  • IPsec VPN phase 2 does not accept two networks

  • No traffic in IPsec site-to-site tunnel


    @reschi1
    Regarding the NAT/BINAT configuration in the phase #2 I found this one:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

    I think this is what matches my case:

    NAT - Overload/PAT Style If the Local Network is a subnet, but the NAT/BINAT Translation address is set to a single IP address, then a 1:many NAT (PAT) translation is set up that works like an outbound NAT rule on WAN. All outbound traffic will be translated from the local network to the single IP address in the NAT field.

    I think that the phase #2 configuration I posted above is clearly nonsense, isn't it? I'm talking about the translation configuration:

    Local Network: Address 123.231.231.227
    NAT/BINAT translation: Address 123.231.231.227

    To me it would be logical to configure it this way:

    Local Network: Network LAN subnet
    NAT/BINAT translation: Address 123.231.231.227

    Reconfigured it accordingly, but still no traffic. Leaves the previous question: Do I have to configure additional NAT settings apart from the phase #2 NAT/BINAT configuration?

    What is more: I found this one https://forum.netgate.com/topic/140873/solved-inbound-traffic-with-nat-binat-translation-via-ipsec where it is claimed that not the site using a single IP address but the partner site has to configure NAT/BINAT settings. Now I'm rather confused.
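The following is an added worked example, not code from the post above or from pfSense/Netgate. It models what the phase 2 NAT/BINAT field does according to the three cases in the Netgate document quoted in the post (no translation, 1:1 BINAT when both networks are the same size, overload/PAT when a subnet is translated to a single address), and shows why translating a single address to the same single address is a no-op. It also returns what the partner must enter as its Remote Network, since the remote peer negotiates the SA against the translated network, not the real one. The addresses used are the ones from the post plus a constructed remote network.

```python
import ipaddress


def phase2_translation(local, nat, remote):
    """Work out what a pfSense phase 2 NAT/BINAT setting does.

    local  - the real Local Network of the phase 2 (host or CIDR)
    nat    - the NAT/BINAT Translation field, or None when left empty
    remote - the partner's network (Remote Network on this side)

    Returns the translation style, the traffic selector the remote peer
    sees on the wire, what the peer must configure as its own remote
    network, and a plain-language description of the translation.
    """
    local_net = ipaddress.ip_network(local, strict=False)
    remote_net = ipaddress.ip_network(remote, strict=False)

    if nat is None:
        return {
            "style": "none",
            "selector": (str(local_net), str(remote_net)),
            "peer_remote_network": str(local_net),
            "translation": None,
        }

    nat_net = ipaddress.ip_network(nat, strict=False)

    if nat_net == local_net:
        # Translating an address to itself changes nothing on the wire.
        style = "no-op"
    elif nat_net.prefixlen == local_net.prefixlen:
        # Same-size networks (including host to host): one-to-one mapping.
        style = "1:1 BINAT"
    elif nat_net.num_addresses == 1:
        # Subnet to a single address: 1:many, like an outbound NAT rule.
        style = "overload/PAT"
    else:
        raise ValueError(
            f"NAT/BINAT network {nat_net} must be a single address or the "
            f"same size as the local network {local_net}"
        )

    return {
        "style": style,
        # The IPsec SA is negotiated for the translated network, so that is
        # what the remote peer sees as our local network.
        "selector": (str(nat_net), str(remote_net)),
        "peer_remote_network": str(nat_net),
        "translation": None if style == "no-op" else (
            f"traffic from {local_net} to {remote_net} enters the tunnel "
            f"as {nat_net}; replies to {nat_net} are mapped back"
        ),
    }


if __name__ == "__main__":
    # Constructed inputs: the two configurations from the post, plus a
    # 1:1 BINAT variant for comparison, against a made-up remote network.
    for local, nat in [
        ("123.231.231.227", "123.231.231.227"),  # as originally posted
        ("192.168.1.0/24", "123.231.231.227"),   # the reconfigured attempt
        ("192.168.1.0/24", "172.16.1.0/24"),     # 1:1 BINAT for comparison
    ]:
        result = phase2_translation(local, nat, "10.20.0.0/24")
        print(f"{local} -> {nat}: {result['style']}")
        print(f"  peer sees {result['selector'][0]} <-> {result['selector'][1]}")
        print(f"  peer's Remote Network must be {result['peer_remote_network']}")
        print(f"  translation: {result['translation']}")
```

The check worth running against a stuck tunnel is the `peer_remote_network` value: if the partner's phase 2 still names the real LAN subnet while this side translates to a single address, the selectors will not match and no traffic flows even though phase 1 and phase 2 appear established.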

  • IKEv2, mobile, a lot of duplicate connections

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • IPsec/IKEv2 not working with iPhone or Mac

    3
    0 Votes
    3 Posts
    484 Views
    K

    @mrmaus
    Hi
    I abandoned that project and shut down the OpenVPN in pfSense, and will look for a way to remove them, all of the VPN references in pfSense (hahahah).
    What I did instead was to build a stand-alone OpenVPN server that sits behind the pfSense and behind a proxy server. So far so good; I would even say it is working a lot better than when the OpenVPN on pfSense was working, and for sure better than the IPsec that I was trying to get working.

    If you can, you may want to look into setting up a stand-alone OpenVPN server.

    Later

    B1 always

  • Android phone is connected to IPsec, but it can't access internet

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • IPSEC + Commercial SSL

    1
    0 Votes
    1 Posts
    323 Views
    No one has replied
  • IPSEC problem with Checkpoint

    4
    0 Votes
    4 Posts
    13k Views
    N

    Has anyone figured out the issue? I can't get any documentation on how to correctly set up an IPsec VPN between pfSense and Checkpoint; it's like searching through the Bermuda triangle. Any help or pointers would be much appreciated...

  • pfSense IPsec config issues with Checkpoint

    1
    0 Votes
    1 Posts
    227 Views
    No one has replied
  • IPsec keeps rebuilding tunnel (tunnel is functioning)

    1
    0 Votes
    1 Posts
    316 Views
    No one has replied
  • IPsec VPN with Checkpoint routing problems

    5
    0 Votes
    5 Posts
    3k Views
    N

    I have a similar issue. We successfully did the Phase 1 and Phase 2, from pfSense (our side) to Checkpoint (partner side). However, when we run a ping in telnet, it keeps coming up with permission denied.

    Anyone here had this issue? The Public IP to Public IP is working fine, but the LAN to LAN just isn't connecting?

  • Configuring my first pfSense to Cisco ASA IPSEC L2L connection

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • Windows 10 Client, peer to aggressive

    2
    0 Votes
    2 Posts
    660 Views
    M

    I have been testing DH group 19 and 20, but that resulted in "Peer to aggressive". Of course I had the same settings on both phase 1 and phase 2 and in Windows 10 and pfSense IKEv2 Mutual RSA config.

    Changed to DH Group 14, and that worked.

    What can be the reason?

  • Numerous duplicate SA entries

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • Multiple IPSec Mobile Clients

    2
    0 Votes
    2 Posts
    392 Views
    jimpJ

    That wouldn't ever work with L2TP/IPsec as the IPsec portion of L2TP/IPsec requires transport mode which only works with unique remote addresses.

    If you use a regular IKEv2 (e.g. EAP-MSCHAPv2) setup it should work fine.

    Or if you have multiple users at the same remote site that need to connect, consider a site-to-site VPN instead of relying on mobile connections.
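An added illustration of the point made in the reply above, not code from the post or from pfSense: a simplified model of the security policy database keyed the way transport mode and tunnel mode allow. In transport mode the only client-specific part of the selector is the outer source address (with UDP/1701 for L2TP), so two clients behind one NAT collide; in tunnel mode the policy can be keyed on the per-client virtual address, so they do not. The client addresses are constructed, and NAT-T port details are deliberately left out of the model.

```python
from dataclasses import dataclass

L2TP_PORT = 1701  # L2TP runs over UDP/1701 inside the IPsec SA


@dataclass(frozen=True)
class Client:
    name: str
    outer_ip: str    # source address as the server sees it (after any NAT)
    virtual_ip: str  # inner address a tunnel-mode setup (e.g. IKEv2) hands out


def policy_key(client, mode):
    """The selector a transport- or tunnel-mode policy is keyed on."""
    if mode == "transport":
        # Transport mode protects the L2TP packets between the two outer
        # endpoints; there is no inner address, so the outer source address
        # plus UDP/1701 is all that can identify the client.
        return ("transport", client.outer_ip, "udp", L2TP_PORT)
    if mode == "tunnel":
        # Tunnel mode carries a complete inner packet, so the policy can be
        # keyed on the client's unique virtual address instead.
        return ("tunnel", client.virtual_ip)
    raise ValueError(f"unknown mode {mode!r}")


def install_policies(clients, mode):
    """Load one policy per client into a model SPD; return (spd, conflicts).

    A conflict means a later client's selector is identical to an earlier
    one's, so the kernel could not tell their traffic apart.
    """
    spd = {}
    conflicts = []
    for c in clients:
        key = policy_key(c, mode)
        if key in spd:
            conflicts.append((spd[key].name, c.name))
        else:
            spd[key] = c
    return spd, conflicts


# Constructed example: two laptops behind the same office NAT, so both
# reach the server from one public address.
SAME_SITE = [
    Client("laptop-a", "203.0.113.10", "10.99.0.2"),
    Client("laptop-b", "203.0.113.10", "10.99.0.3"),
]


def conflict_count(mode, clients=SAME_SITE):
    return len(install_policies(clients, mode)[1])


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        spd, conflicts = install_policies(SAME_SITE, mode)
        print(f"{mode}: {len(spd)} usable policies, conflicts: {conflicts}")
```

Running it shows one installed policy and one conflict for transport mode and two policies with no conflict for tunnel mode, which is the difference between L2TP/IPsec and a plain IKEv2 mobile setup for users sharing a remote address.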

  • Pushing DNS to MacOS

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • Windows IPSec client not getting/using DNS

    2
    0 Votes
    2 Posts
    622 Views
    S

    So in case it helps anyone landing here, I found a solution in these:

    http://superuser.com/questions/966832/windows-10-dns-resolution-via-vpn-connection-not-working

    https://answers.microsoft.com/en-us/windows/forum/windows_10-networking-winpc/win-10-dns-resolution-of-remote-network-via-vpn/513bdeea-0d18-462e-9ec3-a41129eec736?page=4

  • IPsec tunnel setup, cannot ping all subnets

    2
    0 Votes
    2 Posts
    359 Views
    D

    I finally resolved this. I had to create a LAN gateway on the Site A side because I have two LAN subnets on it, 192.168.211.x/24 and 10.0.0.x/28. I was only concerned with the 10. subnet, so I created a gateway for it only, as probably traffic was trying to pass over the other LAN segment, not sure. (I am not great at this stuff...)

    Then on the Site B router, I had to add a manual NAT for its LAN network to allow the 10.0.0.0/28 traffic over it. Now I can successfully reach all endpoints for both networks.

    Man, that was A LOT of work. Now I get why those crappy Cisco RV routers are so popular, as it seems they create the NAT and routes for you.

    davige101

  • IPsec VTI routing can only get to firewall, no clients

    17
    0 Votes
    17 Posts
    1k Views
    T

    @realityman_ In my opinion this is not pfSense...

    Maybe you have some dynamic firewall on the host that bans your IP?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.