• Site2Site VPN with IP-based routing (no subnet)

    0 Votes
    4 Posts
    440 Views
    Seems like a perfectly good use case for Tailscale
  • Destination NAT/port forward on policy-based IPsec Site-to-Site VPN

    0 Votes
    8 Posts
    876 Views
    @viragomann Okay, I understand! Thanks for your help! In two weeks the connection will be implemented, then I'll get back to you on this.
  • IPSec Site-to-Site SPD not matching Phase2 Policies

    0 Votes
    2 Posts
    481 Views
    keyser
    @plep Yeah, it can be a bit confusing. pfSense by default attempts to “combine” the subnets in P2s into one. That causes issues just like described, where your other P2s are “extended” from only the remote subnet to 0.0.0.0/0. To avoid this you need to tick the “Split Connections” box on your P1 for the tunnel; then it will create several independent P2s like the other end.
  • IPSEC - Not passing traffic on 1 site to site config

    0 Votes
    2 Posts
    194 Views
    No one has replied
  • IPSec is connected but not passing traffic

    0 Votes
    3 Posts
    818 Views
    @NdubYu I appreciate this is an old topic, but I have the same problem. Were you able to resolve it? What was the issue? Thank you
  • 0 Votes
    3 Posts
    346 Views
    Just for information to everyone, the problem was solved by changing (on both sides, of course) from IKE v1 to IKE v2.
  • VTI ipsec tunnel unknown status

    0 Votes
    2 Posts
    201 Views
    @aldomoro Aha, so restarting dpinger helped me to get the VTI interface to the online status. https://redmine.pfsense.org/issues/12764 The Zabbix issue will be another story.
  • Clarification of IPSec tunnel mode terminology

    0 Votes
    1 Posts
    174 Views
    No one has replied
  • 0 Votes
    17 Posts
    3k Views
    getcom
    @viragomann said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working: "@getcom I guess it is an unerring admin of a big company, likewise it was in my case." A 150% admin... and yes, a big company. I sent him the log extracts in April and told him that I thought the problem might be a typo in the profile. Of course, he didn't believe me. Then we had a long, detailed e-mail ping-pong until he understood that he needed to look more closely at his Cisco router...
  • S2S IPSec With VTI Questions

    0 Votes
    1 Posts
    164 Views
    No one has replied
  • IPsec Tunnel working, but not for one of the P2 on site 3

    0 Votes
    1 Posts
    160 Views
    No one has replied
  • Issue with access to site connected to remote via IPSec

    0 Votes
    4 Posts
    257 Views
    @maverickws said in Issue with access to site connected to remote via IPSec: "Yeah, that sorted it. I thought that by adding the network to the VPN settings it would automatically add it to the routing table, but it didn't; in VTI with static routes, that is required." Glad that it sorted out.
  • Web interface no longer accessible

    0 Votes
    2 Posts
    186 Views
    Gertjan
    @AdminTS said in Web interface no longer accessible: "... you imagine something like this?" Not at all. Sorry, because:
    @AdminTS said in Web interface no longer accessible: "Now we also set up a VPN connection on the other side, a physical firewall (Cisco Meraki). If we save the configuration data of the Cisco Meraki, access to the pfsense web interface is no longer possible. Only when we delete the configurations on the Cisco Meraki does everything work as usual again."
    I rephrase: When we activate the IPSEC connection, the connection (to the GUI) is lost. When you remove the IPSEC connection, the connection (to the GUI) works again. Right?
    Without the IPSEC, from where / how do you access the pfSense GUI?
    Basically: tell us all about your IPSEC (and other) config, and we will tell you what is wrong ^^ (Btw: I'm more an OpenVPN user - didn't have the occasion to meet with IPSEC before)
  • 0 Votes
    5 Posts
    669 Views
    @Gblenn Just tested it with /31 and it works. For route-based IPsec the gateway is created automatically when you assign the tunnel to an interface. I haven't tried with /32 tho. But I tried with a larger subnet like /24. I guess it's like what you said: as long as they are on the same subnet it will work. Just that for a point-to-point connection with a single transit network it doesn't make sense to use something larger that contains more than 2 IPs.
  • Netgate 7100 pfSense 24.11 upgrade breaks ipsec tunnel

    0 Votes
    2 Posts
    339 Views
    I do notice in 24.11, the LAN interface and LAN subnet are having a different link number:
        192.168.6.0/24 link#21 U lagg0.4091
        192.168.6.1 link#16 UHS lo0
    You can see link#21 vs link#16. I don't have a 24.03 anymore, but on my other 22.05, the link numbers are the same:
        10.147.10.0/24 link#20 U lagg0.40
        10.147.10.1 link#20 UHS lo0
    Could this impact how ipsec policy does the route selection?
  • Solved: Issue with Cisco ASA - Single Traffic Selector per Child SA

    0 Votes
    1 Posts
    188 Views
    No one has replied
  • Issue with multiple P2 phases using NAT/BINAT on pfSense

    0 Votes
    11 Posts
    581 Views
    @viragomann Yes, I think so too.
  • IPsec communication between site A and C through site B (Hub and Spoke)

    0 Votes
    3 Posts
    298 Views
    Thanks for the answer @keyser. I checked here that the "Split connections" option just appears with IKEv2 only; in my case the IPsec configuration is working with IKEv1. So I will need to try this outside of the company working hours. About creating an IPsec tunnel from A to C, it has a few reasons: one is that site B is the main core, so we centralized all the configuration there, and to be honest my real scenario has more than 3 spokes, so creating a lot of new IPsec tunnels on site A would transform this firewall into a second core. Anyway, thanks for the help, I will read more about it and try enabling this option to check if it works.
  • 24.11 - Mobile Group Pools Do Not Update Automatic Outbound NAT

    0 Votes
    1 Posts
    151 Views
    No one has replied
  • Site-to-Site VPN Configuration on pfSense with Source NAT

    0 Votes
    3 Posts
    328 Views
    The issue was related to the port 8080 rule on the Juniper device. After making the adjustment, access was granted, and everything worked perfectly. Thank you!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.