@Hugh:

Can you confirm that you push the traffic levels you are hoping for without the VPN involved?

If you SSH in or look in the console, run ifconfig, what do your options look like:

options=60009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,rxcsum_ipv6,txcsum_ipv6>Have a look at:

https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

I'm suggesting that you might be having issues with the TSO and LRO areas.  Here is the full output of ifconfig:

[2.1.5-RELEASE][admin@pfSense.conway.local]/root(1): ifconfig
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:88:5d:36
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
        inet6 fe80::250:56ff:fe88:5d36%em0 prefixlen 64 scopeid 0x1
        nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether f8:e4:fb:22:40:ee
        inet 72.92.54.39 netmask 0xffffff00 broadcast 72.92.54.255
        inet6 fe80::fae4:fbff:fe22:40ee%em1 prefixlen 64 scopeid 0x2
        nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:88:08:18
        inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
        inet6 fe80::250:56ff:fe88:818%em2 prefixlen 64 scopeid 0x3
        nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
        options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33144
enc0: flags=41 <up,running>metric 0 mtu 1536
ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::250:56ff:fe88:5d36%ovpns1 prefixlen 64 scopeid 0x9
        inet 10.8.0.1 –> 10.8.0.2 netmask 0xffffffff
        nd6 options=3 <performnud,accept_rtadv>Opened by PID 81705
ovpns2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::250:56ff:fe88:5d36%ovpns2 prefixlen 64 scopeid 0xa
        inet 10.0.2.1 --> 10.0.2.2 netmask 0xffffffff
        nd6 options=3 <performnud,accept_rtadv>Opened by PID 86563
ovpns3: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::250:56ff:fe88:5d36%ovpns3 prefixlen 64 scopeid 0xb
        inet 10.8.8.1 --> 10.8.8.2 netmask 0xffffffff
        nd6 options=3 <performnud,accept_rtadv>Opened by PID 90177
ovpns4: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::250:56ff:fe88:5d36%ovpns4 prefixlen 64 scopeid 0xc
        inet 10.8.1.1 --> 10.8.1.2 netmask 0xffffffff
        nd6 options=3 <performnud,accept_rtadv>Opened by PID 94308

Right now none of the OpenVPN servers are actively used.

Thanks!

What sort of network cards are you using under ESXi, what have you setup under FreeBSD?</performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></up,running></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,rxcsum_ipv6,txcsum_ipv6>

Thanks Hugh for the reply.  Without the VPN tunnel I can download via web server at 4.1 MB/s from one location to the other.  I am using Intel Pro/1000 VT quad port nics in each ESXi host.

Both TSO and LRO boxes are checked on each side

@cmb:

I just reconfigured the LAN interface on pfsense to use a subnet mask of 255.255.255.0, which got propagated to the clients via DHCP, and now 10.0.0.5 is also having a mask of 255.255.255.0. And now I can fully access this host via IPSec!! :)

Thanks alot for your help, much appreciated :)

You could hack in BIRD if you wanted, but Quagga is already in packages for OSPF and would be a better option since it's integrated. That's an option with IPsec transport mode and GRE or gif, or OpenVPN.

That's never necessary, the connection(s) where you make changes get reloaded and only those connections. Restarting the service will drop all your VPNs.

Hi

Did you have any luck with this? I am having the same trouble with a SSG20.

Your P2s to the remote sites, and the mobile clients, must include the remote networks and the mobile IPsec network.

The section you're referring to is for site to site VPNs. Those either require a hostname or IP for the remote. For mobile clients, you want mobile IPsec which is separate.

What do your IPsec logs show for that connection?

Only way a VPN can be disabled is an admin going in and checking that box. Go to Diag>Backup/restore, config history tab, and you'll be able to find who did it assuming it wasn't a bunch of revisions in the past.

Hi,

I have the same scenario, but my IPSEC tunnel is not working, bernikm can you help me posting your config?

Thanks

Hi,
did you find any suitable solution to your issue?

I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since Ssptember I have not a single comment.  :(

Hi,
did you find any suitable solution to your issue?

I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since Ssptember I have not a single comment.  :(

It seems nobody knows about this problem, except we two.

Ok, problem solved.

How I missed it, I don't know, but the problem was DNS. I forgot to add UDP to the IPSec rule on the firewall. Doh!  :-[

It's exactly like a normal site-to-site IPsec setup, but the dynamic site needs a DynDNS host setup, and the other end uses that for the remote peer address.

I have the same problem. I haved stablished the tunnel, and from pfsense the ping return.

I have presented a different network to mine. but not how to do NAT. Can you give an example? Please

example my configuration Phase 2
Local network (UP) 192.168.1.2/32
local network nat (down) 10.0.0.2/32
remote network 10.22.0.0/20

Thanks,

@starkiller:

        my_identifier keyid tag "VPN";         peers_identifier keyid tag "VPN";

I know this a reply to an old post but I think the my_Identifier KeyID tag should be different to the peers_Identifier KeyID tag.

I think I am having the same problem.

I added a second WAN (ATT) and changed the default gateway to the new ISP (ATT) and modified the rule for ipsec to use the SONIC gateway.

When the default is set to ATT mobile IPSEC fails.
When the default is set to SONIC it has no issues.

Check at Untangle, must be something block IPSec tunnel to establish