• Can't pass traffic using VTI if_sec if destination was powered off

    1
    0 Votes
    1 Posts
    495 Views
    No one has replied
  • PF_KEY buffer overflow errors - killing ipsec tunnel

    2
    0 Votes
    2 Posts
    755 Views
    jimp

    Upgrade to a more recent supported release. That was fixed a long time ago.

  • 0 Votes
    2 Posts
    1k Views
    M

    I want to make tunnel between pfsense and vps,
    I have no idea how to do that.
    Kindly help

  • Remote Id for VPN site to site

    2
    0 Votes
    2 Posts
    1k Views
    I

    @ivan0 Any support about the request above?

  • Is VTI currently broken?

    1
    0 Votes
    1 Posts
    633 Views
    No one has replied
  • IPSec Routing is not working after upgrading pfsense from 2.4.4 to 2.6.0

    2
    0 Votes
    2 Posts
    835 Views
    T

    Hello Team,

    Can you please help us on above issue?

    Thank You

  • IPSEC VPN connects from iOS, but does not route traffic

    4
    0 Votes
    4 Posts
    1k Views
    D

    We've encountered a lot of Issues with VPN on iOS devices.

    A core-point is Apple's DNS-Privacy: When connected to a wifi, apple by default is ignoring the assigned dns servers (and therefore any dns assigned by the tunnel) and instead is using the apple cloud dns, "to protect your privacy" (at least that's the reason they claim)

    You can set the dns-server for a particular wifi to manual to resolve this. Just becomes very unhandy, if you have hundreds of clients dealing with that "feature".

    Your observation about the IPV6 / IPV4 difference might be the problem:

    Your iPhone's provider is using IPV6, and your ipv4-connection is then only an ipv4 over ipv6 tunnel (In our country referred to as "Dual-Stack-Lite / DS-Lite").

    Here you'll have limits on the usable ports - depending on the provider. He might have decided that a common user needs to use port 80 and 443, therefore created the proper rules for that, but everything else will not be forwarded.

    (Your Phone would be the router here, IPV4 only over nat'd IPV6)

    Your best option here would be to make your vpn-server ipv6 capable, OR (that's what we did): Use Port 143 - that's IMAPS - nobody is using imap nowadays, but that port is most likely served by your isp.

  • Can you setup an address pool for IPSec clients ?

    2
    0 Votes
    2 Posts
    775 Views
    NogBadTheBad

    @paul1923 Freeradius and framed-ip addresses will enable you to do this per user.

    https://forum.netgate.com/topic/115795/guide-ikev2-ipsec-per-user-firewall-rule-settings-with-freeradius

  • IPsec VTI 2.6.0 requires reboot

    10
    0 Votes
    10 Posts
    2k Views
    luckman212

    @ofloo Thanks. couple of small points:

    - your shebang is for bash -- did you install bash on your firewall? (pfSense does not come with bash)
    - you could use pkill -F /var/run/charon.pid which is more concise and doesn't need the cat
    - wouldn't you need to tail -n10 etc to be sure you weren't just reading the same "trap not found" message over and over in a loop?
    - you don't need the extra if-test and pipe to wc, you can test the result code from grep directly

    maybe something like this would work? (I have not tested this)

    #!/bin/sh
    # Look only at the last 10 lines so an old "trap not found" message is not matched forever
    if tail -n10 /var/log/ipsec.log | /usr/bin/grep -q "trap not found, unable to acquire reqid"; then
        # -F reads the PID from the pidfile, so no cat is needed
        pkill -9 -F /var/run/charon.pid
        echo "Executed Charon kill script, IPsec seems locked up"
    fi
    exit 0
  • SecureW2 ipsec eap-tls

    1
    0 Votes
    1 Posts
    844 Views
    No one has replied
  • Log Ipsec

    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • IPSEC carp failover doesn't automatically establish on switched to member

    6
    0 Votes
    6 Posts
    1k Views
    D

    Just did another test:

    While being in this situation:

    failback on the lan-carp-ip happened to node1
    node2 has the IPSec still established

    I can continue using the tunnel, if I manually change my gateway from the lan-carp-ip to the second nodes ip address.

    So, overall the master node does not reestablish a connection, because the connection is healthy - but it is just no longer accessible for lan-clients.

    However, the roles themselves claimed that fallBACK also has happened for the wan-carp-ip, so it might be an issue on the wan side, where packages of the tunnel communication are still sent to the backup-node, even if it does no longer own the wan-carp-ip. This leads to the cluster's assumption that the tunnel is healthy and no reconnect is required.

    But beyond that observation, I could only start to guess, because I'm not familiar with how the whole carp thing works. If it uses MAC-spoofing, there shouldn't be any misrouted packages. If both of the nodes use an own mac-address with the wan-carp-ip it might be the router's mac-address-table / cache that keeps sending packages to the MAC of the backup-role, keeping that tunnel alive and "healthy", which finally suppresses the reconnect of the master role, that would be the one that is accessible by the lan-carp-ip.

  • IPSec tunnel has worked for over a year, randomly stopped today

    1
    0 Votes
    1 Posts
    466 Views
    No one has replied
  • IPSec: Established, SAs Up, Traffic somewhat strange or missing

    3
    0 Votes
    3 Posts
    928 Views
    D

    Figured it out thx to a post in the UTM-Forums that is ... ehm... 5 years old :)

    The Sophos has an issue with AES 256 along with SHA 256. Dropping to SHA-1 and it starts to work all of a sudden.

    (Not to mention it does not support IKEv2)

    Well, we are looking for a new Appliance on the HQ-Side anyway, so i'm now going to look deeper into pfSense 😜

    https://community.sophos.com/sophos-xg-firewall/f/discussions/89213/ipsec-vpn-with-utm-not-passing-traffic?ReplyFilter=Answers&ReplySortBy=Answers&ReplySortOrder=Descending

  • Problems with my IPsec

    1
    0 Votes
    1 Posts
    622 Views
    No one has replied
  • Netgate 2100 IPsec S2S AES GCM and SafeXcel mbuf overload

    18
    1 Votes
    18 Posts
    2k Views
    F

    It appears Bug #13074 ( https://redmine.pfsense.org/issues/13074 ) has been created for this.

  • IPsec Tunnel P1 and P2 comes up, but cannot ping the other side

    7
    0 Votes
    7 Posts
    1k Views
    R

    @pelikanruban This.
    If you had a pcap going at the same time there's no evidence the pings ever came through.

    What is the "other" platform? Have they shared their config file with you so you can verify your settings match theirs?

  • IPSec phase 2 to an IP Range

    5
    0 Votes
    5 Posts
    1k Views
    R

    @phlmike you can probably add each PC with a /32, which might 'read' more elegantly than the two /29.

    I'm also wondering if the Alias you have already created could be utilised in the phase 2 declaration for this purpose. Never tried it.

  • Need second eyes

    2
    0 Votes
    2 Posts
    665 Views
    P

    You can disregard this post

    This was an issue where the WAN ip address had a 223 in the WAN ip address and I put in a 233. My brain missed it again until a coworker took notice

  • Backup configuration on device but some IPsec fails to connect.

    3
    0 Votes
    3 Posts
    933 Views
    C

    @timboau-0 Thank you. I tried 2.5.2, and the same result just showed connecting on the same two connections that I was initially having issues with. I will mess with this more after hours and try rebuilding the P1 and P2 from scratch to see if that helps unless someone has any other suggestions.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.