• Ping an external ip through mobile client vpn

    1
    0 Votes
    1 Posts
    276 Views
    No one has replied
  • IPsec tunnels using SHA256 may not connect

    12
    0 Votes
    12 Posts
    3k Views
    L
    Just to close the loop on this, this issue is resolved in 21.05/2.5.2. I just finished setting the Crypto device back to AES-NI and BSD Crypto Device (aesni,cryptodev) on my SG-5100. Rebooted to load crypto device change, and happy to report that my IPSEC connections using SHA256 hashing are stable. -LamaZ
  • IPSec Remote Access to network across an IPSEC site to site

    2
    0 Votes
    2 Posts
    384 Views
    R
    I was able to resolve my problem with the help of a post: mobile ipsec clients cannot see site to site ipsec lan. After getting one side to work, I had difficulty getting the other side to work (I have remote access on both sides, so I wanted similar functionality in either direction). It turns out that you end up with 2 additional P1 connections and 2 P2 connections. I basically had to customize the labels and IP addresses in the article for either direction and then implement them. I just kept getting turned around and that was basically the only way I got it to work. Created two installation sheets for the Work FW and the Home FW.
  • IPSec packet loss/routing issue with 21.02-RELEASE

    Moved
    21
    0 Votes
    21 Posts
    4k Views
    S
    @viniciusmerlim I just upgraded to the new 21.05 release tonight and it seems to have resolved my issues. I re-enabled the AES-NI with no changes to my IPSec configuration on either end. The hardware crypto has been turned back on and my IPSec tunnel is back to working properly with optimal speeds (no latency or speed issues noticed). Hopefully that resolves your issue too. I didn't check the changelogs to see if they specifically mentioned this in there, but it definitely fixed the problem for me.
  • PFSENSE breaks VPN after Upgrade

    7
    0 Votes
    7 Posts
    1k Views
    S
    Thanks for the heads up on the update, @NOCling. Just got the upgrade in and reconfigured the AES-NI and everything seems to be working again. The AES-NI is confirmed to be back on and my IPSec tunnels are working at optimum speeds again. Seems to be fixed for my purposes anyway. Hope it resolves any issues for everyone else!
  • IPSEC VTI Source based routing issue

    5
    1
    0 Votes
    5 Posts
    708 Views
    ?
    @michaelblly Thank you for the feedback.
  • Azure PFSense Virtual Appliance with vnets hub spoke

    1
    0 Votes
    1 Posts
    213 Views
    No one has replied
  • my ipsec fix for 2.5.1 (if you have virtual ip on WAN)

    2
    1 Votes
    2 Posts
    285 Views
    No one has replied
  • Ikev2 vpn with windows 10

    2
    1
    0 Votes
    2 Posts
    497 Views
    G
    I also now added a new section in phase 2 [image: 1622494927687-2777d4e1-b2d3-4274-9c5d-f186f446ff5b-image.png]
    And my Android phone can reach the server in the pfSense LAN. But my Windows client still can't do it.
    A few minutes ago, I connected again on the Windows client, and I can ping the pfSense LAN interface (192.168.26.1) and server (192.168.26.10), but it still can't ping the internet.
    PS C:\Users\Greg-Admin> ping 192.168.26.10
    Pinging 192.168.26.10 with 32 bytes of data:
    Reply from 192.168.26.10: bytes=32 time=1ms TTL=127
    Reply from 192.168.26.10: bytes=32 time=1ms TTL=127
    Ping statistics for 192.168.26.10:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
    Control-C
    PS C:\Users\Greg-Admin> ping 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Ping statistics for 192.168.1.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C
    PS C:\Users\Greg-Admin> ping 8.8.8.8
    Pinging 8.8.8.8 with 32 bytes of data:
    Control-C
    If I enable split tunneling
    Get-VpnConnection -Name 'VPN2HOME' | Set-VpnConnection -SplitTunneling:$true
    then my Windows client can at least reach the internet again, but if I understand correctly, this means that the internet traffic is not going via the VPN, but using my normal connection.
  • 2.5.1 (from 2.4) and status widget not working

    2
    2
    0 Votes
    2 Posts
    245 Views
    JRubenCJ
    The moment the other tunnel came up (we have 2 in that firewall) the widget began to show the correct information. But not while only one of them was active.
  • Issue setting up IKEv2

    2
    0 Votes
    2 Posts
    294 Views
    F
    Never mind... I gave up and came back 20 mins later and it worked. I have no idea what happened.
  • IPSEC - Pfsense - subnet /16

    2
    0 Votes
    2 Posts
    459 Views
    Y
    Problem Solving: https://ibb.co/swJn30Q
  • Checkpoint R80.40 VPN

    1
    1 Votes
    1 Posts
    696 Views
    No one has replied
  • DNS won't resolve from IPsec pfsense router

    4
    3
    0 Votes
    4 Posts
    747 Views
    E
    @milew I had to add a gateway first, to the other router, then entered a route to the other network gateway:
    Interface: LAN
    Gateway: Local Router IP 192.168.3.1
    Static Route:
    Network: 192.168.2.0/24
    Gateway: 192.168.3.1
    Interface: LAN
    This is based on my network setup, your network might be different.
  • IPSEC ESP uses wrong source IP

    2
    0 Votes
    2 Posts
    257 Views
    J
    Just in case someone faces the same issue: I had to specify a separate Outbound NAT rule for ESP:
    Protocol: ESP
    Source: This Firewall (self)
    Destination: Any
    Address: VIP address
  • IPsec with EAP-RADIUS connects without user/pass

    2
    0 Votes
    2 Posts
    400 Views
    S
    Quick update - found the root cause... I was looking at the wrong RADIUS server's logs... Apparently because I also have a valid user certificate for the same CA on these iOS devices, they'll use that to successfully authenticate against my Freeradius3 install through eap-tls rather than user/pass. Going to have to make some changes there... I'm still surprised that I never get prompted for a user/pass either when the profile is installed or it tries to authenticate the first time through EAP-RADIUS.
  • VPN Client - Connect to Site to Site VPN

    Moved
    6
    1
    0 Votes
    6 Posts
    920 Views
    bingo600B
    @stephen21 said in VPN Client - Connect to Site to Site VPN:
    @viragomann said in VPN Client - Connect to Site to Site VPN:
    @stephen21 In the remote VPN settings on A add the site B networks to the "Local Networks". At B add the remote access tunnel network to the "Remote Networks". Care that the access is allowed in firewall rules.
    Hi, thanks for your suggestion, but these settings are already made, otherwise site to site access would not be possible. My problem is to allow the Remote Client to have access to both Site A and Site B, while only connected to Site A. Thank you
    Your Site A <--> Site B VPN would work fine without Site B knowing about the "Dial-in" VPN LAN. But Site B would not know how to route packets back to the "Dial-in" VPN clients (via Site A), unless you have done as @viragomann says.
    /Bingo
  • IPsec not working after upgrades

    2
    0 Votes
    2 Posts
    490 Views
    M
    Make a test environment on the virtual machine and check if you are able to connect. It is a waste of time to guess and look for the reason where it may lie, for example in the enabled DDoS functions on the switch. Alternatively, you can paste the ipsec logs onto pfsense here.
  • Phase 2 mobile clients

    2
    0 Votes
    2 Posts
    292 Views
    No one has replied
  • Not being able to connect to a CISCO ASA on PfSense

    1
    1
    0 Votes
    1 Posts
    391 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.