• Not sure what is happening

    0 Votes
    1 Posts
    233 Views
    No one has replied
  • Not able to set Local Network to Network in IPsec Phase 2

    0 Votes
    3 Posts
    624 Views
    @ar-thomas VTI IPSec is different than a policy IPSec connection. You aren’t making policies for networks; rather, you are merely creating a gateway over which you can route specific traffic based on static routes and policy based routing. There was a very helpful hangout that was done on VTI IPSec right after it was included in pfsense. I’ve referred to it a few times over the years myself. It can be found at: https://www.slideshare.net/NetgateUSA/routed-ipsec-on-pfsense-244-pfsense-hangout-june-2018 As the hangout and the pfsense documentation indicate, you need to be very sure that the settings, IKE type (should be 2), encryption and hash, etc., are exactly the same in both the 7100 and 5100. Try setting things up from scratch after reviewing the slides and, if you still have issues, please post screenshots of your P1, P2, gateway and static routes for both sides. Also, any reason you haven’t updated the 7100 to 21.05?
  • IKEv2 VPN for Mobile Clients using Mutual Certificate + XAuth

    1 Votes
    1 Posts
    493 Views
    No one has replied
  • IPSec VPN With Fortigate Failed

    0 Votes
    2 Posts
    997 Views
    Hi team, for update: I just changed the encryption method on both sites and now pfSense generates a new log:

        Jun 18 16:32:19 charon 11[CFG] constraint requires public key authentication, but pre-shared key was used
        Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> constraint requires public key authentication, but pre-shared key was used
        Jun 18 16:32:19 charon 11[CFG] selected peer config 'bypasslan' unacceptable: non-matching authentication done
        Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> selected peer config 'bypasslan' unacceptable: non-matching authentication done

    Both sites are configured to use PSK, and based on the log the authentication is OK, but some other log lines require public key authentication. Not sure what it is. Please advise.
  • site-2-site IPSec IKEv2 vpn with cisco

    0 Votes
    1 Posts
    288 Views
    No one has replied
  • Route one VLAN over L2TP/PPTP to Unifi

    0 Votes
    1 Posts
    495 Views
    No one has replied
  • IPSEC - NAT - PFSENSE

    0 Votes
    2 Posts
    603 Views
    @yazur Solution: PFSENSE OVH: https://nsa40.casimages.com/img/2021/06/16/210616052718680814.png PFSENSE GDD: https://nsa40.casimages.com/img/2021/06/16/210616052659440990.png
  • 0 Votes
    4 Posts
    684 Views
    jimp
    2.3.2 is 6 years old. No system is so important that it can't have any downtime in 6 years to upgrade, and if it was, it should be in HA so upgrades have minimum impact. Upgrade.
  • Problems with IKEv2 VPN from iOS, with certificate based user auth

    0 Votes
    1 Posts
    310 Views
    No one has replied
  • IPsec "trap not found, unable to acquire reqid"

    0 Votes
    2 Posts
    373 Views
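    Added IPsec to watchdog:

        #!/usr/bin/env bash
        # Count matches of the lock-up error in the last lines of the IPsec log.
        if [ $(tail /var/log/ipsec.log | /usr/bin/grep "trap not found, unable to acquire reqid" | /usr/bin/wc -l) -gt "0" ]; then
            # Force-kill charon using the PID recorded in its pid file.
            kill -9 $(cat /var/run/charon.pid)
            echo "Executed Charon kill script, IPsec seems locked up"
        fi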
  • 0 Votes
    17 Posts
    2k Views
    @gabacho4 Ended up getting support on the case. Ended up being a couple different things. I had a second adapter for testing on my host machine in the same subnet as the VPN which caused some issues. It also appeared to be some firewall rules on their end. I still can't ping them but the devices are talking back to controllers so they must just be blocking icmp
  • IPSEC, UPLOAD = 40MB/s, DOWNLOAD = 500KB/s

    0 Votes
    12 Posts
    1k Views
    @mamawe Wireshark capture made on the LAN of pfSense OVH: https://www.partage-temporaire.fr/2021/06/15/wiresharklanpfsenseovh/ In this capture you can see me browsing through some folders and then starting the transfer of a file named 1GB.bin at line 937. But the navigation is already very slow, so I think what you are looking for is before the first communication between the two clients, so it will be more in the first lines with the MTU size exchange.
  • Problem with 21.05 and IPSEC tunnel

    Moved
    0 Votes
    2 Posts
    531 Views
    Unsure if you're using IPSEC or not so this may be irrelevant, but have you attempted manually setting gateway 'always up'? https://forum.netgate.com/topic/164248/ipsec-site-to-site-won-t-pass-traffic-since-21-05/5 If that doesn't help I'd make sure there are no traffic shaping rules in place, as those have been extremely buggy lately.
  • How to pass IPsec web traffic through squid transparent proxy

    0 Votes
    2 Posts
    563 Views
    This seems to be a duplicate of https://forum.netgate.com/topic/119105/mobile-ipsec-vpn-client-s-traffic-doesn-t-work-with-transparent-squid-ssl-proxy?_=1623401865027 I decided to ask it again as it's been nearly 4 years without an answer. The solution, although perhaps not ideal as it's not automatic, is to supply the details of the proxy when making the connection to the VPN.
  • IPSEC slow and trouble after pass from pfCE to pf+

    0 Votes
    1 Posts
    291 Views
    No one has replied
  • 21.02 and 2.5 upgrade breaks ipsec to Checkpoint FW

    Moved 21.02 2.5 ipsec
    0 Votes
    22 Posts
    3k Views
    @jegr the new strongswan/pfsense version, in case of cert ipsec vpn, will look for a private key that corresponds exactly to the identifier. Previously this check wasn't done; in the previous version you could also choose the IP as identifier although it was not "stated" as CN or SAN in the cert used for authentication.
  • IPSec site to site won't pass traffic since 21.05

    0 Votes
    7 Posts
    1k Views
    mclaborn
    Mystery solved. It was an intentional change. See https://redmine.pfsense.org/issues/11296
  • 0 Votes
    1 Posts
    308 Views
    No one has replied
  • IKEv2

    0 Votes
    11 Posts
    3k Views
    @mamawe the guides I used to set up the firewall and the windows client were both from the netgate website. This other guide I’m using was based on what you said to try and troubleshoot this issue. My phone connects just fine to the firewall. My laptop does not.
  • Ubiquiti UDM to pfSense PtP IPSec tunnel

    0 Votes
    4 Posts
    2k Views
    I confirmed the issue was on the UDM side. Looks like a bug. You need to add a static route on the UDM using the CLI. The static route GUI doesn't actually add the route to the routing table.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.