@daboomer without knowing how much data, the type of CPU, internet connection, other side CPU, internet connection, consistency of data, etc... The only thing we can say is it will increase CPU load. I consistently push 25Mbps to a datacenter over fiber about 6 miles away... but adding more P2s doesn't change my throughput at all on my 5100 on 1GbE

@rodfcabral same here - been met with silence from pfsense

@viragomann I'm going to test, if there was an working ipsec client to client in the mikrotik, is that seems a good initiatives. thanks a lot

@fifty_bellies You can do this by entering the desired translation network in the phase 2 at "NAT/BINAT translation". However, consider that on the remote site you have also to replace the remote network with the NAT network.

@jimp Thanks for your input! I just activated this option and see if it resolves the issue. Is it best to activate it only on the initiating pfsense or on both sites?

Well according to this documentation NHRP via FRR is not available for FreeBSD. http://docs.frrouting.org/en/latest/overview.html#feature-matrix

Can anyone shed some light on this?

I'm experiencing exactly the same issue

@thatsysadmin said in IPsec VTI does not pass traffic on 2.6.0: But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled? It could probably handle that better, but it's not a valid combination to have a mix of tunnel and VTI even if some are disabled. They should all be the same type, and really there should be at most one VTI P2 per address family (so one IPv4, one IPv6). I'm not sure if we have validation which actively checks for and prevents that yet, though.

It was a problem of sharing multiple destination networks in one child configuration (at pfSense side). Activation of 'Split connections' option seems to solve my problem. As I manage manually the configuration files at server side, it is more simple for me to have separate children (one child per network). Thanks for the assistance!

I added/changed it to AES/SHA256/DH14 in my router and client settings and rekey works! Way better than SHA1/DH2. I can live with this..

Hi there @lmendoza Godaddy https://sysadms.de/2018/09/godaddy-api-fuer-dynamischen-dns-eintrag-unter-pfsense-einrichten/ And you can get valid wildcard certificates (LE) with godaddy's dns api https://sysadms.de/2019/03/lets-encrypt-zertifikate-unter-pfsense-dns-godaddy/ Dynu.com (also you can get valid wildcard certificates (LE) with dynu dns api) https://www.dynu.com/DynamicDNS/IPUpdateClient/PFSense https://www.dynu.com/en-US/Forum/ViewTopic/How-to-create-subdomain/7065 https://community.letsencrypt.org/t/failed-authorization-procedure-the-server-could-not-connect-to-the-client-to-verify-the-domain/60656/4

This eventually got fixed over here: https://forum.netgate.com/topic/162012/pfsense-release-2-5-openvpn-2-5-broken-any-fixes/74?_=1644012845727