• Multiple IPSec Phase 2

    1
    0 Votes
    1 Posts
    622 Views
    No one has replied
  • IPsec ldap windows 10 login

    2
    0 Votes
    2 Posts
    827 Views
    F

    Hi,

    I have the same problem.
    LDAP works. An LDAP user can log in to the web interface.
    Diagnostics / Authentication also works.
    When a local user (EAP Keys) logs in to the IPsec VPN, everything works.
    I have the same errors when logging in as an LDAP user.

    16 [IKE] <con-mobile | 60> no EAP key found for hosts '000.000.000.000' - 'ldap_user'
    16 [IKE] <con-mobile | 60> EAP-MS-CHAPv2 verification failed, retry (2)

    Thank you

  • 1 Votes
    6 Posts
    1k Views
    T

    @nocling I tried IPsec using IPv6 and had pretty weird errors (this was with a Starlink service, so it does drop more than you would like). Essentially it wasn't stable as an IPsec tunnel (this was using 2.5). I switched over to WireGuard and it's been working really well; there just doesn't seem to be 100% support from Netgate yet, so I'm reluctant to replace all IPsec with WireGuard.

  • HA sync results in Interface not found: '_vip577745067c45c' on backup

    4
    0 Votes
    4 Posts
    988 Views
    S

    I've been informed, "If you have XMLRPC sync the VIPs that would work as the IDs would match on both. VIPs have to be tracked by ID, not IP address. Thus you have an unsupported configuration if you are managing the VIPs by hand but expecting other areas of the configuration to sync via XMLRPC."

    It's been years since it was set up, but if I go back I do see "Virtual IPs" is unchecked in the HA sync settings. I had to dig into deep areas of my brain but looking at the config, I think it's because we have one IP alias that isn't on the WAN or LAN CARP ranges and that needed to be different on the two, so the VIPs couldn't be synced. I didn't play with that though.

    What I did was edit the <uniqid>xxxx</uniqid> values in the backup router to match those on the primary router, and restore. That seems to have resolved this error message.

  • NAT/BINAT error config after update 2.6.0

    2
    0 Votes
    2 Posts
    672 Views
    K

    In version 2.5.2 if you let apply the changes

  • ipsec tunnel setup issues

    3
    0 Votes
    3 Posts
    986 Views
    T

    @pfsenseuser1 What does the IPsec dashboard widget display?
    Also check in:
    http://{IPADDRESS}/status_logs.php?logfile=ipsec

    In settings you can reverse the order so the most recent entries are at the top.

  • IP SEC : Pfsense <-> watchguard BOVPN

    2
    0 Votes
    2 Posts
    1k Views
    Y

    @yguerchet The topic is old, but I solved it by enabling "split connection".

  • Same Shared secret across tunnels with 2.6 valid?

    1
    0 Votes
    1 Posts
    449 Views
    No one has replied
  • IPSEC tunnel can access any Interface but LAN

    2
    0 Votes
    2 Posts
    687 Views
    departyD

    Re: IPSEC tunnel can access any Interface but LAN

    After spending hours of experimenting I found the issue is different; I will probably open a new thread in the correct section with the correct details.

  • Virtual Smart Card authentication for IPsec VPN

    1
    0 Votes
    1 Posts
    724 Views
    No one has replied
  • Weird IPSEC Performance

    2
    0 Votes
    2 Posts
    788 Views
    ?

    Hi,

    I installed iperf3 and ran a test from a local PC to
    the local pfSense: 940ish in both directions.
    If you are able to set up iperf on PC 1 behind pfSense 1
    and PC 2 behind pfSense 2 and do an iperf test again, it would be
    more realistic, and based on the money you spent it
    might be nice to hear what comes out.

    With a hardware setup like yours you may often connect two branches or companies to gain the full throughput for workloads and/or file transfers like syncing and/or DB data exchange.

    Recently one of my VPNs that had been running at
    250-300 Mbps dropped to 20 Mbps.
    By the way, where should it be breaking in? Perhaps on the other VPN end and not on your site?

  • Can't access Webpage over IPSec

    1
    0 Votes
    1 Posts
    448 Views
    No one has replied
  • Virtual Address Pool in Pre-Shared Keys is not used for ipsec

    12
    0 Votes
    12 Posts
    3k Views
    keyserK

    @jimp said in Virtual Address Pool in Pre-Shared Keys is not used for ipsec:

    It works right now if the client sends the correct identifier in P1, but the problem is that Windows doesn't. Other clients like those on Linux or the strongSwan app send the correct ID and can use per-user addresses right now.

    There is a patch in the Redmine issue linked above that has shown promise with Windows clients but isn't a complete solution.

    Jimp, if you could get that patch to work - and thereby enable Windows native clients to use PSK-defined pool addresses - it would be REALLY nice!!

    Any chance you could spend a little time to get the IPsec daemon to accept a virtual address pool returned from RADIUS in an EAP-RADIUS setup? That would be the ultimate solution to make pfSense IPsec VPN go enterprise. Right now it's useless because it doesn't scale and you can't separate user rights with firewall rules.

  • Cant connect - Windows 10

    2
    0 Votes
    2 Posts
    829 Views
    R

    @cmos_battery in case you are still experiencing this it would likely be caused by having multiple similar P2 transforms selected.

  • NAT whole network to IPsec

    1
    0 Votes
    1 Posts
    791 Views
    No one has replied
  • 0 Votes
    2 Posts
    646 Views
    J

    Just found the answer

    The solution was to create another routing table on the 10.4.0.0/24 subnet.

    Both of the below rules were needed on both subnets:

    172.30.0.0/16 - next hop VA IP 10.4.1.4.

    Hindsight is a wonderful thing.

  • PIM and multicast routing on IPSec tunnel

    5
    0 Votes
    5 Posts
    2k Views
    W

    If you doubt the work of other agencies, then trust your gut feeling. As a rule, intuition is always right. The search took rather longer at our company too, I have to admit. In the end we decided on the web agency https://treestones.ch/agentur. Since then the topic is finally off the table. They do a great job and we can concentrate on other things. At the moment prices are going up incredibly when it comes to fuel. We urgently need to come up with a strategy for our company cars.

  • PFSense blocking IPSEC traffic

    1
    0 Votes
    1 Posts
    525 Views
    No one has replied
  • Site to Site to Palo Alto

    1
    0 Votes
    1 Posts
    323 Views
    No one has replied
  • Is there a way to bypass CRL caching?

    2
    1 Votes
    2 Posts
    592 Views
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.