• IPSec Tunnels duplicating phase 2

    9
    0 Votes
    9 Posts
    1k Views
    M

    @jimp I've had an idea which I just tried. I made a subdomain for each phase 2 entry (4 in total), so I connected 1 IPsec (phase 1) with the IP and added another 3 with different subdomains to the same IP and with the different phase 2 entries. Seems to work. Looks pretty ugly but at least it works on 2.5.2.

    ugly ipsec

  • ECDSA certificate and IPSec

    1
    0 Votes
    1 Posts
    454 Views
    No one has replied
  • IPsec - connection failed

    1
    0 Votes
    1 Posts
    423 Views
    No one has replied
  • IpSec Bandwith

    2
    0 Votes
    2 Posts
    561 Views
    E

    Do you have Hardware crypto enabled?

  • IPsec preshared key question

    1
    0 Votes
    1 Posts
    366 Views
    No one has replied
  • One IPSec client failing to get `received packet` at certificate stage

    2
    0 Votes
    2 Posts
    519 Views
    S

    I think I've maybe found the issue. I think his home ISP is blocking something. If he creates a wifi hotspot on his smartphone, his Windows PC can then connect to our VPN!

  • IPSec split tunneling

    2
    0 Votes
    2 Posts
    672 Views
    V

    @billyhart01 said in IPSec split tunneling:

    What am I doing wrong?

    If you tell us what you did, maybe someone can answer this question.

  • One connection drops the other

    5
    0 Votes
    5 Posts
    1k Views
    E

    @dylanw Hi, did you find a solution for this? Because even with the new 2.6.0 beta I experience the same issue. Still staying on 2.5.1 for that reason.

    Thanks

  • High CPU usage with IPSec

    7
    0 Votes
    7 Posts
    4k Views
    S

    Just ran into this ourselves...on this router back in late September I stopped pcscd but I didn't bother installing the patch since 21.09 was presumably imminent. Fast forward a few months and we're setting up IPSec, with pcscd long stopped. Diag/activity showed 88% idle at the top, yet had the lines for charon and syslogd and the idle/CPU entries were only a few percent. Starting pcscd dropped CPU use to normal. Patch + stop IPSec + stop pcscd + start IPSec fixed it.

  • draytek 2920 ipsec to Pfsense

    3
    0 Votes
    3 Posts
    693 Views
    D

    Hello and thank you for your answer,

    Let me rephrase what I meant to say:

    I have an older Draytek 2920 router that I would like to use as a site-to-site router based on IPsec.

    In my home I have a pfSense box that already has a few OpenVPN servers running.

    Instead of selling / throwing the Draytek router away I would like to use it as an IPsec site-to-site router,

    with the Draytek dialing out to my pfSense box...

    Can anybody help me with this? IPsec is new for me.

    Thanks in advance

  • Site To Site Tunnel packet loss at the beginning

    1
    0 Votes
    1 Posts
    331 Views
    No one has replied
  • nat some addresses in ipsec tunnel

    2
    0 Votes
    2 Posts
    543 Views
    V

    @gregoire
    This can only be done with BINAT in P2.
    However, it either requires that the local network and the NAT network have equal subnet sizes or that the translation network is a single address.

  • 0 Votes
    2 Posts
    451 Views
    V

    Searching with right keywords, I found the solution for the routing issue :

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

    I created the Outbound NAT as explained in the link above, and now the backup node is accessible from my remote location.

  • Provide Site to Site VPN to all AWS VPCs

    1
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • Make Hosts available that are not in a phase2 subnet

    9
    0 Votes
    9 Posts
    1k Views
    T

    @viragomann

    I finally managed to do it by adding 10.10.10.0/24 to phase 2 at local and remote site.
    I should have been more concrete in the initial problem description.
    The problem was not that I could not add a phase 2 entry at the remote site, but that there is another router between the VPN remote gateway and the remote clients.
    And it would have been impossible for me to add routes on this router.

    Now I added 10.10.10.0/24 as phase 2 just to bring up the tunnel and force the kernel to route the traffic (DNS responses) over IPSec. In this configuration, native communication between 192.168.0.0/24 and 10.10.10.0/24 is still not possible, but port forwarding from 10.120.0.250>10.10.10.10 now works like a charm 👍

    So it's more like a hack than a solution, but it's not stupid as long as it works 😁

    Thank you for your support and merry christmas! 🎄

  • Opposite of BINAT

    2
    1 Votes
    2 Posts
    768 Views
    L

    @jcropsey-clearwave said in Opposite of BINAT:

    Hey friend, I've been facing the same problem for quite a while now, did you manage to somehow handle this case? I think I got a solution to that.

  • router traffic from one IPsec tunnel thru another tunnel?

    2
    0 Votes
    2 Posts
    536 Views
    heiko.ecm4uH

    I spent several hours in trial and error with Routed IPsec (VTI) but finally ended up using a (NATed) OpenVPN config behind the partner IPsec tunnel.
    The main issues I had were with an endpoint using dynamic IPs and the lack of knowledge of how to use a VTI config if the other side uses a P2 config without VTI. It looks like pfSense is mixing up P2 phases when using 0.0.0.0 on the other side due to dynamic IPs. Ubiquiti (on one partner side) is not supporting dynamic IPs at all when using VTI.

  • IPSEC S2S routing one subnet thru other gateway

    4
    0 Votes
    4 Posts
    650 Views
    heiko.ecm4uH

    @restrictedr Routed IPsec (VTI) may work in your scenario but I had a hard time and ended up using OpenVPN. The restrictions and/or best practices are not well documented and additionally will not work if you have endpoints using dynamic IPs.

  • L2TP-IPSEC Client to Site - Route Some Pages Only

    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
  • multiple IPSEC tunnels via CARP vip

    8
    0 Votes
    8 Posts
    1k Views
    D

    Custom script + cron do the job.

    When I have time I will summarize and provide more info for the script.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.