• IPSEC FailOver Reconnection time?

    1
    0 Votes
    1 Posts
    199 Views
    No one has replied
  • Mobile ipsec works WAN side but not LAN side?

    3
    0 Votes
    3 Posts
    437 Views
    T

    I have a 150mbps symmetric connection. Without vpn speedtest shows the line speed but when vpn is enabled the speed drops considerably. In both tests, I am connected at the LAN side.

    Without VPN
    Screenshot_20200306-090605_Speedtest.jpg

    With VPN
    Screenshot_20200306-090504_Speedtest.jpg

    Is there a way to improve IPSec speed? What encryption cipher should I use to get the best speed on Android?

  • Multiple Concurrent VPN connection L2TP/IPsec

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • Static ip for a mobile client

    6
    0 Votes
    6 Posts
    997 Views
    T

    This seemed to have helped with the DNS issue.

  • IPSEC tunnel broken after upgrade from 2.3.5 to 2.4.4

    2
    0 Votes
    2 Posts
    190 Views
    E

    It became up after a while, I didn't change anything. Issue resolved.

  • Vpn site to site pfsense and checkpoint

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • OSPFv6 over IPsec VTIs

    6
    0 Votes
    6 Posts
    675 Views
    jimp

    That was only true for IKEv1 tunnels. IKEv2 tunnels can carry both. And VTI is not really a "tunnel" but routed IPsec so it's different yet.

  • IPSEC Mobile VPN routing all traffic down another IPSEC tunnel.

    2
    0 Votes
    2 Posts
    302 Views
    jimp

    Is the site-to-site tunnel using IKEv2? If so, check the "split connections" box in the P1 settings.

  • VPN IPSec iOS 13 VPN on Demand from App

    3
    0 Votes
    3 Posts
    387 Views
    ?

    Tutorial: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html

    but I had to change some options:

    ios13.JPG ios132.JPG

  • NAT/BINAT

    8
    0 Votes
    8 Posts
    2k Views
    M

    I think I found the solution!
    In the outbound NAT.
    I'll check.

  • Multi Site Multi WAN Multi VPN - Help Please

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • Draytek on dynamic IP to pfSense on static IP VPN?

    1
    1 Votes
    1 Posts
    178 Views
    No one has replied
  • 0 Votes
    1 Posts
    264 Views
    No one has replied
  • No connection to IPSec

    2
    0 Votes
    2 Posts
    201 Views
    F

    Sigh, ignore this post...it looks like the router I'm using doesn't support IPSec.

  • IPSec tunnels work for several hours to days but then stop routing traffic

    10
    0 Votes
    10 Posts
    3k Views
    D

    @nbegley I'm not sure why you disable PFS, Disable Rekey, Disable Reauth or set Responder Only. The more changes you make to pfSense's default settings, the less chance you'll keep tunnels connected. According to my test (10 years ago), Draytek is compatible with pfSense, but I suggest you do your own interoperability test.

    -- Set margin time = 30s.
    -- Set short lifetime, like 30m Phase 1 and 15m Phase 2.
    -- Do not set Responder Only. Don't Disable Reauth, Disable Rekey or turn off PFS.
    -- (Just for the purpose of testing) Use a different cipher suite for Phase 1 and Phase 2 (say, DH group 15 and 14 respectively).

    If the tunnel can't be established or stops working after 1h, the problem is yours. If it stops after 2 days, go after your ISP.

  • RRAS to pfSense on Azure VM. no virtual IP found for %any

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • 0 Votes
    1 Posts
    208 Views
    No one has replied
  • Ikev2 eap-mschapv2 on multiple interfaces? Possible?

    2
    0 Votes
    2 Posts
    668 Views
    F

    Hello,

    Thread necromancer here with the same question.

    I have successfully followed this guide: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html#Create_Client_Pre-Shared_Keys, and have had an IKEv2 P1 setup for years.

    I have a segmented network and allowing LAN access to loop back to the WAN interface was creating odd exceptions that allow a LAN user to have access to services that would be blocked by normal WAN rules, so I explicitly block LAN to WAN_address from a floating rule.

    I now want to allow IKEv2 from LAN into secure segments but I can only bind my P1 to one interface. No worries. I go to set up a second P1 on an accessible interface and run into the same thing as the OP. I am presented with a 'remote gateway address' option and no EAP options. It's as if pfSense is presuming any additional P1 is always going to be a client as opposed to the already created server.

    I may be thinking about this wrong, any help appreciated.

  • Masquerade two different local nets into IPSEC tunnel [solved]

    4
    0 Votes
    4 Posts
    606 Views
    iorx

    Hi, almost cross posting here ☺. Because this needs some visibility so others don't have to waste hours finding out that Cisco may need this option with multiple phase 2 for a stable connection.

    Ref: https://forum.netgate.com/topic/132546/ipsec-phase2-problem-pfsense-checkpoint
    a slight hijack of this thread from me.

    Split Connection was the solution to my problems too. IKE2, multiple phase 2 and Cisco ASA don't play well together (single phase 2 had no problems). This particular connection has now been stable, 14h and counting.

    Brgs,

  • IPSec phase2 problem - pfSense - Checkpoint

    10
    0 Votes
    10 Posts
    2k Views
    iorx

    Hi ladies and germs.
    Split Connection was the solution to my problems. IKE2, multiple phase 2 and Cisco ASA don't play well together (single phase 2 had no problems). Split Connection is what got my connection stable, 14h and counting now.

    A link from the pfSense UI to the docs, or a hint in the description of the option that Cisco probably needs this when running multiple phase 2, would have been very helpful and saved me a couple of hours.

    Brgs,

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.