• Getting hundreds of duplicating Phase2's on IPSEC VTI tunnels to AWS

    3
    0 Votes
    3 Posts
    239 Views

    OK, thanks.

    As far as I can tell, the suggested settings are:

    Enable 'Make-before-break' (VPN-->IPSec-->Advanced Settings tab) on both sides

    OR -

    Disable reauthentication and enable rekey -
    Version 2.5.0: Leave reauth blank and put a value in rekey
    Version 2.4.5: Check 'Disable Reauth'. Leave 'Disable Rekey' unchecked
    On one side, Check 'Responder Only', and set 'Child SA Close Action' to 'Close/Clear'
    On the other side, set 'Child SA close action' to 'Restart/Reconnect'

    This patch would need to be applied to allow VTI tunnels to be set to Responder Only

    Is this correct?

    How would I apply these settings to an IPSec tunnel to AWS?

  • PCI Compliance Scans

    12
    0 Votes
    12 Posts
    1k Views

    @johnpoz said in PCI Compliance Scans:

    Ok I see what might be going on... Hmmm

    I just fired up an ipsec, and ran ike-scan on it... And yeah, so you can see where it's asking for des, and what gets returned:

    Oct 3 21:11:46 charon 10[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Oct 3 21:11:46 charon 10[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768

    All of the options are returned, even though it's not possible to use them... Hmmm. That should be simple enough to fix, but I don't think you can do it in the GUI.

    I don't really ever do ipsec with pfsense...

    I don't either, but my client has a vendor that needs to occasionally access some internal systems. The only thing they could get working on their end was IPSec. SMH.

  • Configure AWS Pfsense instance to failover IPsec to another instance

    3
    0 Votes
    3 Posts
    2k Views

    The original link is broken. Here is a new one.
    https://www.hexnetworks.com/2019/04/24/pfsense-cluster-in-aws/

  • Bridge LAN from A site to B site

    5
    0 Votes
    5 Posts
    647 Views
    jimp

    No, I don't know that anyone has tried it so I can't offer any advice. You'd build it between the VTI addresses on either end of the IPsec tunnel but that's the only advice I can offer.

  • Routing OpenVPN-Connection over NATed IPsec

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • IPSec with VTI not routing LAN traffic between 2 sites

    13
    0 Votes
    13 Posts
    2k Views

    Yep, tried that too.

    To solve the problem, I just removed pfSense from site A and replaced it with a CentOS VM running OpenVPN client.

    From there I have a VLAN on our Cisco LAN SW which has a DHCP scope to configure the LAN default gateway via OpenVPN.

    Works perfectly.

  • pfsense on Netgate SG-1100: IKEv2 VPN with EAP-TLS Authentication Failed

    6
    0 Votes
    6 Posts
    909 Views

    Well, I finally made it work thanks to @Konstanti .

    I want to leave it here in case it may help someone else, struggling with the finicky ipsec settings...

    In my case the key point seems to be setting IKEv2 Algorithms as aes256-sha256-modp1024 in the StrongSwan Android Client.

    The IPsec/ESP Algorithms may be left empty. I am just not sure what the benefits of specifying them are (@Konstanti, please correct me).

    There is still another part that seems to contribute equally to the successful establishment of the IPSec tunnel - I also had to specify in the StrongSwan Android Client:

    Server identity: <MY_ORG>.duckdns.org

    Client identity: ikev2-drew@<MY_ORG>.duckdns.org

    Note that the client identity (at least in my case) MUST be specified in this email style: client1@<SERVER_IDENTITY>. For some reason, changing it to just client1 (ikev2-drew in my case) breaks everything, even though I changed the User distinguished name from ikev2-drew@<MY_ORG>.duckdns.org to Any in the pfSense IPsec settings (phase 1) in the GUI.

    Again, thank you very much, @Konstanti for your time and help!

  • IPsec Export: Windows PowerShell

    1
    0 Votes
    1 Posts
    286 Views
    No one has replied
  • pfsense ipsec browser lan problem

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
  • 0 Votes
    2 Posts
    287 Views
    CodeNinja

    UPDATE:
    I think it may be good to know that each IPSec network has its own IP range, 10.130.x.0/24 where x is unique for each site. The phase 2s are currently running in "Tunnel IPv4" mode. When possible, we want to keep using 1 network for each site. I mean, not 1 network for router-to-router and another one for the network of the site itself. I'm not sure if this is possible, as I may need to change the IPsec P2 mode???

    An example of my IPSec configuration which is similar for each site.
    IPSec examples.txt

  • Pfsense with fritzbox ipsec client

    1
    0 Votes
    1 Posts
    206 Views
    No one has replied
  • Different Virtual IP Pool Mobile VPN users

    1
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • AZURE Pfsense IPsec tunnel

    1
    0 Votes
    1 Posts
    313 Views
    No one has replied
  • Inbound ACK to IPSEC interface blocked

    1
    0 Votes
    1 Posts
    176 Views
    No one has replied
  • Random port during VPN IPsec communication

    1
    0 Votes
    1 Posts
    339 Views
    No one has replied
  • Bandwidth IPSEC / AES-NI / Bad perf

    9
    0 Votes
    9 Posts
    994 Views

    @Yazur said in Bandwidth IPSEC / AES-NI / Bad perf:

    Are our P1 and P2 configurations good?

    I can only note they do not match mine exactly, but I do not know if they are wrong and if they should be working or not.

    I only know that my exact settings work. :-/

  • Mobile IPsec VPN and Group Rules

    2
    0 Votes
    2 Posts
    308 Views
    keyser

    Hmm, not much response on this issue...

    I have been doing a lot of further investigation, and it seems it's impossible to do any kind of firewall filtering based on users/groups if you are using Mobile IPsec VPN.
    I'm very disappointed by this as Mobile IPsec VPN has the MAJOR advantage it works with the built in VPN client in Windows, MacOS, iOS, Android....

    There are some "workarounds" if you start using OpenVPN instead, but even that is not implemented very effectively.
    You either have to send ACL rules from RADIUS, or assign static IPs per user, or implement several OpenVPN instances (each with its own firewall ruleset, and assign users to the fitting OpenVPN instance).

    Quite shocking that pfSense does not have a mobile VPN solution that supports user/group based rules....

    Feature request: How about implementing a little service that adds a client's VPN IP address to a built-in FW Alias group if the user authenticated with a user belonging to a usergroup? Then we could make VPN usergroup firewall rules by using aliases as usual.
    If this was done upon VPN connect, and removed on VPN disconnect (needs a bit of state handling as well), it should work regardless of whether the user authenticates with a local database user, or via a RADIUS user if the RADIUS returns the groupname with the CLASS attribute.

  • ipsec pfsense asa with 2 local networks

    1
    0 Votes
    1 Posts
    213 Views
    No one has replied
  • IPsec Phase 1 won't come up

    1
    0 Votes
    1 Posts
    228 Views
    No one has replied
  • Resolve hostnames over IPsec site-to-site

    1
    0 Votes
    1 Posts
    211 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.