• Phase 2 disconnects but phase 1 remains up

    2
    0 Votes
    2 Posts
    232 Views
    @oscar-pulgarin Maybe the logs give hints on what is going wrong. Check both sites.
  • Two subnets sometimes unavailable on other side of site-to-site IPSec VPN

    3
    0 Votes
    3 Posts
    261 Views
    @Decepticon Thanks for the reply. This is an IPSec VPN, and I use the gateway monitoring for multi-wan failover. The IPSec gateways don't show in that section, but I do think it has something to do with a route not advertising.
  • Remote VPN Advice?

    7
    0 Votes
    7 Posts
    2k Views
    JonathanLee
    OpenVPN can be configured for smartphone use and set up to access a NAS at home or what have you.
  • Can't See Remote Network Shares

    5
    0 Votes
    5 Posts
    400 Views
    I thought I'd post what I did and what solved my problem. I can now see (access) the remote shares on all computers. The two computers that I could not reach by entering \\local computer IP address in Windows Explorer were both updated to the latest 24H2 version of Windows 11 Pro. I couldn't figure out how to create custom firewall rules on these computers. So instead, I went to Settings>Privacy & Security>Windows Security>Firewall & Network Protection>Allow an app through firewall. In the list of apps "File and Printer Sharing" was already checked for a private network. But there was also listed "File and Printer Sharing (Restrictive)" that was not checked. That entry is not present on version 23H2 of Windows 11 Pro. I checked the private network option, and now I can reach the network shares on both computers using \\local computer IP address in Windows Explorer. I thought this might be helpful if others have the same issue with a site to site IPsec VPN.
  • 0 Votes
    2 Posts
    231 Views
    Hi, you may try to reboot the pfSense, the routing table is sometimes a little bit weird.
  • Site-to-Site IPSec w/one side behind NAT?

    4
    0 Votes
    4 Posts
    2k Views
    @TheWaterbug If it's a policy-based IPSec there is no possibility to route certain hosts over it, you would only be able to route all upstream traffic over the VPN. If it's a VTI you can do this.
  • Odd IPSec Situation - Can't Figure It Out

    1
    0 Votes
    1 Posts
    180 Views
    No one has replied
  • slow transfer speeds over ipsec

    39
    0 Votes
    39 Posts
    3k Views
    planedrop
    @hescominsoon Glad it's working better now. SMB will definitely be slower but should be far more usable.
  • DNS override only when IPsec tunnel is up

    1
    0 Votes
    1 Posts
    196 Views
    No one has replied
  • 0 Votes
    1 Posts
    146 Views
    No one has replied
  • IPsec tunnels (new to this)

    2
    0 Votes
    2 Posts
    249 Views
    @RET63 If pfSense is behind a router you probably have to update the identifier on both sites. If you have changed the ISP router also remember to configure the port forwarding on it.
  • IPsec Tunnel Woes

    3
    0 Votes
    3 Posts
    344 Views
    @pharceface You want to access the remote site from pfSense itself or access a service on pfSense from remote? Then you'll need a Static Route Workaround as explained in the docs.
  • 0 Votes
    17 Posts
    2k Views
    @michmoor said in "More than one IPSec tunnel phase1 is fine, but adding another phase1 prevents an existing tunnel from re-establishing a connection": "@jimp nice. I have been following this out of curiosity. I have been a bit worried about the stability of IPsec on the platform based on my current experience so this has been an interesting post to follow. I would've never thought about the remote id being a problem. Makes sense" Indeed an interesting finding and definitely something to investigate to see if it resolves my issue...
  • 0 Votes
    2 Posts
    183 Views
    lifeboy
    Sorry, I didn't realise this will create a new thread. Can an admin delete this please?
  • IPSEC Tunnel traffic only works one way

    3
    0 Votes
    3 Posts
    430 Views
    @viragomann Thanks! Your reply helped me understand the flow which I was trying to do from the IPSEC and WAN Rules. Kept the WAN Rules simple and fixed IPSEC Rules and added LAN rule. Works now! Thank you for a quick educational lesson!!
  • ipsec not finding peer config

    4
    0 Votes
    4 Posts
    738 Views
    @viragomann thank you very much, it now works. It was set as "My IP Address" but it seems that it doesn't work when it is not explicitly set.
  • 0 Votes
    2 Posts
    628 Views
    That setting on the server side is not necessary. Once we set up the radius server correctly the X509 error messages were gone.
  • 0 Votes
    4 Posts
    453 Views
    lifeboy
    @Gblenn This is strange. I previously simply added a new tunnel and it works. It's been a while since I last did this, maybe about 6 months, and now suddenly this strange behaviour happens.
  • IPSEC autoconnection - Manual?

    3
    0 Votes
    3 Posts
    300 Views
    periko
    @jimp Thanks master, I will.
  • Traffic tunnel to tunnel

    2
    0 Votes
    2 Posts
    214 Views
    @andmattia You also need to add a phase 2 on the Cloud -> MyCustomer IPSEC with 172.172.2.0/24 - 192.168.X.X. BTW: Why are you using public network ranges inside your LAN??
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.