• IPsec stopped routing to remote network after upgrade to version 2.6

    4 Votes
    2 Posts
    684 Views
    @rodfcabral same here - been met with silence from pfsense
  • ipsec client to site

    0 Votes
    3 Posts
    757 Views
    @viragomann I'm going to test, if there was a working ipsec client to client in the mikrotik, that seems a good initiative. Thanks a lot.
  • Double NAT outbound over IPSec

    0 Votes
    2 Posts
    663 Views
    @fifty_bellies You can do this by entering the desired translation network in the phase 2 at "NAT/BINAT translation". However, consider that on the remote site you also have to replace the remote network with the NAT network.
  • IPSec keyingtries setting

    0 Votes
    8 Posts
    2k Views
    @jimp Thanks for your input! I just activated this option and will see if it resolves the issue. Is it best to activate it only on the initiating pfsense or on both sites?
  • IKEv2 "RW-equivalent" S2S

    0 Votes
    1 Posts
    442 Views
    No one has replied
  • 0 Votes
    1 Posts
    459 Views
    No one has replied
  • 0 Votes
    2 Posts
    2k Views
    Well, according to this documentation NHRP via FRR is not available for FreeBSD. http://docs.frrouting.org/en/latest/overview.html#feature-matrix
  • MTU through IPSEC Tunnel for UDP Traffic

    0 Votes
    2 Posts
    727 Views
    Can anyone shed some light on this?
  • IPsec IKEv2 for mobile clients : NO_PROPOSAL_CHOSEN

    0 Votes
    1 Posts
    451 Views
    No one has replied
  • IPSec firewall rules not added?

    2 Votes
    2 Posts
    786 Views
    I'm experiencing exactly the same issue
  • IPsec problems after 2.6.0 upgrade

    0 Votes
    1 Posts
    594 Views
    No one has replied
  • IPsec VTI does not pass traffic on 2.6.0

    0 Votes
    28 Posts
    4k Views
    jimp
    @thatsysadmin said in "IPsec VTI does not pass traffic on 2.6.0": "But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled?" It could probably handle that better, but it's not a valid combination to have a mix of tunnel and VTI even if some are disabled. They should all be the same type, and really there should be at most one VTI P2 per address family (so one IPv4, one IPv6). I'm not sure if we have validation which actively checks for and prevents that yet, though.
  • IKEv2 multiple phase 2 - negotiations for one network only

    0 Votes
    5 Posts
    948 Views
    It was a problem of sharing multiple destination networks in one child configuration (at pfSense side). Activation of 'Split connections' option seems to solve my problem. As I manage manually the configuration files at server side, it is more simple for me to have separate children (one child per network). Thanks for the assistance!
  • IKEv2 EAP-TLS Split DNS Not working on Apple iOS

    0 Votes
    1 Posts
    426 Views
    No one has replied
  • IKEv2 IPSEC VPN - Randomly stopped working

    0 Votes
    25 Posts
    5k Views
    I added/changed it to AES/SHA256/DH14 in my router and client settings and rekey works! Way better than SHA1/DH2. I can live with this.
  • DDNS Hostname on remote gateway for IPSEC

    0 Votes
    2 Posts
    545 Views
    werter
    Hi there @lmendoza
    Godaddy: https://sysadms.de/2018/09/godaddy-api-fuer-dynamischen-dns-eintrag-unter-pfsense-einrichten/
    And you can get valid wildcard certificates (LE) with godaddy's dns api: https://sysadms.de/2019/03/lets-encrypt-zertifikate-unter-pfsense-dns-godaddy/
    Dynu.com (also you can get valid wildcard certificates (LE) with dynu dns api):
    https://www.dynu.com/DynamicDNS/IPUpdateClient/PFSense
    https://www.dynu.com/en-US/Forum/ViewTopic/How-to-create-subdomain/7065
    https://community.letsencrypt.org/t/failed-authorization-procedure-the-server-could-not-connect-to-the-client-to-verify-the-domain/60656/4
  • IPSEC site to site VPNs do not work after upgrade to PFsense 5

    0 Votes
    14 Posts
    3k Views
    N8LBV
    This eventually got fixed over here: https://forum.netgate.com/topic/162012/pfsense-release-2-5-openvpn-2-5-broken-any-fixes/74?_=1644012845727
  • USG Pro to NetGate 2100 VPN Tunnel Keeps Dropping

    0 Votes
    1 Posts
    321 Views
    No one has replied
  • IPSEC BOVPN Timeout

    0 Votes
    2 Posts
    415 Views
    jimp
    From that screenshot it appears you have disabled both rekey and reauthentication. So when the P1 expires (at most every 8 hours, likely about 1/2 to 2/3 that time) it can't renegotiate a new P1. The exact method to solve this depends on the tunnel configuration and what the other side supports. Generally speaking, however, you should have a positive value in either rekey or reauth time. See the recommendations for values here for a good guide: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html
  • IPSec missing autogenerated firewall rules over IPv6

    0 Votes
    2 Posts
    474 Views
    Update 1: manually added rules for IPv6: isakmp, sae-urn, esp. Now it works, but I guess this is still a bug.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.