  • IPsec failover (0 Votes, 2 Posts, 941 Views)
    jimp
    That is not currently possible if you go by IP address. If you can track it with dyndns, and the DNS record changes when the far side IP changes, that would work. It's not possible to put two peer IPs on the tunnel though so outbound failover wouldn't work that way either.
  • IPSEC not passing traffic after CARP fail over or restart (0 Votes, 1 Post, 853 Views)
    No one has replied
  • (0 Votes, 1 Post, 2k Views)
    No one has replied
  • Remote Office IPSEC with NAT (0 Votes, 1 Post, 920 Views)
    No one has replied
  • IPsec Tunnel Speeds - Identical Hardware (0 Votes, 2 Posts, 931 Views)
    C
    Hi, if both boxes are identical maybe the environments are not. How much CPU usage do you have at idle and while performing the speed test (on both sites)? Given you never reach line speed I suspect you hit 100% CPU usage.
  • Ipsec not passing traffic randomly (0 Votes, 1 Post, 713 Views)
    No one has replied
  • IPSEC - "The remote gateway… ... is already used..." (0 Votes, 1 Post, 813 Views)
    No one has replied
  • Need help on a tunnel (0 Votes, 2 Posts, 870 Views)
    C
    Your local subnet looks like 169.254.255.82/30. Per RFC 3927 this is a link local address which is not routable. Your remote subnet looks like 169.254.255.81/30. This is again link local, and on the same subnet of the local address. IPSec is supposed to connect two different subnets. What is your local LAN? What is your remote LAN (AWS)?
  • Routing Parallel Tunnels (0 Votes, 1 Post, 609 Views)
    No one has replied
  • Ipsec with NAT (0 Votes, 4 Posts, 2k Views)
    C
    dimmon, looks like your remote gateway and remote LAN are on the same network (i.e. 216.200.x.0/24). Another strange thing is the remote host you want to connect to is a public IP (216.200.x.5) which you could connect to directly without IPSEC. I think your setup should be something like this:

        local_lan      <-->  local_gw       pfsense  local_public_ip  <-->  remote_public_ip  remote_router  remote_gw  <-->  remote_lan
        10.20.30.0/24        10.20.30.40             ?.?.?.?                216.200.x.1                      x.x.x.x          x.x.x.0/24
  • (0 Votes, 11 Posts, 7k Views)
    BBcan177
    I am having a similar issue with an Ubuntu machine.

        A Network 10.10.1.0/24
        B Network 10.10.2.0/24
        C Network 10.10.3.0/24

    I have set up an IPsec VPN tunnel from A - B, and A - C (all pfSense boxes). I have an Ubuntu server on the A network and an Ubuntu machine on the B network. When I ping/ssh from the Ubuntu machine on B to the A network, I am getting a Host Unreachable/Destination Host Unreachable. The Ubuntu machine can resolve the host and IP, as is confirmed with a dig -x command. The Ubuntu machine on B can ping the local pfSense router and anything local or internet based, but it can't ping anything on the A network including the A router. All other devices have no issue, just this one Ubuntu machine. I have no issue with connectivity between the A and C networks. If I run this command on the Ubuntu machine in the B network:

        sysctl -w net.ipv4.ip_forward=1

    I can ping/ssh from A <-> B. The Ubuntu machine has one NIC and two additional for a TAP monitoring system, so they are set to:

        eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
                  inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.255.0
                  inet6 addr: xxxx::xxx:xxxx:xxxx:xxxx/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:750659 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:460220 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:122675477 (122.6 MB)  TX bytes:409259079 (409.2 MB)
                  Interrupt:19 Memory:f0180000-f01a0000

        eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
                  UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
                  RX packets:4857110 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:1017130172 (1.0 GB)  TX bytes:0 (0.0 B)
                  Interrupt:16 Memory:f0280000-f02a0000

        eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
                  UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
                  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
                  Interrupt:16 Memory:f0300000-f0320000

        lo        Link encap:Local Loopback
                  inet addr:127.0.0.1  Mask:255.0.0.0
                  inet6 addr: ::1/128 Scope:Host
                  UP LOOPBACK RUNNING  MTU:16436  Metric:1
                  RX packets:554233 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:554233 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:783922279 (783.9 MB)  TX bytes:783922279 (783.9 MB)

        route -n
        Kernel IP routing table
        Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
        0.0.0.0        xx.xx.xx.xx    0.0.0.0        UG    100    0        0 eth0
        xx.xx.xx.0     0.0.0.0        255.255.255.0  U     0      0        0 eth0
        169.254.0.0    0.0.0.0        255.255.0.0    U     1000   0        0 eth0

    So when "sysctl -w net.ipv4.ip_forward=1" is set, ping and ssh work but the traceroute doesn't seem as expected. I don't understand how the machine is forwarding when only one NIC has an address?

        PING xx.xx.xx.xx (xx.xx.xx.xx) 56(84) bytes of data.
        From xx.xx.xx.xx: icmp_seq=1 Redirect Host(New nexthop: xx.xx.xx.xx)
        64 bytes from xx.xx.xx.xx: icmp_req=1 ttl=63 time=46.8 ms

        traceroute xx.xx.xx.xx  (Traceroute from SO Sensor to SO Server)
        traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets
         1  xx.xx.xx.xx (xx.xx.xx.xx)  0.545 ms  0.532 ms  0.519 ms
         2  * * *
         3  * * *
         4  * * *
         5  * * *
         6  * * *
         7  * * *
         8  * * *
         9  * * *
        10  * * *
        11  * * *
        12  * * *
        13  * * *
        14  * * *
        15  * * *
        16  * * *
        17  * * *
        18  * * *
        19  * * *
        20  * * *
        21  * * *
        22  * * *
        23  * * *
        24  * * *
        25  * * *
        26  * * *
        27  * * *
        28  * * *
        29  * * *
        30  * * *

    There are no blocks in iptables and UFW is set to allow the connectivity.

    If anyone has any suggestions, I would appreciate it as I've tried several things to fix this issue without success.
  • Curl diag_ipsec.php (0 Votes, 1 Post, 772 Views)
    No one has replied
  • IPSEC NAT USING V2.1 - SOLVED! (0 Votes, 1 Post, 1k Views)
    No one has replied
  • One Nic install for VPN (0 Votes, 5 Posts, 2k Views)
    P
    As per the diagram above, I'm connecting from a remote client (192.168.1.0/24) to pfSense, which is on 192.168.0.0/24. The router pfSense is behind is 192.168.0.2. Also, the IPsec client will be 192.168.99.0/24. I added a rule on that router (192.168.0.2) so that anything for 192.168.99.0/24 is directed towards pfSense (192.168.0.110). Still, the VPN client (192.168.1.137, or virtually 192.168.99.1) cannot access anything on the other side of the tunnel, nor can a PC on the 192.168.0.0/24 network ping the client. I'm only concerned about the former though. Looks like it'll be a long weekend…
  • Traffic originated on pfsense to ipsec tunnel going through wan interface (0 Votes, 2 Posts, 829 Views)
    P
    Well, it seems that with OpenVPN I don't have this issue.
  • Default GW on WAN not reachable after adding GRE OPT1 (0 Votes, 2 Posts, 1k Views)
    B
    I've tried with a previous version of pfSense and I figured out the following: traffic from the internal network to outside stops working when I add this static route, which has the remote GRE IP address as gateway. To explain it a bit more (IP addresses are not real in the following example):

        WAN on my side 193.2.2.116 (IPSEC)
        GRE on my side 193.2.2.116
        WAN on provider side 89.22.33.233 (IPSEC)
        GRE on provider side 76.44.33.211

    I'm having both IPsec and GRE on the same FW, the provider does not, so IPsec needs to be established first for GRE to work. The problem here is that as soon as I enter this static route, like 10.20.40.64/27 via 76.44.33.211 (remote GRE), on my pfSense firewall, my default GW is not reachable anymore, so DNS queries, NTP, browsing etc. are impossible from the internal side. Traffic from outside still works, IPsec and GRE are up, but it's really annoying. I can't even update my Windows server behind pfSense. Any ideas, anyone?
  • Seeing outbound traffic in log, but can't connect to anything (0 Votes, 3 Posts, 1k Views)
    B
    No ideas? I just need some pointers on what to check. So far I've come up empty.
  • Two IPSec Tunnels Destined To Different IP's With Same Subnet (0 Votes, 1 Post, 1k Views)
    No one has replied
  • IPsec VPN with NAT/BINAT goes up and fails after 60 seconds (0 Votes, 2 Posts, 2k Views)
    M
    It seems to be related to: https://redmine.pfsense.org/issues/3321
  • Configuring IPSEC on WebGUI very slow to load on Pfsense 2.1 (0 Votes, 2 Posts, 1k Views)
    J
    Hi, I have found the SOLUTION to the problem. It was the failover configuration on the System > Routing > Groups tab. I removed the entries there temporarily as I'm only in a lab environment. I found the log using the following command:

        # clog /var/log/system.log | grep php