Nevermind.. I gave up and came back 20 mins later and it worked. I have no idea what happened.

Problem Solving:
https://ibb.co/swJn30Q

@milew
I had to add a gateway first, to the other router, then entered a route to the other network

gateway:
Interface: LAN
Gateway: Local Router IP 192.168.3.1

Static Route:
Network: 192.168.2.0/24
Gateway: 192.168.3.1
Interface: LAN
This is based on my network setup, your network might be different.

Just in case someone face same issue: I had to specify a separate Outbound NAT rule for ESP:
Protocol: ESP
Source: This Firewall (self)
Destination: Any
Address: VIP address

quick update - found the root cause...

I was looking at the wrong radius server's logs...
Apparently because I also have a valid user certificate for the same CA on these iOS devices, they'll use that to successfully authenticate against my Freeradius3 install through eap-tls rather than user/pass. Going to have to make some chances there...

I'm still surprised that I never get prompted for a user/pass either when the profile is installed or it tries to authenticate the first time through EAP-RADIUS

@stephen21 said in VPN Client - Connect to Site to Site VPN:

@viragomann said in VPN Client - Connect to Site to Site VPN:

@stephen21
In the remote VPN settings on A add the site B networks to the "Local Networks".

At B add the remote access tunnel network to the "Remote Networks".

Care that the access is allowed in firewall rules.

Hi
Thanks for your suggestion, but these settings are already made otherwise site to site access would not be possible..

My problem is to allow the Remote Client to have access to both Site A and Site B, while only connected to Site A

Thank you

Your Site A <--> Site B VPN would work fine without Site B knowing about the "Dial-in" VPN Lan.

But Site B , would not know how to route packets back to the "Dial-in" VPN clients (via Site A) , unless you have done as @viragomann says.

/Bingo

Make a test environment on the virtual machine and check if you are able to connect. It is a waste of time to guess and look for the reason where it may lie, for example in the enabled DDoS functions on the switch.
Alternatively, you can paste the ipsec logs onto pfsense here.

Any hints for this?
The problem persists and the VPN is blocking 2-3 times per week, it's very annoying.

And the same problem happen on two different pfSense installations, so I'm thinking about a miss-configuration or bug.

Thank you!

By mistake posted this to Redmine as a 'potential' bug, but was told that they do not support this particular hardware. Would appreciate it if anyone else could potentially reproduce or add additional info that might make further investigation possible...

@daddygo

Thanks for the information! It looks like spam : -)

(vagy semmilyen eddigi nyelven nem értették meg a problémát és vérprofi google translate felhasználó)

Do you try Intel Quick Assist?
It shouldn't be affected.