ITS WILL WORK, BCZ OUR COMPETITOR ALREADY DONE THAT

Probably because we fixed this: https://redmine.pfsense.org/issues/9243 It worked before because, technically, both sides were misconfigured :-)

That is not related to this thread, start a new thread for each of those questions separately.

This seems to be somewhat expected with VTIs and nothing to be too concerned about https://forum.netgate.com/post/795763

[image: 1585304017390-c62931b1-b5a5-4152-98d7-656347d1867d-image.png] "Leftauth" c'est bien pour l'authentification en local? La valeur pubkey est-elle bonne?

wan mtu is set to 1500 mss clamping it set to 1380 I have offloading turned off AES-NI is not active I'll try aes-gcm Cpu's are at 3-5% so not doing much.

Aha! I think I've got it. By switching to VTi mode I was able to make a gateway interface for it, and then do firewall rules. Not as simple but it works.

@lfoerster said in Possible IPSec routing issue: So its more intelligent to place the static route NOT on 10.10.0.251 here, but on the default gateway both .251 and .2 devices (and probably all in the 10.10.0.0 segment) have configured. Of course you were correct. I put a static route in the default GW on our side and it started to work immediately. I do have to admit it gets me a little confused though, since I've been using static routes on clients before. And, while it says it's a headache when administering multiple clients (which we don't), this article says it should work: https://docs.netgate.com/pfsense/en/latest/book/ipsec/site-to-site.html Anyway, thanks a million!

@jimp thanks for the tips. I think that's a bit complicated for our needs certainly right now and certainly last minute like it currently is. Any ideas why I can't create another ipsec tunnel and point it at the other dsl connection ? I mean I can but the authentication options don't allow me to point it at my radius. I only have Mutual PSK and Mutual (something else) as options in the drop down.... I had hoped I could set up another ipsec tunnel tied to the second DSL connection, but it doesn't seem to let me.

@lfoerster thank you very much sir.

And here is the solution to that working with 2 different VPN protocolls and keeping them transparent to both sites: https://administrator.de/content/detail.php?id=534696&token=421#comment-1420225 and also here: https://administrator.de/content/detail.php?id=534696&token=421#comment-1420401 That works without any errors !

@lfoerster Thank you very much, that's perfect. Everything works perfectly! I still had to do an "f-route" as administrator to make it work. As well as a reboot of my "client" machine, of the Ipsec service but also of each tunnel. You are an extraordinary person, thank you very much.