• Linking multiple sites with one connection per site or without NAT

    0 Votes
    1 Posts
    289 Views
    No one has replied
  • IPsec can not ping site B

    0 Votes
    3 Posts
    600 Views

    @scorpoin Try to change the LAN rule to "any any" to include ICMP in your rule. Ping is ICMP.

  • Mobile IPSEC - Multiple mobile clients with the same public ip

    0 Votes
    7 Posts
    949 Views

    up

  • 0 Votes
    4 Posts
    1k Views

    Just to reply to my own question: I exported the wrong certificate. I had to download the end-entity certs, which are auto-generated during the Site-to-Site VPN setup. Once I exported the correct one, the tunnel was established.

    -San

  • No traffic through site-to-site

    0 Votes
    1 Posts
    278 Views
    No one has replied
  • 0 Votes
    1 Posts
    296 Views
    No one has replied
  • Traffic will not route through site-to-site VPN

    0 Votes
    5 Posts
    744 Views

    @mamawe
    Yeah the logs haven't been super helpful, without any traffic flowing there's really not much to look at. These 10 connections on the pfsense machine aren't currently active, we had to switch back to our old VPN server after we tried and failed to get traffic moving out of the tunnel.

  • 0 Votes
    4 Posts
    760 Views

    @bp81
    I would also recommend going with VTI mode as @dotdash proposed.

    You can then use gateway groups for the routing and avoid the routing process.

  • DNS Resolver forward over IPSEC site-to-site VPN

    0 Votes
    5 Posts
    2k Views
    DaddyGo

    @byte0 said in DNS Resolver forward over IPSEC site-to-site VPN:

    All is well.

    Yup, it's best to be the master of your system, pfSense does not invent new things, it just implements what we already knew.... 😉

    Thanks for your follow up

  • ipsec ikeV2 shared nat subnet

    0 Votes
    1 Posts
    227 Views
    No one has replied
  • Not sure what is happening

    0 Votes
    1 Posts
    224 Views
    No one has replied
  • Not able to set Local Network to Network in IPsec Phase 2

    0 Votes
    3 Posts
    520 Views

    @ar-thomas VTI IPsec is different from a policy-based IPsec connection. You aren't making policies for networks; rather, you are merely creating a gateway over which you can route specific traffic based on static routes and policy-based routing. There was a very helpful hangout that was done on VTI IPsec right after it was included in pfSense. I've referred to it a few times over the years myself. It can be found at:

    https://www.slideshare.net/NetgateUSA/routed-ipsec-on-pfsense-244-pfsense-hangout-june-2018

    As the hangout and the pfSense documentation indicate, you need to be very sure that the settings (IKE type, which should be 2; encryption and hash; etc.) are exactly the same on both the 7100 and the 5100.

    Try setting things up from scratch after reviewing the slides and, if you still have issues, please post screenshots of your P1, P2, gateway and static routes for both sides.

    Also, any reason you haven’t updated the 7100 to 21.05?

  • IKEv2 VPN for Mobile Clients using Mutual Certificate + XAuth

    1 Votes
    1 Posts
    453 Views
    No one has replied
  • IPSec VPN With Fortigate Failed

    0 Votes
    2 Posts
    957 Views

    Hi team, for update:

    I just changed the encryption method on both sites and now pfSense generates a new log:

    Jun 18 16:32:19 charon 11[CFG] constraint requires public key authentication, but pre-shared key was used
    Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> constraint requires public key authentication, but pre-shared key was used
    Jun 18 16:32:19 charon 11[CFG] selected peer config 'bypasslan' unacceptable: non-matching authentication done
    Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> selected peer config 'bypasslan' unacceptable: non-matching authentication done

    Both sites are configured to use PSK, and based on the log the authentication is OK, but some other log lines require public key authentication. Not sure what it is. Please help with advice.

  • site-2-site IPSec IKEv2 vpn with cisco

    0 Votes
    1 Posts
    257 Views
    No one has replied
  • Route one VLAN over L2TP/PPTP to Unifi

    0 Votes
    1 Posts
    455 Views
    No one has replied
  • IPSEC - NAT - PFSENSE

    0 Votes
    2 Posts
    545 Views

    @yazur Solution:
    PFSENSE OVH: https://nsa40.casimages.com/img/2021/06/16/210616052718680814.png
    PFSENSE GDD: https://nsa40.casimages.com/img/2021/06/16/210616052659440990.png

  • 0 Votes
    4 Posts
    562 Views
    jimp

    2.3.2 is 6 years old. No system is so important that it can't have any downtime in 6 years to upgrade, and if it was, it should be in HA so upgrades have minimum impact.

    Upgrade.

  • Problems with IKEv2 VPN from iOS, with certificate based user auth

    0 Votes
    1 Posts
    272 Views
    No one has replied
  • IPsec "trap not found, unable to acquire reqid"

    0 Votes
    2 Posts
    335 Views

    Added IPsec to watchdog:

    #!/usr/bin/env bash
    # Kill charon when the IPsec log shows the "trap not found" lockup message.
    if [ "$(tail /var/log/ipsec.log | /usr/bin/grep "trap not found, unable to acquire reqid" | /usr/bin/wc -l)" -gt "0" ]; then
        kill -9 "$(cat /var/run/charon.pid)"
        echo "Executed Charon kill script, IPsec seems locked up"
    fi

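The watchdog posted above re-reads the last ten lines of the log on every run, so the same stuck message can trigger a kill on every cron tick, and it trusts whatever pid is in charon.pid. The script below is an added example, written for this page and not taken from the post or from pfSense: it greps only the log bytes appended since its previous run (keeping a byte offset in a state file, and starting over if the log has been rotated), checks with ps that the pid really is a live charon before sending SIGKILL, and reports through logger instead of echo. The log and pid-file paths are the ones from the post; the state-file path and the `run` argument are assumptions of this example. It is written for POSIX sh rather than bash, since that is what a stock pfSense install has.

```shell
#!/bin/sh
# Added example, not the forum poster's script: a stateful charon watchdog.
# Assumed paths (override via environment); log and pid file match the post.
IPSEC_LOG="${IPSEC_LOG:-/var/log/ipsec.log}"
CHARON_PID_FILE="${CHARON_PID_FILE:-/var/run/charon.pid}"
STATE_FILE="${STATE_FILE:-/var/db/ipsec_watchdog.offset}"   # assumed location
PATTERN='trap not found, unable to acquire reqid'

# Print how many lines matching PATTERN were appended to log $1 since the
# last call, tracking the byte offset in state file $2. A log that shrank
# (rotation or truncation) resets the offset so nothing is skipped.
new_matches() {
    log="$1"; state="$2"
    size=$(wc -c < "$log" | tr -d ' ')
    prev=0
    if [ -f "$state" ]; then
        prev=$(cat "$state")
    fi
    if [ "$prev" -gt "$size" ]; then
        prev=0
    fi
    # tail -c +N prints from byte N (1-based); grep -c exits 1 on zero hits,
    # so "|| true" keeps the count ("0") without aborting under set -e.
    count=$(tail -c +$((prev + 1)) "$log" | grep -cF "$PATTERN" || true)
    printf '%s\n' "$size" > "$state"
    printf '%s\n' "$count"
}

# Succeed only if the pid file names a live process whose command is charon,
# so a stale pid file cannot make us SIGKILL an unrelated, recycled pid.
charon_pid_is_live() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    [ "$(ps -p "$pid" -o comm= 2>/dev/null)" = "charon" ]
}

main() {
    hits=$(new_matches "$IPSEC_LOG" "$STATE_FILE")
    if [ "$hits" -eq 0 ]; then
        return 0
    fi
    if charon_pid_is_live "$CHARON_PID_FILE"; then
        kill -9 "$(cat "$CHARON_PID_FILE")"
        logger -t ipsec_watchdog "killed charon: $hits new '$PATTERN' lines"
    else
        logger -t ipsec_watchdog "$hits new '$PATTERN' lines but no live charon pid; not killing"
    fi
}

# Run from cron as: ipsec_watchdog.sh run   (no argument only defines the functions)
case "${1:-}" in
    run) main ;;
esac
```

A SIGKILL drops every tunnel at once, and this script, like the original, does not restart charon itself; confirm how your pfSense version brings the IPsec service back before scheduling it from cron.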
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.