Ok so I do understand the basics of setkey after I have been reading up on this all day. But I can't seem to add any entries. It doesn't matter what I type into the command line the only response I get is: setkey: No match. I am trying to setup the captive portal on the OPT1 interface, but because the interface is not reachable because I have an IPSec tunnel from the interface the captive portal does not work. My interface is IP: 10.11.15.1/24 Could someone please help me out with the command for setkey? Thanks

yes, there I created a any-any-any rule so it's not blocked by firewall (normally) When I start debug on te SRX side I see that traffic is going into the tunnel, but not coming out on other side :-)

now I check the Virtual IP bug look the responder only mode and all other points from this Post on last Days. I have no clue what ist wong after the update to 2.2.1 always wrong remote address ??? Thanks for your Help

thanks everyone! We use VPN tunnels to a lot of 3rd party devices, including ASA, Fortigate, Sonicwall, Palo Alto, etc. I can confirm that you don't need Route-based or Policy-based on both end, it's only matter locally. well, for now, we can go with Policy-based, once there is a need, I'll look into these options again.

I have fixed it. Just restart the Fritzbox. There was no issue in my config.

Because they do not match!

Hmmm… so post some logs about how's it now working.

You should be able to do this on a Cisco router, I've done it on ASAs. Quick google turns up this, which may help: http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping.html

Just when you think there's no options left you solve it on your own ;-) I ended up setting up another pfSense just for IPSec and 1:1 NAT all ports/protocols for IPSec from the primary pfSense to it. I added a second network interface with an IP in the 100.72.13.160/29 subnet to the new pfSense vm and created the IPSec connection like I did before. We then set up another database VM with its primary network interface also in that subnet and the IP of the new pfSense as gateway. Everything was working as expected from then. I ended up having a lot of TCP:RA drops and blocks from another remote location connected via OpenVPN on another VM (but in the same VLAN) which was solved by setting the firewall mode to conservative. Any idea why that is needed?

It turned out that the internet connection I use from home already employs IPSec/L2TP to create a tunnel via die wireless services the ISP uses, so instead of figuring out which PMTU, icmp and MTU and whatever else to use, the tunnel was simple established from my Mikrotik router instead of from my laptop, which works 100%. If I'm on the road then the tunnel from my laptop works fine.