• Uni-directional traffic with NAT IP via IPSec VPN
    0 Votes, 12 Posts, 1k Views

    @mralvi22244
    As I wrote, the above with BINAT in IPsec is meant for policy-based tunnels.

    The last one, I think, has to be configured with VTI.
    However, I'm unsure if it will work with the stated local / remote addresses, 192.168.227.253 / 10.10.10.10. According to the pfSense docs both addresses have to be within a (transit) network. But yours obviously aren't. I don't think that IPsec can do PPP.
    But these are the data you stated.

  • (yet another) IPsec throughput help request
    0 Votes, 21 Posts, 2k Views

    @NOCling said in (yet another) IPsec throughput help request:

    How do you move your data?

    rsync - have tried both an NFSv4 mount and over ssh (for testing purposes)

  • AWS IPSec connection in only one interface
    0 Votes, 1 Post, 194 Views. No one has replied
  • IPSec local subnet behind router
    0 Votes, 7 Posts, 737 Views
  • ipsec site to site config connects but no ping
    0 Votes, 2 Posts, 360 Views

    @JustSumDad no need to mask RFC1918 addresses.

    Ping is NOT a TCP/UDP action. It's ICMP. That's why they aren't passing.

  • VLAN pfsense and mikrotik VPN
    0 Votes, 1 Post, 177 Views. No one has replied
  • Custom NAT-T port for remote gateway not taken into account
    0 Votes, 5 Posts, 995 Views

    @viragomann

    It's working fine with leaving the Remote IKE port field blank.
    Now Server A is using the custom NAT-T port as intended.

    Thanks for your help.

  • Source IP of VPN traffic being changed
    0 Votes, 8 Posts, 853 Views

    @viragomann I don't know when or why I set that, but I removed it and that appears to have resolved the issue.

    Thank you!!! I don't think I'd have ever figured this out on my own.

    LAN gateway2.png

  • Road Warrior <-> Site A <-> Site B
    0 Votes, 1 Post, 244 Views. No one has replied
  • No AES-GCP offloading?
    0 Votes, 1 Post, 229 Views. No one has replied
  • 0 Votes, 1 Post, 233 Views. No one has replied
  • Problem with a IP
    0 Votes, 1 Post, 198 Views. No one has replied
  • Site-to-Site with routing Internet traffic
    0 Votes, 1 Post, 229 Views. No one has replied
  • IPSec with dual WAN
    0 Votes, 6 Posts, 849 Views

    @thomaspsimon said in IPSec with dual WAN:

    @NOCling said in IPSec with dual WAN:

    Have you tried enabling the MOBIKE option on both sites?

    Tried, but no luck.

    The issue here is that Local Host is not changing from the failed WAN IP to the failover WAN IP automatically; without that it will not happen, if I am not wrong. Please see the screenshot.

    Branch IPSec.JPG

    It seems the link https://redmine.pfsense.org/issues/13076 talks about the same issue, and an edit to the rc.ipsec file fixes it.

    But I didn't get how to make that edit.

  • IPSec VTI routing issue
    0 Votes, 1 Post, 268 Views. No one has replied
  • IPsec performance problems or BUG?
    0 Votes, 2 Posts, 335 Views


    @iulianteodor
    Lots of variables. You're going to need to add some more details. Policy based or routed? What's the other endpoint? Any NAT involved, etc...

  • 2 Clients Connecting from Same Public IP Fail
    0 Votes, 4 Posts, 512 Views


    @jimp said in 2 Clients Connecting from Same Public IP Fail:

    Do you have hybrid or manual outbound NAT rules that setup static source port for 4500? That shouldn't be necessary and may be interfering with the clients.

    NAT-T works fine with a randomized source port, so having outbound NAT preserve a static source port could break it for multiple clients.

    I do not, but I suspect the provider at our DC does?

    Reading up on it, it sounds like they’ve turned on some kind of IPSec pass through / helper feature on their side…which is not helpful!
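
    A small model of the NAT behaviour described in jimp's reply, as an added example (not pfSense code, and not the provider's actual helper): the addresses are constructed from the RFC 5737 documentation ranges, and the preserve_port policy is an assumption that stands in for a static-port outbound NAT rule or a pass-through helper that pins UDP/4500. With a randomised source port each client gets its own outside port and the server's replies demultiplex correctly; with the port pinned, the second client takes over the single (public IP, 4500) slot and the first client's replies are delivered to the wrong host.

```python
# Added example (not pfSense code). Addresses are constructed from the
# RFC 5737 documentation ranges; preserve_port=True is an assumption that
# models a static-port outbound NAT rule or a pass-through helper pinning
# UDP/4500, where a newer flow takes over an already-used outside port.
from dataclasses import dataclass, field

NAT_T_PORT = 4500            # UDP port for NAT-T (IKE and UDP-encapsulated ESP)
PUBLIC_IP = "203.0.113.10"   # the one public IP both clients sit behind
VPN_SERVER = "198.51.100.5"  # the pfSense mobile IPsec endpoint
CLIENT_A = "192.168.1.10"
CLIENT_B = "192.168.1.11"


@dataclass
class Nat:
    """Toy UDP NAT keyed on (outside port, remote ip, remote port)."""
    public_ip: str
    preserve_port: bool
    table: dict = field(default_factory=dict)    # key -> (inside ip, inside port)
    evicted: list = field(default_factory=list)  # flows that lost their slot
    next_port: int = 40000                       # deterministic stand-in for a random pick

    def translate(self, ip, port, rip, rport):
        """Outbound packet from (ip, port) to (rip, rport): return the public tuple."""
        flow = (ip, port)
        for key, mapped in self.table.items():
            if mapped == flow and key[1:] == (rip, rport):
                return self.public_ip, key[0]        # existing mapping, reuse it
        if self.preserve_port:
            out_port = port                          # forced: outside port == inside port
            key = (out_port, rip, rport)
            if key in self.table:
                self.evicted.append(self.table[key])  # collision: previous owner loses
        else:
            out_port, self.next_port = self.next_port, self.next_port + 1
            key = (out_port, rip, rport)
        self.table[key] = flow
        return self.public_ip, out_port

    def untranslate(self, out_port, rip, rport):
        """Reply from (rip, rport) to public_ip:out_port -> inside host, or None."""
        return self.table.get((out_port, rip, rport))


def two_clients(preserve_port):
    """Two clients behind one NAT both start NAT-T to the same VPN server."""
    nat = Nat(PUBLIC_IP, preserve_port)
    pub_a = nat.translate(CLIENT_A, NAT_T_PORT, VPN_SERVER, NAT_T_PORT)
    pub_b = nat.translate(CLIENT_B, NAT_T_PORT, VPN_SERVER, NAT_T_PORT)
    # The server answers each client at the public ip:port it saw the request from.
    return {
        "outside_ports": (pub_a[1], pub_b[1]),
        "reply_for_a_reaches": nat.untranslate(pub_a[1], VPN_SERVER, NAT_T_PORT),
        "reply_for_b_reaches": nat.untranslate(pub_b[1], VPN_SERVER, NAT_T_PORT),
        "evicted": list(nat.evicted),
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("preserve_port=%s -> %s" % (policy, two_clients(policy)))
```

    The same collision applies to UDP/500 before NAT detection moves the exchange to 4500, which is why the check is worth running on every NAT in the path, not only the one you administer.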

  • IOS On Demand VPN
    0 Votes, 6 Posts, 1k Views


    @TheWaterbug

    You'll need a few things; it might seem like a lot, but it's actually quite easy with the pfSense IPsec wizard!

    Set up your VPN settings in pfSense for the IPsec tunnel to use EAP-TLS, i.e. this is using a CA that you set up, a cert for the IPsec server, and a cert for each client. Download the config with the pfSense package "ipsec-profile-wizard". Test that this config works by loading that .mobileconfig onto your phone.

    https://www.derman.com/blogs/iOS-IPSec-VPN-OnDemand-Setup

    Section 3 there, "3. Import the IPSec VPN configuration profile onto the iPhone", provides instructions for Apple Configurator, or just emailing it to yourself.

    Once you've got the above working nicely, you know you have a secure VPN with cert-based auth, and you can add in the few lines that I posted above to the .mobileconfig file, and then upload that to the phone in question.

    N.B.

    You MIGHT have to "Supervise" your iPhone for this to work...
    For "Always On VPN" you 100% need it supervised, but I THINK that with "On Demand VPN" you don't have to.

    https://www.miradore.com/knowledge/ios/enable-supervised-mode-on-ios-device-using-apple-configurator/

    That should get you started.

  • IPSec performance
    0 Votes, 3 Posts, 547 Views


    @stbellcom said in IPSec performance:

    Hello,

    I currently have two Netgate 6100s set up in the lab, connected to each other via 2.5 Gb/s, and then running an IPsec VTI tunnel over this connection.

    On each end I also have two PCs with 2.5 Gb/s running iperf3 for testing.

    About the best speed I can get is around 1.01 Gbits/sec, though the Netgate spec says it should be around 1.8 Gbits/sec for the 6100.

    I have tried the recommended settings from this page:

    https://docs.netgate.com/pfsense/en/latest/vpn/performance.html#optimal-encryption-settings

    And a bunch of less secure ones with QAT | AES-NI enabled/disabled, without much change.

    Is it realistic to be getting 1.8 Gbits/sec in a lab setup, and does anyone have recommendations on which encryption cipher to use to get raw speed through the VPN?

    Thanks

    Can you get the 1.8 Gbps with just NAT?

    i.e. get rid of the IPsec tunnel, port forward the iperf ports and just sanity check that the bandwidth is good for that?

    Would be a good step to test to ensure the path is set up correctly for over-gigabit speeds.

  • Mobile IPSec VPN On Demand from iOS/macOS?
    0 Votes, 2 Posts, 418 Views


    @TheWaterbug said in Mobile IPSec VPN On Demand from iOS/macOS?:

    This may be more of an iOS question than a pfsense/IPSec question, but is there a known way to have an iOS/macOS device automatically connect to my pfsense 2.60CE IPSec endpoint, but only when attempting to connect to specific IP addresses inside that LAN?

    For example, I currently have my security camera system port forwarded in from ACMERocketCars.dyndns.org:80 to 192.168.50.3:80. That's on a separate subnet, firewalled off from all my critical infrastructure, but it still seems a bit scary to have a machine widely exposed on the internet.

    I already have a mobile IPSec tunnel set up that works from both my macOS devices and my iOS devices, but I have to "dial" it manually every time, which is inconvenient any time I want to just quickly check a camera.

    Is there a recipe for creating a configuration file that I can load on my macOS and iOS that auto-dials my VPN connection if I attempt to access 192.168.50.3:80, and then drops the connection if there's no traffic in X minutes?

    Yes take a read of this: https://github.com/nerd-one/VPN-OnDemand/blob/master/VPN%20OnDemand.mobileconfig

    And my post here which shows where the code goes:

    https://forum.netgate.com/topic/181588/ios-on-demand-vpn
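
    The profile edit that both the "IOS On Demand VPN" answer and the question above describe, as an added example (not pfSense/Netgate code and not the posters' own .mobileconfig files): it builds a minimal certificate-authenticated IKEv2 payload of the shape the ipsec-profile-wizard exports, attaches the On Demand rules, and checks the result. Assumptions: the server name vpn.example.org, the identity phone1@example.org, the SSID "HomeWiFi", the internal name cameras.example.lan and every UUID are placeholders, and the PKCS#12 client-certificate payload is referenced by UUID only. On Demand rules match DNS domains, SSIDs and interface types rather than destination IP addresses, so the example keys the trigger on a DNS name for the camera host rather than on 192.168.50.3 directly.

```python
# Added example, not pfSense/Netgate code and not the posters' own profiles.
# Assumptions: vpn.example.org, phone1@example.org, the SSID "HomeWiFi",
# cameras.example.lan and all UUIDs are placeholders; the PKCS#12 client
# cert payload is referenced by UUID only (a real wizard export carries it).
import copy
import plistlib
import uuid

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"
ON_DEMAND_ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}


def new_uuid():
    return str(uuid.uuid4()).upper()


def base_ikev2_profile(server="vpn.example.org", local_id="phone1@example.org"):
    """Minimal certificate-authenticated IKEv2 VPN payload with placeholder values."""
    vpn_payload = {
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.vpn.ikev2",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Home IPsec",
        "UserDefinedName": "Home IPsec",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "Certificate",
            "ExtendedAuthEnabled": 1,              # EAP with the client cert (EAP-TLS)
            "PayloadCertificateUUID": new_uuid(),  # would point at the PKCS#12 payload
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.vpn",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Home IPsec (On Demand)",
        "PayloadContent": [vpn_payload],
    }


def vpn_payloads(profile):
    return [p for p in profile["PayloadContent"] if p.get("PayloadType") == VPN_PAYLOAD_TYPE]


def add_on_demand(profile, trusted_ssids, domains, idle_seconds=600):
    """Attach On Demand rules to every VPN payload and return the profile.

    iOS walks the rules top to bottom and applies the first match:
      1. on a trusted SSID (already on the home LAN) -> Disconnect
      2. elsewhere -> EvaluateConnection: raise the tunnel only when one of
         `domains` fails to resolve (ConnectIfNeeded), which an internal-only
         name does from outside; other traffic never triggers it
      3. catch-all with no match keys -> Ignore (leave the current state alone)
    DisconnectOnIdle drops the tunnel after `idle_seconds` without traffic.
    """
    rules = []
    if trusted_ssids:
        rules.append({"Action": "Disconnect", "SSIDMatch": list(trusted_ssids)})
    rules.append({
        "Action": "EvaluateConnection",
        "ActionParameters": [{"Domains": list(domains), "DomainAction": "ConnectIfNeeded"}],
    })
    rules.append({"Action": "Ignore"})
    for p in vpn_payloads(profile):
        p["OnDemandEnabled"] = 1
        p["OnDemandRules"] = copy.deepcopy(rules)
        p["IKEv2"]["DisconnectOnIdle"] = 1
        p["IKEv2"]["DisconnectOnIdleTimer"] = int(idle_seconds)
    return profile


def check_on_demand(profile):
    """Return the problems found (an empty list means the rule set looks sane)."""
    problems = []
    for p in vpn_payloads(profile):
        rules = p.get("OnDemandRules", [])
        if p.get("OnDemandEnabled") != 1 or not rules:
            problems.append("on demand not enabled")
            continue
        if any(r.get("Action") not in ON_DEMAND_ACTIONS for r in rules):
            problems.append("unknown rule action")
        if len(rules[-1]) != 1:  # only an Action key: matches every network
            problems.append("last rule is not a catch-all")
    return problems


def to_mobileconfig(profile):
    """XML plist bytes, ready to import via Apple Configurator or by mailing it."""
    return plistlib.dumps(profile, sort_keys=False)


def roundtrip(profile):
    """Serialise and parse back to prove the plist is well formed."""
    return plistlib.loads(to_mobileconfig(profile))


if __name__ == "__main__":
    prof = add_on_demand(base_ikev2_profile(), ["HomeWiFi"], ["cameras.example.lan"], 300)
    print(check_on_demand(prof) or "rules OK")
    print(to_mobileconfig(prof).decode())
```

    The trailing catch-all rule matters: without one, a network that matches nothing leaves the previous On Demand state in place, which is the kind of surprise the check_on_demand function is there to catch before the profile is pushed to a phone.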

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.