• 0 Votes
    17 Posts
    2k Views
    T

    @gabacho4 Ended up getting support on the case. Ended up being a couple different things. I had a second adapter for testing on my host machine in the same subnet as the VPN which caused some issues. It also appeared to be some firewall rules on their end. I still can't ping them but the devices are talking back to controllers so they must just be blocking ICMP.

  • IPSEC, UPLOAD = 40MB/s, DOWNLOAD = 500KB/s

    12
    0 Votes
    12 Posts
    1k Views
    Y

    @mamawe

    Wireshark capture taken on the LAN of the OVH pfSense:

    https://www.partage-temporaire.fr/2021/06/15/wiresharklanpfsenseovh/

    In this capture you can see me browsing through some folders and then starting the transfer of a file named 1GB.bin at line 937.
    But the navigation is already very slow so I think what you are looking for is before the first communication between the two clients so it will be more in the first lines with the MTU size exchange.

  • Problem with 21.05 and IPSEC tunnel

    Moved
    2
    0 Votes
    2 Posts
    483 Views
    S

    Unsure if you're using IPSEC or not so this may be irrelevant, but have you attempted manually setting gateway 'always up'?
    https://forum.netgate.com/topic/164248/ipsec-site-to-site-won-t-pass-traffic-since-21-05/5

    If that doesn't help I'd make sure there are no traffic shaping rules in place, as those have been extremely buggy lately.

  • How to pass IPsec web traffic through squid transparent proxy

    2
    0 Votes
    2 Posts
    506 Views
    D

    This seems to be a duplicate of

    https://forum.netgate.com/topic/119105/mobile-ipsec-vpn-client-s-traffic-doesn-t-work-with-transparent-squid-ssl-proxy?_=1623401865027

    I decided to ask it again as it's been nearly 4 years without an answer.

    The solution, although perhaps not ideal as it's not automatic, is to supply the details of the proxy when making the connection to the VPN.

  • IPSEC slow and trouble after pass from pfCE to pf+

    1
    0 Votes
    1 Posts
    261 Views
    No one has replied
  • 21.02 and 2.5 upgrade breaks ipsec to Checkpoint FW

    Moved
    22
    0 Votes
    22 Posts
    2k Views
    B

    @jegr the new strongswan/pfsense version, in case of cert ipsec vpn, will look for a private key that corresponds exactly to the identifier.

    Previously this check wasn't done; in the previous version you could also choose the IP as identifier although it was not "stated" as CN or SAN in the cert used for authentication.

  • IPSec site to site won't pass traffic since 21.05

    7
    0 Votes
    7 Posts
    924 Views
    mclabornM

    Mystery solved. It was an intentional change.
    See https://redmine.pfsense.org/issues/11296

  • 0 Votes
    1 Posts
    263 Views
    No one has replied
  • IKEv2

    11
    0 Votes
    11 Posts
    3k Views
    S

    @mamawe the guides I used to set up the firewall and the windows client were both from the netgate website. This other guide I’m using was based on what you said to try and troubleshoot this issue. My phone connects just fine to the firewall. My laptop does not.

  • Ubiquiti UDM to pfSense PtP IPSec tunnel

    4
    0 Votes
    4 Posts
    1k Views
    J

    I confirmed the issue was on the UDM side. Looks like a bug. You need to add a static route on the UDM using the CLI. The static route GUI doesn't actually add the route to the routing table.

  • Ping an external ip through mobile client vpn

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • IPsec tunnels using SHA256 may not connect

    12
    0 Votes
    12 Posts
    2k Views
    L

    Just to close the loop on this, this issue is resolved in 21.05/2.5.2.

    I just finished setting the Crypto device back to AES-NI and BSD Crypto Device (aesni,cryptodev) on my SG-5100. Rebooted to load crypto device change, and happy to report that my IPSEC connections using SHA256 hashing are stable.

    -LamaZ

  • IPSec Remote Access to network across an IPSEC site to site

    2
    0 Votes
    2 Posts
    330 Views
    R

    I was able to resolve my problem with the help of a post: mobile ipsec clients cannot see site to site ipsec lan

    After getting one side to work, I had difficulty getting the other side to work (I have remote access on both sides, so I wanted similar functionality in either direction).

    It turns out that you end up with 2 additional P1 connections and 2 P2 connections.

    I basically had to customize the labels and IP addresses in the article for either direction and then implement them. I just kept getting turned around and that was basically the only way I got it to work. Created two installation sheets for the Work FW and the Home FW.

  • IPSec packet loss/routing issue with 21.02-RELEASE

    Moved
    21
    0 Votes
    21 Posts
    3k Views
    S

    @viniciusmerlim I just upgraded to the new 21.05 release tonight and it seems to have resolved my issues. I re-enabled the AES-NI with no changes to my IPSec configuration on either end. The hardware crypto has been turned back on and my IPSec tunnel is back to working properly with optimal speeds (no latency or speed issues noticed).

    Hopefully that resolves your issue too. I didn't check the changelogs to see if they specifically mentioned this in there, but it definitely fixed the problem for me.

  • PFSENSE breaks VPN after Upgrade

    7
    0 Votes
    7 Posts
    834 Views
    S

    Thanks for the heads up on the update @NOCling

    Just got the upgrade in and reconfigured the AES-NI and everything seems to be working again. The AES-NI is confirmed to be back on and my IPSec tunnels are working at optimum speeds again. Seems to be fixed for my purposes anyway.

    Hope it resolves any issues for everyone else!

  • IPSEC VTI Source based routing issue

    5
    0 Votes
    5 Posts
    664 Views
    ?

    @michaelblly

    Thank you for the feedback.

  • Azure PFSense Virtual Appliance with vnets hub spoke

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • my ipsec fix for 2.5.1 (if you have virtual ip on WAN)

    2
    1 Votes
    2 Posts
    269 Views
    No one has replied
  • Ikev2 vpn with windows 10

    2
    0 Votes
    2 Posts
    472 Views
    G

    I have also now added a new section in phase 2.
    And my Android phone can reach the server in the pfSense LAN. But my Windows client still can't do it.

    A few minutes ago, I connected again on the Windows client,
    and I can ping the pfSense LAN interface (192.168.26.1) and server (192.168.26.10),
    but it still can't ping the internet.

    PS C:\Users\Greg-Admin> ping 192.168.26.10
    Pinging 192.168.26.10 with 32 bytes of data:
    Reply from 192.168.26.10: bytes=32 time=1ms TTL=127
    Reply from 192.168.26.10: bytes=32 time=1ms TTL=127
    Ping statistics for 192.168.26.10:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms
    Control-C
    PS C:\Users\Greg-Admin> ping 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Ping statistics for 192.168.1.1:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C
    PS C:\Users\Greg-Admin> ping 8.8.8.8
    Pinging 8.8.8.8 with 32 bytes of data:
    Control-C

    If I enable split tunneling:
    Get-VpnConnection -Name 'VPN2HOME' |Set-VpnConnection -SplitTunneling:$true

    then my Windows client can at least reach the internet again, but if I understand correctly, this means that the internet traffic is not going via the VPN but using my normal connection.

  • 2.5.1 (from 2.4) and status widget not working

    2
    0 Votes
    2 Posts
    231 Views
    JRubenCJ

    The moment the other tunnel came up (we have 2 in that firewall) the widget began to show the correct information. But not while only one of them was active.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.