. There are two types of GRE tunnels, GRETAP and GRETUN; one supports layer 2 features such as broadcast/multicast and one does not. The pfSense implementation appears to use the latter, which does not support this feature; please see the following article for the difference: https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#:~:text=While%20GRE%20tunnels%20operate%20at,header%20in%20the%20inner%20header. You would need a local UDP relay instead (on the client side) to allow the client to relay these broadcast messages as unicast to a specific host. I struggled with this for Windows File Sharing (WS-Discovery) broadcast packets and ended up resorting to a script that auto-maps all network drives on successful client connection. Perhaps someone could get this working with L2TP on top of WireGuard? https://github.com/sparky3387/automapwireguard - Shameless plug of the automap script if someone else also needs this...
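Added example, my code rather than the poster's automap script or anything from pfSense: the kind of client-side UDP relay the post describes. It receives discovery datagrams on a local port (optionally joining a multicast group, since WS-Discovery actually uses 239.255.255.250 on UDP 3702) and re-sends each one unchanged as unicast to a host on the far side of a layer-3-only tunnel such as a gretun or WireGuard link. The WS-Discovery Probe payload is constructed sample data, `run_relay` and the far-side address in the comment are assumptions for illustration, and `loopback_selftest` exists only to exercise the relay offline.

```python
"""Relay link-local discovery datagrams as unicast across a layer-3 tunnel.

Added example, not code from the post or from pfSense. A gretun/WireGuard
link carries no broadcast or multicast, so a relay on the client re-sends
each discovery datagram as unicast to a chosen host on the far side.
"""
import socket
import struct

WSD_GROUP = "239.255.255.250"   # WS-Discovery IPv4 multicast group
WSD_PORT = 3702                 # WS-Discovery UDP port

# Constructed sample payload: a minimal WS-Discovery Probe (not captured traffic).
SAMPLE_PROBE = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"'
    b' xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"'
    b' xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery">'
    b'<soap:Header>'
    b'<wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action>'
    b'<wsa:MessageID>urn:uuid:00000000-0000-0000-0000-000000000001</wsa:MessageID>'
    b'<wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To>'
    b'</soap:Header><soap:Body><wsd:Probe/></soap:Body></soap:Envelope>'
)


def open_listener(port, group=None, iface="0.0.0.0"):
    """UDP socket bound to port; joins the multicast group if one is given.

    Keep iface at 0.0.0.0 when joining a group: binding to a unicast address
    stops the kernel delivering group-addressed datagrams on Linux.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((iface, port))
    if group:
        mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s


def relay_once(listener, sender, target, drop_from=(), max_len=65535):
    """Forward one datagram from listener to target, unchanged.

    Returns (source_address, bytes_forwarded). Datagrams whose source host is
    in drop_from are discarded: pass the far-side host there so a relay on
    each end does not bounce the same unicast back and forth forever.
    """
    data, src = listener.recvfrom(max_len)
    if src[0] in drop_from:
        return src, 0
    return src, sender.sendto(data, target)


def run_relay(target_host, port=WSD_PORT, group=WSD_GROUP):
    """Relay forever: local discovery traffic on :port -> target_host:port."""
    listener = open_listener(port, group)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        src, n = relay_once(listener, sender, (target_host, port),
                            drop_from=(target_host,))
        print(f"{src[0]}:{src[1]} -> {target_host}:{port} ({n} bytes)")


def loopback_selftest():
    """Exercise relay_once over loopback with the constructed probe.

    Returns (bytes_forwarded, payload_seen_at_target, bytes_when_loop_guarded).
    """
    listener = open_listener(0, iface="127.0.0.1")   # port 0: kernel picks one
    target = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    target.bind(("127.0.0.1", 0))
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.settimeout(5)
        target.settimeout(5)
        dest = target.getsockname()
        client.sendto(SAMPLE_PROBE, listener.getsockname())
        _, forwarded = relay_once(listener, sender, dest)
        received, _ = target.recvfrom(65535)
        client.sendto(SAMPLE_PROBE, listener.getsockname())
        _, dropped = relay_once(listener, sender, dest, drop_from=("127.0.0.1",))
        return forwarded, received, dropped
    finally:
        for s in (listener, target, sender, client):
            s.close()


if __name__ == "__main__":
    fwd, got, dropped = loopback_selftest()
    print(f"forwarded {fwd} bytes, target saw {len(got)} bytes, "
          f"loop guard dropped {dropped}")
    # Real use (assumed far-side host address): run_relay("10.8.0.1")
```

This covers only the outbound half: the far side's unicast reply (a ProbeMatch, for WS-Discovery) comes back to the relay's sending socket, not to the original client, so a working setup also needs the return path handled, which is the part the post found hard enough to abandon in favour of mapping drives by script.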
  • IPsec VTI with Dynamic Peer

    0 Votes
    2 Posts
    789 Views
    jimp
    That is expected and noted in the GUI: [image] There is also more detail in the docs: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#ike-endpoint-configuration
  • Azure Pfsense IPSec to local pfsense

    0 Votes
    2 Posts
    415 Views
    @gorberus Is the local unit able to route to the internet using the second card?
  • VTI not loading tunnel address after upgrade to 2.7

    vti ipsec
    0 Votes
    2 Posts
    908 Views
    @Topogigio the problem persists. After a few days pfSense stops binding the IP address on the established tunnel interface. I've started to build a new opnSense gateway, but if there is some pfSense solution I'll be happy
  • VPN IPsec pfsense to fortigate with failover routing

    0 Votes
    2 Posts
    478 Views
    @jto82 You may use OSPF, not static; then it will be easy.
  • 0 Votes
    4 Posts
    1k Views
    @Moses_Kabungo said in Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address: no CHILD_SA built From this error message, I'd assume that there is something wrong with the phase 2 configuration. But I don't know what you've set there.
  • Full tunnel VPN via Intune problems

    0 Votes
    1 Posts
    345 Views
    No one has replied
  • Have trouble to access Office pfsense IPsec setup, please help

    0 Votes
    5 Posts
    1k Views
    @HKFEVER Fail, if I try to connect to Office's pfSense IPsec from WIN11 through the Home router gateway with NordVPN on! OK, if I connect to Office's pfSense IPsec from WIN11 through the Home router gateway with NordVPN off :) But then, after connecting, WIN11's gateway becomes Office's pfSense default gateway, which doesn't exit out through Office's pfSense's NordVPN setup! If I uncheck "Use default gateway on remote network" in WIN11's Advanced TCP/IP Settings, then the gateway will become WIN11's NIC gateway, with which, in theory, I can use the NordVPN app in WIN11. I didn't try yet, as I'm too busy :( Here is the new question: How can I set WIN11's Internet requests to go through a "home or some cafe shop's" gateway to Office's pfSense and exit out to the internet through Office pfSense's NordVPN setup? I have spent too long trying to figure out the rules in pfSense and still no go. Maybe I need to find professional help :(
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.