• Ping remote connection from LAN

    0 Votes, 7 Posts, 1k Views
    @dalicollins I am just trying to ping both ways. I can ping from the Windows client to the pfSense box, but not from the LAN on the pfSense box to the client. The client is on its own dynamic IP network with a small router. The router has IPsec passthrough enabled. I added the following IPsec rule and Phase 2 tunnel: [image: 1676133558610-vpn9.jpg] [image: 1676133565491-vpn10.jpg]
  • IPsec to LAN connection

    0 Votes, 1 Post, 664 Views
    No one has replied
  • Cannot get to shared folders

    0 Votes, 29 Posts, 3k Views
    @dalicollins pfSense can handle all this pretty well. It gives you full control over which traffic to route out to which gateway. You can determine this by source IP and/or ports, destination IP and/or ports, or both. Just a few firewall rules in a single place. And the nicest part: it can fail over the upstream traffic to the other WAN in case of a dropout of the primary connection. Also it's possible to load balance all upstream traffic permanently. I can't see any reason for running an additional router for VPN only.
  • IPSEC VPN Failing with invalid ID_V1

    0 Votes, 3 Posts, 1k Views
    UPDATE: Possibly one more clue to the puzzle. Looking at the status page of the local side when trying to connect, this is what I end up seeing: [image: 1675697336237-local_ipsec_status_page_connecting-resized.jpg] There end up being 2(!) connections which show up. The only difference appears to be the "NAT-T" behind the host on the generated connection. I'm guessing that's because it's detecting a NAT at the remote end? Possibly the ISP is using NAT and screwing up the communication between both points (thus causing decryption to fail)?
  • IPSEC PSK and OpenVPN Shared Key Deprecation Notice

    0 Votes, 1 Post, 765 Views
    No one has replied
  • GRE+IPsec transport mode with Cisco router

    0 Votes, 3 Posts, 890 Views
    Unfortunately I don't have access to Cisco.
  • IPSec connection goes stale when high throughput

    0 Votes, 23 Posts, 2k Views
    @nocling I have not activated MOBIKE. From my point of view, this is not necessary for a site-to-site VPN connection. Here are my P1 settings: [image: 1675001408319-screenshot-2023-01-29-150303-resized.png] Here are my Advanced IPsec settings: [image: 1675001353572-screenshot-2023-01-29-150111.png] I also activated Asynchronous Cryptography, but I didn't see any advantages during testing, so I deactivated it again. I am at a loss and do not know if the problem is due to the pfSense settings. With the Netgate 1537, do drivers for the hardware also have to be updated in addition to pfSense? Or is this done with the installation of pfSense? System -> Netgate Firmware Upgrade shows that this function is not available for this hardware.
  • IPSec tunnel is very slow between pfsense routers

    0 Votes, 2 Posts, 692 Views
    @kevingoos said in IPSec tunnel is very slow between pfsense routers: "Netgate 7100, and an internet connection with 400Mbit down and 40Mbit up" Before we move forward, please clean up your pictures. You got your IP there and your PSK out there in the open. Redact that.
  • IPsec allow only individual hosts to use internet connection from Site A

    0 Votes, 4 Posts, 836 Views
    @vm_machina It's explained in the pfSense docs: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html
  • pfBlocker with GEO IP not block IPSEC

    0 Votes, 4 Posts, 1k Views
    @keyser Works fine, thx :)
  • Cisco sip via ipsec/vti to remote server

    0 Votes, 3 Posts, 614 Views
    Set my WAN VTI tunnel MTU to 1500
  • IPSec tunnel stopped working post upgrade

    0 Votes, 11 Posts, 2k Views
    @orangehand OK, no problem. Glad it all worked out.
  • IPSec disconnects and won't reconnect

    0 Votes, 2 Posts, 634 Views
    @rebelscum What happens if you search those same IPsec logs but for the remote IP?
  • VIP Ipsec not working after upgrade

    0 Votes, 1 Post, 477 Views
    No one has replied
  • IPSec Phase 2 Allowing Wrong Subnets?

    0 Votes, 1 Post, 434 Views
    No one has replied
  • <Solved> - IPsec IKEv2 Cisco ASA will only activate first P2 SA

    0 Votes, 2 Posts, 977 Views
    jimp
    @bingo600 said in <Solved> - IPsec IKEv2 Cisco ASA will only activate first P2 SA: "But why did the first P2 activate without that command??? Is there some default/special handling of the first P2?" Yes, there is. When connecting, the first P2 SA entry uses DH information from the parent P1, and not its own PFS value. This isn't specific to pfSense; it's part of how IPsec operates. It will use the P2 PFS value for the additional P2 entries and also when rekeying, so it may have failed to stay established over time as well. You'll see this sometimes on the IPsec status when a tunnel first connects and it doesn't show the PFS value in the P2 status for the first configured P2 initially, but it will after a while when the tunnel rekeys.
  • Site to Site and Hair-Pin

    0 Votes, 12 Posts, 2k Views
    @viragomann I'll just continue on from here. I'm not really following your comments. His UDM is managing VLANs and networks for his clients. I need a connection to his UDM to get my VPN and network routed to and from his UDM. The VPN is to get discrete networks in two geographically dispersed locations to communicate directly. I have no idea how else it would be done. Appreciate everyone's input. Although I'd still be interested to know if pfSense can handle a hair-pin situation with VPN or if it really needs to cross interfaces to operate at all.
  • Make Subnet reachable over IPsec using an IP in the very same Subnet

    0 Votes, 4 Posts, 1k Views
    @kastenfrosch-48 Still not really clear what you intend to achieve. "Unfortunately, this is the very same network those hosts are also residing in. I want to initiate the IPsec-Tunnel from an IP inside this subnet." You want to initiate an IP from one of these remote machines to your pfSense and access the other remote network devices through it?
  • IPSec performances

    0 Votes, 2 Posts, 693 Views
    @ppcm Are we testing with SMB? What's the latency for each site?
  • IPSec dns search domain / suffix

    0 Votes, 2 Posts, 687 Views
    As it seems, this feature is not supported for IKEv2.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.