• Windows Dropping Mobile IKEv2 on Idle After Upgrading From 2.6 to 22.05

    1
    0 Votes
    1 Posts
    670 Views
    No one has replied
  • Slow IPSEC - Strange behavior

    7
    0 Votes
    7 Posts
    2k Views

    @itou-0 glad to hear it but that doesn’t make much sense. The drive isn’t involved in routing unless the firewall rule is logging every packet. (Shrug). Maybe the drive was dying?

  • IPSEC cant connect auto 1 time week

    2
    0 Votes
    2 Posts
    1k Views

    The log
    the problem is in con4

    pfsense_erro_ipsec.txt

    Can someone help?

  • IPSec multiple logins

    2
    0 Votes
    2 Posts
    793 Views

    Hi Jeff
    In the Advanced Settings tab of the IPSec tunnel, under Advanced IPSec Settings, change "Configure Unique Ids as" from Yes to Never.

    This should ensure that each new connection doesn't kill the previous connection for the same user.

    Kind Regards

    Description of Setting

    "Whether a particular participant ID should be kept unique, with any new IKE_SA using an ID deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new IKE_SA using the same ID is almost invariably intended to replace an old one. The difference between no and never is that the old IKE_SAs will be replaced when receiving an INITIAL_CONTACT notify if the option is no but will ignore these notifies if never is configured. The daemon also accepts the value keep to reject new IKE_SA setups and keep the duplicate established earlier. Defaults to Yes."

  • Routing Internet Traffic Through a Site-to-Site IPsec Tunnel

    4
    0 Votes
    4 Posts
    1k Views

    @geyser
    So the remote site says that it doesn't accept the additional phase 2.
    So I'd suspect that it's not configured there or has different parameters.

  • Switch from Tunnel to VTI mode

    2
    0 Votes
    2 Posts
    1k Views

    Changing the MTU to 1460 & MSS to 1432 solved the problem

  • VTI with BGP (FRR package 1.1.1_7) on pfSense 2.6.0

    3
    0 Votes
    3 Posts
    1k Views

    I had similar problems and changing the MTU to 1472 allowed traffic to pass

  • IPsec VTI - no traffic received

    19
    0 Votes
    19 Posts
    2k Views

    @dehaas I had similar problems and changing the MTU to 1472 allowed traffic to pass

  • Ping remote connection from LAN

    7
    0 Votes
    7 Posts
    1k Views

    @dalicollins
    I am just trying to ping both ways. I can ping from the Windows client to the pfSense box, but not from the LAN on the pfSense box to the client. The client is on its own dynamic IP network with a small router. The router has IPsec passthrough enabled.
    I added the following IPsec rule and Phase 2 Tunnel
    VPN9.jpg
    VPN10.jpg

  • IPsec to LAN connection

    1
    0 Votes
    1 Posts
    644 Views
    No one has replied
  • Cannot get to shared folders

    29
    0 Votes
    29 Posts
    3k Views

    @dalicollins
    pfSense can handle all this pretty well. It gives you full control over which traffic to route out to which gateway. You can determine this by source IP and/or ports, or destination IP and/or ports, or both.
    Just a few firewall rules in a single place.

    And the nicest part, it can failover the upstream traffic to the other WAN in case of a dropout of the primary connection. Also it's possible to load balance all upstream traffic permanently.

    I can't see any reason for running an additional router for VPN only.

  • IPSEC VPN Failing with invalid ID_V1

    3
    0 Votes
    3 Posts
    1k Views

    UPDATE:

    Possibly one more clue to the puzzle. Looking at the status page of the local side when trying to connect, this is what I end up seeing:

    local_ipsec_status_page_connecting.jpg

    There ends up being 2(!) connections which show up. The only difference appears to be the "NAT-T" behind the host on the generated connection. I'm guessing that's because it's detecting a NAT at the remote end? Possibly the ISP using NAT and screwing up the communication between both points (thus causing decryption to fail)?

  • IPSEC PSK and OpenVPN Shared Key Deprecation Notice

    1
    0 Votes
    1 Posts
    733 Views
    No one has replied
  • GRE+IPsec transport mode with Cisco router

    3
    0 Votes
    3 Posts
    853 Views

    Unfortunately I don't have access to Cisco.

  • IPSec connection goes stale when high throughput

    23
    0 Votes
    23 Posts
    2k Views

    @nocling I have not activated MOBIKE. From my point of view, this is not necessary for a site-to-site VPN connection.

    Here are my P1 Settings:
    Screenshot 2023-01-29 150303.png

    Here are my Advanced IPsec Settings:
    Screenshot 2023-01-29 150111.png

    I also activated Asynchronous Cryptography, but I didn't see any advantages during testing, so I deactivated it again.

    I am at a loss and do not know if the problem is due to the pfSense settings. With the Netgate 1537, do drivers for the hardware also have to be updated in addition to the pfSense? Or is this done with the installation of pfSense? System -> Netgate Firmware Upgrade shows that this function is not available for this hardware.

  • IPSec tunnel is very slow between pfsense routers

    2
    0 Votes
    2 Posts
    687 Views

    @kevingoos said in IPSec tunnel is very slow between pfsense routers:

    Netgate 7100, and an internet connection with 400Mbit down and 40Mbit up

    Before we move forward, please clean up your pictures. You got your IP there and your PSK out there in the open. Redact that.

  • IPsec allow only individual hosts to use internet connection from Site A

    4
    0 Votes
    4 Posts
    800 Views
  • pfBlocker with GEO IP not block IPSEC

    4
    0 Votes
    4 Posts
    991 Views

    @keyser Works fine, thx :)

  • Cisco sip via ipsec/vti to remote server

    3
    0 Votes
    3 Posts
    584 Views

    Set my wan vti tunnel MTU to 1500

  • IPSec tunnel stopped working post upgrade

    11
    0 Votes
    11 Posts
    1k Views

    @orangehand ok no problem. Glad it all worked out

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.