  • IPSEC PSK and OpenVPN Shared Key Deprecation Notice
    0 Votes, 1 Post, 818 Views
    No one has replied
  • GRE+IPsec transport mode with Cisco router
    0 Votes, 3 Posts, 962 Views
    Unfortunately I don't have access to Cisco.
  • IPSec connection goes stale when high throughput
    0 Votes, 23 Posts, 2k Views
    @nocling I have not activated MOBIKE. From my point of view, this is not necessary for a site-to-site VPN connection.
    Here are my P1 settings: [image: 1675001408319-screenshot-2023-01-29-150303-resized.png]
    Here are my Advanced IPsec settings: [image: 1675001353572-screenshot-2023-01-29-150111.png]
    I also activated Asynchronous Cryptography, but I didn't see any advantages during testing, so I deactivated it again.
    I am at a loss and do not know if the problem is due to the pfSense settings. With the Netgate 1537, do drivers for the hardware also have to be updated in addition to pfSense, or is this done with the installation of pfSense? System -> Netgate Firmware Upgrade shows that this function is not available for this hardware.
  • IPSec tunnel is very slow between pfsense routers
    0 Votes, 2 Posts, 714 Views
    @kevingoos said in IPSec tunnel is very slow between pfsense routers: "Netgate 7100, and an internet connection with 400Mbit down and 40Mbit up"
    Before we move forward, please clean up your pictures. You've got your IP there and your PSK out there in the open. Redact that.
  • 0 Votes, 4 Posts, 938 Views
    @vm_machina It's explained in the pfSense docs: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html
  • pfBlocker with GEO IP does not block IPSEC
    0 Votes, 4 Posts, 1k Views
    @keyser Works fine, thx :)
  • Cisco SIP via IPsec/VTI to remote server
    0 Votes, 3 Posts, 661 Views
    Set my WAN VTI tunnel MTU to 1500.
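The tunnel interface MTU in a thread like this one interacts with ESP encapsulation: whatever size the VTI lets through, the packet that leaves the WAN is larger by the outer IP header, the ESP header, the IV, padding and the ICV. The Python below is an added example written for this page, not code from the thread or from pfSense. It computes that overhead per RFC 4303/RFC 4106 sizes for a few cipher suites and the largest inner packet that still fits a 1500-byte WAN MTU unfragmented; the cipher suites, the 1500-byte outer MTU and the NAT-T cases are assumptions, not taken from the post.

```python
"""ESP tunnel-mode overhead and the largest inner packet that fits a WAN MTU.

Added example for this page, not pfSense code. Sizes follow RFC 4303 (ESP)
and RFC 4106 (AES-GCM): outer IPv4/IPv6 header, optional UDP NAT-T header,
ESP header (SPI + sequence number), IV, inner packet plus padding so that the
Pad Length and Next Header bytes end on the required boundary, then the ICV.
The cipher suites and MTU values used in the demo are assumptions.
"""

IV_LEN = {"aes-cbc": 16, "aes-gcm": 8, "chacha20-poly1305": 8}
# CBC pads to the 16-byte block; AEAD suites only need the generic 4-byte
# ESP alignment of the trailer.
PAD_ALIGN = {"aes-cbc": 16, "aes-gcm": 4, "chacha20-poly1305": 4}
AEAD_ICV = {"aes-gcm": 16, "chacha20-poly1305": 16}          # default 16-byte ICV
HMAC_ICV = {"hmac-sha1-96": 12, "hmac-sha256-128": 16, "hmac-sha512-256": 32}


def esp_packet_size(inner_len, cipher, integ=None, nat_t=False, outer_ipv6=False):
    """Bytes on the wire for one tunnel-mode ESP packet carrying an inner IP
    packet of inner_len bytes. Non-AEAD ciphers need a separate integ algorithm."""
    icv = AEAD_ICV[cipher] if cipher in AEAD_ICV else HMAC_ICV[integ]
    body = inner_len + 2                      # inner packet + Pad Length + Next Header
    padding = (-body) % PAD_ALIGN[cipher]     # bytes needed to reach the boundary
    outer_ip = 40 if outer_ipv6 else 20
    udp = 8 if nat_t else 0
    esp_header = 8                            # SPI (4) + sequence number (4)
    return outer_ip + udp + esp_header + IV_LEN[cipher] + body + padding + icv


def max_inner_size(outer_mtu, cipher, integ=None, nat_t=False, outer_ipv6=False):
    """Largest inner IP packet whose ESP encapsulation still fits outer_mtu,
    i.e. the most the VTI/tunnel interface MTU can be without post-encryption
    fragmentation. Padding is not monotonic, so search downwards."""
    size = outer_mtu
    while size > 0 and esp_packet_size(size, cipher, integ, nat_t, outer_ipv6) > outer_mtu:
        size -= 1
    return size


def tcp_mss_for(inner_mtu, inner_ipv6=False):
    """TCP MSS to clamp to inside the tunnel: inner IP header + 20-byte TCP header."""
    return inner_mtu - (40 if inner_ipv6 else 20) - 20


if __name__ == "__main__":
    # Assumed WAN MTU of 1500 and three assumed cipher suites.
    cases = [
        ("AES-GCM-16, no NAT-T", dict(cipher="aes-gcm")),
        ("AES-GCM-16, NAT-T", dict(cipher="aes-gcm", nat_t=True)),
        ("AES-CBC + HMAC-SHA256-128, NAT-T",
         dict(cipher="aes-cbc", integ="hmac-sha256-128", nat_t=True)),
    ]
    for label, kw in cases:
        inner = max_inner_size(1500, **kw)
        print(f"{label:34s} VTI MTU <= {inner}, inner TCP MSS <= {tcp_mss_for(inner)}")
    # A full 1500-byte inner packet never fits a 1500-byte WAN after encapsulation.
    print("1500-byte inner packet on the wire (AES-GCM):",
          esp_packet_size(1500, "aes-gcm"), "bytes")
```

If the VTI MTU is left equal to the WAN MTU, every full-size inner packet comes out of the encapsulation larger than the outer MTU and is fragmented after encryption; setting the VTI MTU to the `max_inner_size` value (or clamping MSS to `tcp_mss_for` of it for TCP) is the check to run before trusting a 1500-byte tunnel MTU.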
  • IPSec tunnel stopped working post upgrade
    0 Votes, 11 Posts, 2k Views
    @orangehand ok no problem. Glad it all worked out.
  • IPSec disconnects and won't reconnect
    0 Votes, 2 Posts, 709 Views
    @rebelscum What happens if you search those same IPsec logs but for the remote IP?
  • VIP IPsec not working after upgrade
    0 Votes, 1 Post, 513 Views
    No one has replied
  • IPSec Phase 2 Allowing Wrong Subnets?
    0 Votes, 1 Post, 477 Views
    No one has replied
  • <Solved> - IPsec IKEv2 Cisco ASA will only activate first P2 SA
    0 Votes, 2 Posts, 1k Views
    jimp: @bingo600 said in <Solved> - IPsec IKEv2 Cisco ASA will only activate first P2 SA: "But why did the first P2 activate without that command? Is there some default/special handling of the first P2?"
    Yes, there is. When connecting, the first P2 SA entry uses DH information from the parent P1, and not its own PFS value. This isn't specific to pfSense; it's part of how IPsec operates. It will use the P2 PFS value for the additional P2 entries and also when rekeying, so it may have failed to stay established over time as well.
    You'll see this sometimes on the IPsec status when a tunnel connects first and it doesn't show the PFS value in the P2 status for the first configured P2 initially, but it will after a while when the tunnel rekeys.
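The behaviour jimp describes above, modelled in Python as an added example that is not part of the thread, of pfSense or of strongSwan: in IKEv2 the first CHILD_SA is created inside IKE_AUTH and keyed from the IKE SA's Diffie-Hellman result, so its own PFS setting is never negotiated at that point; every later CHILD_SA (additional Phase 2 entries and every rekey, the first entry's included) goes through CREATE_CHILD_SA, where the PFS group is negotiated and a mismatch fails. The Phase 2 names, DH group 14, the one-group-per-side negotiation and the "peer requires PFS on every Phase 2" scenario are assumptions constructed for the demo.

```python
"""Which IKEv2 Phase 2 (CHILD_SA) entries come up, and stay up, when the
Phase 2 PFS setting does not match the peer.

Added example for this page; not pfSense or strongSwan code. Model:
  - the first CHILD_SA is piggybacked on IKE_AUTH (no KE payload) and keyed
    from the IKE SA's DH exchange, so PFS is not negotiated for it yet;
  - additional CHILD_SAs and all rekeys use CREATE_CHILD_SA, where the PFS
    group is negotiated and must agree.
Scenario values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    name: str
    pfs_group: Optional[int]    # IKE DH group number; None = PFS disabled


@dataclass(frozen=True)
class Outcome:
    name: str
    initial_up: bool            # establishes when the tunnel first connects?
    initial_dh: Optional[int]   # DH group that actually protected the initial keying
    survives_rekey: bool        # stays up once CREATE_CHILD_SA rekeys it?
    reason: str


def pfs_agrees(local: Optional[int], peer: Optional[int]) -> bool:
    """Simplified PFS negotiation (assumption): both sides disabled, or both
    configured with the same single group. Real stacks may offer several."""
    return local == peer


def simulate(p1_dh_group: int, local: List[Phase2], peer: List[Phase2]) -> List[Outcome]:
    """Pair local and peer Phase 2 entries in configuration order and work out
    what happens to each at initial connect and then at rekey."""
    if len(local) != len(peer):
        raise ValueError("entries must pair up one-to-one for this model")
    outcomes = []
    for index, (l, p) in enumerate(zip(local, peer)):
        agree = pfs_agrees(l.pfs_group, p.pfs_group)
        if index == 0:
            # Piggybacked on IKE_AUTH: keys derive from the IKE SA, so a wrong
            # PFS setting is not noticed until the first rekey.
            initial_up, initial_dh = True, p1_dh_group
            reason = "first CHILD_SA in IKE_AUTH: keyed from IKE SA DH group %d" % p1_dh_group
        elif agree:
            initial_up, initial_dh = True, l.pfs_group
            reason = "CREATE_CHILD_SA: PFS %s agreed" % l.pfs_group
        else:
            initial_up, initial_dh = False, None
            reason = "CREATE_CHILD_SA rejected: local PFS %s, peer PFS %s" % (l.pfs_group, p.pfs_group)
        # Rekeys always go through CREATE_CHILD_SA, the first entry included.
        outcomes.append(Outcome(l.name, initial_up, initial_dh, agree, reason))
    return outcomes


def report(p1_dh_group: int, local: List[Phase2], peer: List[Phase2]) -> str:
    lines = []
    for o in simulate(p1_dh_group, local, peer):
        lines.append("%-6s initial=%-4s (DH %s) rekey=%-5s %s" % (
            o.name, "up" if o.initial_up else "DOWN", o.initial_dh,
            "ok" if o.survives_rekey else "FAILS", o.reason))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: Phase 1 uses DH group 14; the peer wants PFS
    # group 14 on every Phase 2, but the local entries have PFS disabled.
    peer_p2 = [Phase2("net-a", 14), Phase2("net-b", 14)]
    print(report(14, [Phase2("net-a", None), Phase2("net-b", None)], peer_p2))
    print()
    # With the local entries corrected to PFS group 14 everything stays up.
    print(report(14, [Phase2("net-a", 14), Phase2("net-b", 14)], peer_p2))
```

The first run reproduces the symptom in the thread title: `net-a` comes up at connect time on the P1 DH group but will not survive its rekey, and `net-b` never comes up at all; the second run shows both entries up and rekeying once the PFS groups match.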
  • Site to Site and Hair-Pin
    0 Votes, 12 Posts, 2k Views
    @viragomann I'll just continue on from here. I'm not following your comments really. His UDM is managing VLANs and networks for his clients. I need a connection to his UDM to get my VPN and network routed to and from his UDM. The VPN is to get to discrete networks in two geographically dispersed locations to communicate directly. I have no idea how else it would be done.
    Appreciate everyone's input. Although I'd still be interested to know if pfSense can handle a hair-pin situation with VPN or if it really needs to cross interfaces to operate at all.
  • Make Subnet reachable over IPsec using an IP in the very same Subnet
    0 Votes, 4 Posts, 1k Views
    @kastenfrosch-48 Still not really clear what you intend to achieve.
    "Unfortunately, this is the very same network those hosts are also residing in. I want to initiate the IPsec-Tunnel from an IP inside this subnet."
    You want to initiate an IP from one of these remote machines to your pfSense and access the other remote network devices through it?
  • IPSec performances
    0 Votes, 2 Posts, 725 Views
    @ppcm are we testing with SMB? What's the latency for each site?
  • IPSec DNS search domain / suffix
    0 Votes, 2 Posts, 702 Views
    As it seems, this feature is not supported for IKEv2.
  • problem reaching Public IP endpoint of IPSEC with dual WAN
    0 Votes, 5 Posts, 907 Views
    @f-giraud said in problem reaching Public IP endpoint of IPSEC with dual WAN: "Do you policy route the LAN out to WAN B? I wanted to request for WAN A."
    But the traffic also goes out on A if it's the default gateway, of course.
    "Is there an outbound NAT rule in place for the LAN subnet on B? (NO !!)"
    So I would simply add an outbound NAT rule for the source of LAN subnet to WAN B. Otherwise, I think, policy routing the traffic to WAN A should work as well.
  • IPSec VTI phase2 0.0.0.0/0 bypasses firewall rule
    0 Votes, 3 Posts, 828 Views
    Antonio Emiliano: @jimp Thanks for your time! Unfortunately, I don't have the experience to discuss VTI in depth. I am grateful for the observation.
    However, I managed to get my gateway rule working when I set a destination. To point to the world I use something like "!127.0.0.1". After that the rule started to obey and my LAN started to go out through the gateway described in the rule. However, I'm afraid of the way this is configured; I don't know the impact of this for future cases.
    My only limitation now is my partner's SonicWall firewall: when he selects Tunnel Interface (VTI) he cannot define "Local Subnet" and "Remote Subnet". It's like it only accepts 0/0 for 0/0. I did another test, which was to configure phase 2 with a different "Remote Subnet", with any network that doesn't even exist for us, without changing the SonicWall side, and phase 2 connects. So it seems that the SonicWall's behavior as a tunnel interface is to accept whatever network I configure on my side. Of course, for it to work I must configure the right networks, but this explanation is just for information purposes.
    Ahh, and I realized that because before I tried to connect several phase 2s, one for each network, and only one worked. So I did the test above and it worked. What I'm going to do now is create, together with my partner on the SonicWall, several phase 2s, one for each network I need to connect, and then try to redo all the phase 2s I need by correctly defining the destination networks I need. I hope it works out like this. Thanks a lot for your help once again.
  • [CFG] trap not found, unable to acquire reqid
    0 Votes, 3 Posts, 928 Views
    @jimp understood. Happy New Year Jim!
  • IPSec VPN
    0 Votes, 5 Posts, 958 Views
    @viragomann - the packet sniffing and increasing the log detail for IPsec did the trick. Two issues:
    I had a couple of machines with no gateway defined. This was not an issue for local traffic but creates an issue for the traffic back to the IPSec devices.
    In all of the testing I had left the Phase 2 local subnet set to just one of the networks. Changing to Network 0.0.0.0/0 did the trick.
    Thanks for the pointers.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.