• pfsense ipsec browser lan problem

    1
    0 Votes
    1 Posts
    238 Views
    No one has replied
  • 0 Votes
    2 Posts
    349 Views
    CodeNinjaC
    UPDATE: I think it may be good to know that each IPSec network has its own IP range, 10.130.x.0/24, where x is unique for each site. The phase 2 entries are currently running in "Tunnel IPv4" mode. When possible, we want to keep using 1 network for each site. I mean, not 1 network for router-to-router and another one for the network of the site itself. I'm not sure if this is possible, as I may need to change the IPsec P2 mode? An example of my IPSec configuration, which is similar for each site: IPSec examples.txt
  • Pfsense with fritzbox ipsec client

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • Different Virtual IP Pool Mobile VPN users

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • AZURE Pfsense IPsec tunnel

    1
    0 Votes
    1 Posts
    350 Views
    No one has replied
  • Inbound ACK to IPSEC interface blocked

    1
    2
    0 Votes
    1 Posts
    181 Views
    No one has replied
  • Random port during VPN IPsec communication

    1
    3
    0 Votes
    1 Posts
    403 Views
    No one has replied
  • Bandwidth IPSEC / AES-NI / Bad perf

    9
    0 Votes
    9 Posts
    1k Views
    N
    @Yazur said in Bandwidth IPSEC / AES-NI / Bad perf: Are our P1 and P2 configurations good? I can only note they do not match mine exactly, but I do not know if they are wrong and if they should be working or not. I only know that my exact settings work. :-/
  • Mobile IPsec VPN and Group Rules

    2
    0 Votes
    2 Posts
    371 Views
    keyserK
    Hmm, not much response on this issue... I have been doing a lot of further investigation, and it seems it's impossible to do any kind of firewall filtering based on users/groups if you are using Mobile IPsec VPN. I'm very disappointed by this, as Mobile IPsec VPN has the MAJOR advantage that it works with the built-in VPN client in Windows, MacOS, iOS, Android.... There are some "workarounds" if you start using OpenVPN instead, but even that is not implemented very effectively. You either have to send ACL rules from Radius, or assign static IPs/user, or implement several OpenVPN instances (each with its own firewall ruleset, and assign users to the fitting OpenVPN instance). Quite shocking that pfSense does not have a mobile VPN solution that supports user/group based rules.... Feature request: How about implementing a little service that adds a client's VPN IP address to a built-in FW Alias group if the user authenticated with a user belonging to a usergroup? Then we could make VPN usergroup firewall rules by using aliases as usual. If this was done upon VPN connect, and removed on VPN disconnect (needs a bit of state handling as well), it should work regardless of whether the user authenticates with a local database user, or via a Radius user if the Radius returns the groupname with the CLASS attribute.
  • ipse pfsense asa with 2 local networks

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • IPsec Phase 1 wont come up

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • Resolve hostnames over IPsec site-to-site

    1
    0 Votes
    1 Posts
    258 Views
    No one has replied
  • No Route to Virtual Pool

    4
    0 Votes
    4 Posts
    639 Views
    DaddyGoD
    @vvasilev said in No Route to Virtual Pool: No, I didn't mean routed IPSec. Nice... Many times a full "states" killing is enough
  • IPSEC HTTP/HTTPS on the end not reachable.....

    2
    0 Votes
    2 Posts
    187 Views
    M
    Play around with TCP MSS clamping. Start with a relatively safe, low value like 1350. If you use VTI, check your MTUs as well.
  • IPSEC VTI Iperf3 and UDP troubleshooting

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ipsec roblem

    1
    0 Votes
    1 Posts
    306 Views
    No one has replied
  • 0 Votes
    1 Posts
    227 Views
    No one has replied
  • Multiple IPsec Phase2 connections - No link

    2
    1
    0 Votes
    2 Posts
    330 Views
    P
    As jimp wrote, set your tunnel to the following modes. Side 1: IKEv2, Rekey configured, Reauth disabled, child SA close action set to restart/reconnect. Side 2: IKEv2, Rekey configured, Reauth disabled, responder only set, child SA close action left at default (clear). See also: https://redmine.pfsense.org/issues/10176
  • Can IPSec ePDG WiFi Calling be routed via more secure VPN protocols?

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • IPsec Failover

    1
    0 Votes
    1 Posts
    326 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.