• 0 Votes
    2 Posts
    318 Views
    I

    Debug 1:

    Due to the cloud default VPC setup, the default route of the backend hosts is not set to the pfSense gateway. I am able to ping any hosts behind the gateway after setting the correct default route, and vice versa. However, any other services don't seem to work correctly. For example, ssh took more than a minute to show the prompt for checking the remote host key, and another minute to prompt for the password. It is definitely not normal to wait for minutes for the ssh password prompt, although ping responded normally. It even connected, but as if it were in slow motion, even worse than an old PBX 128k baud modem rate!

    I am checking the firewall rules closely for any other hints, but if the firewall were blocking, I shouldn't be able to connect at all? Or is this still a routing issue, e.g. the packets are being routed incorrectly?

  • Routing between 3 Site to Site VPNs (IPSEC)

    Moved
    5
    0 Votes
    5 Posts
    661 Views
    P

    Ok, thanks.

    Does anybody know where to configure the P2 entries in a LANCOM Router?

  • L2TP - users cannot connect after few days of normal working

    1
    1 Votes
    1 Posts
    309 Views
    No one has replied
  • IPsec Encryption key for debugging in Wireshark

    1
    0 Votes
    1 Posts
    258 Views
    No one has replied
  • limits encryption domain IPSEC max 12

    2
    0 Votes
    2 Posts
    159 Views
    jimpJ

    There are no limits on IPsec tunnels imposed by pfSense.

  • Client Routing table with Mobile Ipsec

    2
    0 Votes
    2 Posts
    342 Views
    A

    I found the reason why the routing was problematic.
    My local network is on the network range 10.0.0.0/24.
    I've created an account for a coworker, his local network range is 192.168.0.0/24.
    He doesn't need to add routes and he can connect to any server on the other side of the tunnel.

    The virtual IP pool is set to 192.168.10.0/27, which can be set under VPN -> IPSec -> Mobile Clients -> Virtual Address Pool.

    I've made a workaround:
    created a bash script:

    #!/bin/bash
    # Gateway of the first route that mentions the mobile client virtual pool (192.168.10.0/27);
    # on macOS "netstat -rn" prints Destination in column 1 and Gateway in column 2
    vpn_lanip=$(netstat -rn | awk '/192.168.10/{print $2}' | head -1)
    if [[ -n "$vpn_lanip" ]]; then
        # Re-point the remote LAN (10.0.0.0/24) at the tunnel gateway
        route delete -net 10.0.0.0/24 "$vpn_lanip"
        route add -net 10.0.0.0/24 "$vpn_lanip"
    fi

    Then created a plist file:
    /Library/LaunchDaemons/network.watcher.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>network.watcher</string>
        <key>ProgramArguments</key>
        <array>
            <string>/bin/bash</string>
            <string>/Users/arno/routes.sh</string>
        </array>
        <key>WatchPaths</key>
        <array>
            <string>/Library/Preferences/SystemConfiguration</string>
        </array>
    </dict>
    </plist>

    Then activated the network watcher daemon, which performs actions if network changes are detected:

    sudo launchctl load /Library/LaunchDaemons/network.watcher.plist

    There is a slight delay for the route propagation of about 10 seconds, but it works for me.

  • How do i revoke a user certificate from PFSense?

    8
    0 Votes
    8 Posts
    1k Views
    O

    @johnpoz said in How do i revoke a user certificate from PFSense?:

    when do users get a cert in ipsec? Don't they just use the KEY ID as their username? Never set up ipsec with such a login before.

    I am not really sure what you mean. I create a user certificate using the CA manager within pfsense. The manager points to my own Microsoft CA server.

    I install that user + root certificate onto my Phone and create an IKEv2 EAP-TLS (certificate) profile within StrongSwan.

    And normally when I delete the user certificate I cannot connect anymore. With this pfsense installation I am still able to connect. (Delete / Revoke has got the same end result)

  • Routed (VTI) ipsec and gateway groups

    5
    0 Votes
    5 Posts
    804 Views
    jimpJ

    IPsec interfaces don't support reply-to yet, so it's not possible to send traffic back down a different tunnel than the one it entered.

  • Routing on Mobile IPSec Connections

    3
    0 Votes
    3 Posts
    462 Views
    N

    Which network do you use in P2 for your clients?

    Local Network has to be 192.168.0.0/19 to route the traffic to all local networks through the tunnel.

    I want to route all traffic through my tunnel, so I use 0.0.0.0/0 and no split tunneling option on the clients.

    If you route only this network, you have to set split tunneling with the right network + mask on the client side.

  • pfsense VTI / Firewall Filtering

    2
    0 Votes
    2 Posts
    377 Views
    jimpJ

    Unfortunately, per-interface rules do not currently function for VTI interfaces. It's a limitation in the underlying OS (either in if_ipsec, pf, or some combination of the two).

    Communication from a subnet like that wouldn't necessarily succeed anyhow, though, because your return routing wouldn't send it back to the "wrong" tunnel. In your example, if "Prefix A" came in from "Site-Tunnel 2" the reply traffic would go back to whichever one had the route on it, likely "Site-Tunnel 1".

    If you are using a routing protocol (BGP, OSPF) you could filter routes that way as well.

  • IPSEC not activating - zero packets sent to remote

    2
    0 Votes
    2 Posts
    358 Views
    D

    A bit more info, and a question:

    Based on another topic where traffic was not flowing, I have disabled these params in IPSEC : Advanced

    Auto-exclude LAN address
    Asynch Crypto

    My question...
    Unlike each of my OpenVPN tunnels on pfSense, I don't see the IPSEC tunnel creating an interface to be activated in Interface::Assignments.
    There is an IPSEC interface, and I have enabled it and given it a pass all all all rule in Firewall. But there is not another one specific to the tunnel I configured.
    Does the tunnel not need an interface?
    If it does, what am I missing to enable it and to give it a Firewall rule to permit IP?

  • Multiple Pre-Shared Keys IPSec

    1
    0 Votes
    1 Posts
    221 Views
    No one has replied
  • IPSec with AES-256-GCM key length

    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    AES-GCM is the only exception to the way the drop-down works.

  • Forwarding over IPSec

    3
    0 Votes
    3 Posts
    492 Views
    jimpJ

    The traffic would have to hit a proxy on pfSense1 for that to work. The problem is that anything on pfSense2 will need to see a source address of pfSense1 or the traffic won't return to pfSense1. So you could have haproxy on pfSense1 accept and hand off the requests to the second reverse proxy.

    If you were using OpenVPN then it's possible to port forward directly across, since OpenVPN will work properly with reply-to if you make the right set of rules on assigned interfaces. That doesn't work with IPsec VTI yet.

  • Same Remote Gateway but different source IP - VIP

    1
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • IPSEC tunnel up but only one way communication

    1
    0 Votes
    1 Posts
    176 Views
    No one has replied
  • IPSec+IKEv2 and DualStack

    5
    0 Votes
    5 Posts
    720 Views
    N

    @viktor_g

    Any other suggestions?

  • IPSec Multi-WAN to One WAN

    5
    0 Votes
    5 Posts
    523 Views
    G

    It's not suitable for me, because IPSEC failover using Dynamic DNS and multi WAN doesn't work properly (with a WAN failure it needs some time to resolve the new IP, and when the WAN is UP DynDNS is not refreshed so fast, but IPsec is using the wrong WAN gateway and doesn't connect until the DynDNS new IP refresh).
    I want to make load balancing with IPSec VTI gateways (without connection drops) on the pfSense side, so both connections must be UP all the time, and when one connection fails, the other stays UP without any connection drops for the tunneled networks.
    But, as I see it, it isn't a standard situation for pfSense IPSec, when a 1 WAN server is used for 2 WAN servers.

  • KeyID tag issue since 2.4.5

    20
    0 Votes
    20 Posts
    3k Views
    jimpJ

    @hdservices said in KeyID tag issue since 2.4.5:

    May 6 07:58:47 charon 08[CFG] <290> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    May 6 07:58:47 charon 08[CFG] <290> looking for pre-shared key peer configs matching x.x.x.x...x.x.x.x[192.168.1.60]
    May 6 07:58:47 charon 08[ENC] <290> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    May 6 07:58:47 charon 08[NET] <290> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (108 bytes)
    May 6 07:58:47 charon 08[NET] <290> sending packet: from x.x.x.x[500] to x.x.x.x[500] (396 bytes)
    May 6 07:58:47 charon 08[ENC] <290> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    May 6 07:58:47 charon 08[CFG] <290> candidate "con1000", match: 1/1/3100 (me/other/ike)
    May 6 07:58:47 charon 08[CFG] <290> candidate "bypasslan", match: 1/1/24 (me/other/ike)

    It's selecting bypasslan which means the P1 info didn't match. Either you didn't match up the ID (looks like the remote is sending 192.168.1.60 as its ID) or the Pre-Shared Key for 192.168.1.60 could not be found.

  • IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1

    33
    0 Votes
    33 Posts
    4k Views
    N

    Phase 1:

    IKEv1
    IPv4
    PSK
    Aggressive
    Distinguished name
    Distinguished name
    PSK generated by pfSense
    AES 256 SHA512 DH2
    DPD on

    Phase 2:
    IPv4
    NAT None
    ESP
    AES 236
    SHA1
    PFS Key Group 2
    Lifetime 3600

    However, a new Netgate has been ordered and will replace the Fritz shortly.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.