I had this problem also after setting up the same config, rebooting pfsense corrected this, restarting ipsec may work also. i think it needed a restart to re-read son configs.

@betahelix So now there's an OpenVPN tunnel too? Can you show the actually topology of both sites? When I have VPN issues I always use the Packet Capture under Diagnostics menu. Try that on the 2100 while pinging from the WireGuard clients.

@michmoor said in IPSEC - Packets do not enter tunnel: @manzanoso correction you dont need a static route per se. what is the status of the tunnel? Status > IPsec [image: 1657216020303-1864035e-d178-4cef-844d-ccf752656278-image.png] What I could identify is that when the notebook is on the 192.168.150 network, I can transfer packets on the VPN, however, when the notebook is on the 172.23.0 network it does not work. I'm using a nat for output which is what is needed for the other end of the VPN. [image: 1657215918309-06400ac3-3060-49a2-a600-a536a339d54c-image.png]

@bingo600 Excellent, thank you. The remote server now sees the domain controller on the other side of the IPSEC VPN. [image: 1657204074087-pfsense.jpg]

@mrv0 said in Mobile clients have no access to other site: Site-to-site at Site A: (The tunnel is disabled in the image because I am having this problem) But this P2 is needed to connect the remote network with the mobile clients. Also you need an additional P2 at B with the LAN as local and the A sites mobile pool as remote network.

Hi guys, First of all, sorry for my own self reply and thank you for your responses... I'm just very frustated. I've been creating VPNs to Oracle for some years now (even with pfSense Tunnel and VTI with other softwares) but pfSense VTI has never been an option for some reasons. This time I wanted to give a try. I have just undone everything and just given up pfSense. Firstly I went back to the usual Tunnel IPSEC that works as expected. No modifications are needed to make it work on Oracle's side so the problem might/may/must be related to pfSense. If you guys had some links to post here I'll read them all to try to find out what I've done wrong. I followed this guide https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html and another thousand recipes available on the net. Not even the gateway monitoring works !!!! What on earth could be impeding the gateway monitor to work ?? I know many of you have this setup working but as far as I could find there are a lot of complaints like mine. I must be having a bad week, even posting to this forum is really hard.... akismet keeps telling my post is a SPAM :\ lost good 60 minutes trying to post.... I was trying to ask about the gateway monitoring thing. I have just given up. As you've said, this is a community forum and I should really no wait so much of it although it has already helped me lots of time (thanks guys). When I get my patience back I will try again. Thanks you, Marcus

@jimp Thank you for your clarification. You saved me time on testing this. I guess I have to try a more difficult way. @luckman212 I found the same tutorial, it looks like it describes pretty much the steps we need to go through to set up dual-wan.

@unsichtbarre Install the iperf package at both ends. Use that to determine what your baseline end to end speed really is. Now run it over your ipsec tunnel. If there is a substantial difference then that needs looking into.

@derelict said in IPSec local network subnet size and NAT size error: @mamawe As far as I know that type of NAT has never been valid on an IPsec tunnel. You can do 1:1 or Many:1 but not Many:Some_Other_Size_Many. Maybe it wasn't clear from my answer. I used Many:1-NAT and 1 address for our side of the VPN traffic selector. The last two sentences referred to the peer VPN gateway. Some implementations allow to negotiate a smaller traffic selector in phase 2 as was configured (1 address instead of a subnet). With these you don't have to change anything at the peer VPN gateway. If the peer VPN gateway insists on using the correct traffic selector, you have to have the peer VPN configuration changed.

@betahelix Possibly What does the ASUS documentation say about S2S? What configuration attempts have you done? What do the logs show when you try it?

Figured it out. I had to create a firewall rule on the Netgate to allow traffic from the TPLink LAN Network exclusively. I had thought using the "LAN net" as the source would suffice, guess not.

@frika Issue with ipsec routing Maybe you can tell us some more details about your IPSec connection? Which machines are these? Both pfSense? Routed IPSec or traditional phase 2? What shows Status > IPSec? Show the config.

@frika issue resolved. In order for the outside routed to gain access I had to extend the subnet of the Ubuntu server-2 (ubuntu server-2 and mikrotik have to be within the same range/subnet).

@gassyantelope Our issues was on any add or change to an IPSEC configuration. The Status, IPSEC page was very slow as well, up to a minute to load. Now loads in <1 sec. 2.6.0 definitely fixed all our IPSEC setup and modify 504 errors.

@jok said in IPSec tunnel ping initialization: Hello. I have set up a tunnel between two sites. The tunnel establishes connection perfectly. But I obtain a strange behaviour: If I ping from a PC1 from site A to a PC2 in site B, the ping not respond. If I ping inmediatly from the PC2 from site B to the PC1 in site A, both pings start working. The same with all the computers. Some ideas? Thanks! Hi! What rules? I have the same exact problem