@bitvoip I’d just submit a bug report in that case… …costs nothing and ensures it’s on the radar of the developers.

@mauro-tridici I have seen a case where the ISP modem (Comcast) was apparently blocking the inbound port forwarding. Changing the pfSense to a different WAN IP let it work. Re upgrade: https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting

@nabberuk I know this is an old topic, but replying here for the record as I had a very similar issue where I was unable to get multiple P2s to connect. In the advanced settings, if you check the "Split connections" setting which is described as "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA." that seemed to get the IPsec connection working between pfSense and Sophos.

@keyser Thanks a lot for the clarification. Everything is now working as expected.

@mvbif Policy-based IPSec strictly connects two networks in a phase 2. And only these two network can communicate. If you forward traffic from a public IP the source might be outside of these network. So the packets won't be accepted. Yes, there are two possibilities with policy-based IPSec. You can either source-NAT the packets. But this must be done in the IPSec phase 2 with BINAT and to an IP, which the remote site has defined as remote network in its p2. Conventional outbound NAT would not work. The second option is to state 0.0.0.0/0 as local network on site 1 and as remote on site 2, but this means, that all upstream traffic from 2 will be routed to 1, which might be undesired. With VTI, you can assign an interface to the IPSec instance at site 2, where you have to define the firewall rule for inbound from the remote site. So pfSense can apply the reply-to tags to the packets, which is necessary to route response packets back to site 1.

Just try to resolve it somewhere. In Diag > DNS Lookup in pfSense for example. If you use an IP address or something actually resolves it must match the actual address IPSec is using.

Set the MSS for AES to 1328, if you want to avoid padding. Less padding allows you to move more Data over the tunnel.

Here is the log informatin I get when trying to ping from one of hte remote sites: Oct 4 08:53:19 charon 80307 12[KNL] <con3|370> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:19 charon 80307 12[KNL] <con3|370> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:19 charon 80307 12[IKE] <con3|370> sending DPD request Oct 4 08:53:19 charon 80307 12[IKE] <con3|370> queueing IKE_DPD task Oct 4 08:53:19 charon 80307 12[IKE] <con3|370> activating new tasks Oct 4 08:53:19 charon 80307 12[IKE] <con3|370> activating IKE_DPD task Oct 4 08:53:19 charon 80307 12[ENC] <con3|370> generating INFORMATIONAL request 2250 [ ] Oct 4 08:53:19 charon 80307 12[NET] <con3|370> sending packet: from 50.169.69.234[500] to 50.169.69.203[500] (80 bytes) Oct 4 08:53:19 charon 80307 12[NET] <con3|370> received packet: from 50.169.69.203[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:19 charon 80307 12[ENC] <con3|370> parsed INFORMATIONAL response 2250 [ ] Oct 4 08:53:19 charon 80307 12[IKE] <con3|370> activating new tasks Oct 4 08:53:19 charon 80307 12[IKE] <con3|370> nothing to initiate Oct 4 08:53:22 charon 80307 12[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:22 charon 80307 12[ENC] <con1|366> parsed INFORMATIONAL request 12680 [ ] Oct 4 08:53:22 charon 80307 12[ENC] <con1|366> generating INFORMATIONAL response 12680 [ ] Oct 4 08:53:22 charon 80307 12[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:22 charon 80307 12[KNL] <con2|371> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:22 charon 80307 12[KNL] <con2|371> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:22 charon 80307 12[IKE] <con2|371> sending DPD request Oct 4 08:53:22 charon 80307 12[IKE] <con2|371> queueing IKE_DPD task Oct 4 08:53:22 charon 80307 12[IKE] <con2|371> activating new tasks Oct 4 08:53:22 charon 80307 12[IKE] <con2|371> activating IKE_DPD task Oct 4 08:53:22 charon 80307 12[ENC] <con2|371> generating INFORMATIONAL request 1086 [ ] Oct 4 08:53:22 charon 80307 12[NET] <con2|371> sending packet: from 50.169.69.234[500] to 50.169.69.219[500] (80 bytes) Oct 4 08:53:22 charon 80307 12[NET] <con2|371> received packet: from 50.169.69.219[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:22 charon 80307 12[ENC] <con2|371> parsed INFORMATIONAL response 1086 [ ] Oct 4 08:53:22 charon 80307 12[IKE] <con2|371> activating new tasks Oct 4 08:53:22 charon 80307 12[IKE] <con2|371> nothing to initiate Oct 4 08:53:27 charon 80307 11[IKE] <con4|372> sending DPD request Oct 4 08:53:27 charon 80307 11[IKE] <con4|372> queueing IKE_DPD task Oct 4 08:53:27 charon 80307 11[IKE] <con4|372> activating new tasks Oct 4 08:53:27 charon 80307 11[IKE] <con4|372> activating IKE_DPD task Oct 4 08:53:27 charon 80307 11[ENC] <con4|372> generating INFORMATIONAL request 93 [ ] Oct 4 08:53:27 charon 80307 11[NET] <con4|372> sending packet: from 50.169.69.234[500] to 192.158.19.11[500] (80 bytes) Oct 4 08:53:27 charon 80307 11[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:27 charon 80307 11[ENC] <con1|366> parsed INFORMATIONAL request 12681 [ ] Oct 4 08:53:27 charon 80307 11[ENC] <con1|366> generating INFORMATIONAL response 12681 [ ] Oct 4 08:53:27 charon 80307 11[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:27 charon 80307 11[NET] <con4|372> received packet: from 192.158.19.11[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:27 charon 80307 11[ENC] <con4|372> parsed INFORMATIONAL response 93 [ ] Oct 4 08:53:27 charon 80307 11[IKE] <con4|372> activating new tasks Oct 4 08:53:27 charon 80307 11[IKE] <con4|372> nothing to initiate Oct 4 08:53:29 charon 80307 11[KNL] <con3|370> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:29 charon 80307 11[KNL] <con3|370> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:29 charon 80307 11[IKE] <con3|370> sending DPD request Oct 4 08:53:29 charon 80307 11[IKE] <con3|370> queueing IKE_DPD task Oct 4 08:53:29 charon 80307 11[IKE] <con3|370> activating new tasks Oct 4 08:53:29 charon 80307 11[IKE] <con3|370> activating IKE_DPD task Oct 4 08:53:29 charon 80307 11[ENC] <con3|370> generating INFORMATIONAL request 2251 [ ] Oct 4 08:53:29 charon 80307 11[NET] <con3|370> sending packet: from 50.169.69.234[500] to 50.169.69.203[500] (80 bytes) Oct 4 08:53:29 charon 80307 11[NET] <con3|370> received packet: from 50.169.69.203[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:29 charon 80307 11[ENC] <con3|370> parsed INFORMATIONAL response 2251 [ ] Oct 4 08:53:29 charon 80307 11[IKE] <con3|370> activating new tasks Oct 4 08:53:29 charon 80307 11[IKE] <con3|370> nothing to initiate Oct 4 08:53:32 charon 80307 11[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:32 charon 80307 11[ENC] <con1|366> parsed INFORMATIONAL request 12682 [ ] Oct 4 08:53:32 charon 80307 11[ENC] <con1|366> generating INFORMATIONAL response 12682 [ ] Oct 4 08:53:32 charon 80307 11[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:32 charon 80307 11[KNL] <con2|371> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:32 charon 80307 11[KNL] <con2|371> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:32 charon 80307 11[IKE] <con2|371> sending DPD request Oct 4 08:53:32 charon 80307 11[IKE] <con2|371> queueing IKE_DPD task Oct 4 08:53:32 charon 80307 11[IKE] <con2|371> activating new tasks Oct 4 08:53:32 charon 80307 11[IKE] <con2|371> activating IKE_DPD task Oct 4 08:53:32 charon 80307 11[ENC] <con2|371> generating INFORMATIONAL request 1087 [ ] Oct 4 08:53:32 charon 80307 11[NET] <con2|371> sending packet: from 50.169.69.234[500] to 50.169.69.219[500] (80 bytes) Oct 4 08:53:32 charon 80307 11[NET] <con2|371> received packet: from 50.169.69.219[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:32 charon 80307 11[ENC] <con2|371> parsed INFORMATIONAL response 1087 [ ] Oct 4 08:53:32 charon 80307 11[IKE] <con2|371> activating new tasks Oct 4 08:53:32 charon 80307 11[IKE] <con2|371> nothing to initiate Oct 4 08:53:37 charon 80307 11[IKE] <con4|372> sending DPD request Oct 4 08:53:37 charon 80307 11[IKE] <con4|372> queueing IKE_DPD task Oct 4 08:53:37 charon 80307 11[IKE] <con4|372> activating new tasks Oct 4 08:53:37 charon 80307 11[IKE] <con4|372> activating IKE_DPD task Oct 4 08:53:37 charon 80307 11[ENC] <con4|372> generating INFORMATIONAL request 94 [ ] Oct 4 08:53:37 charon 80307 11[NET] <con4|372> sending packet: from 50.169.69.234[500] to 192.158.19.11[500] (80 bytes) Oct 4 08:53:37 charon 80307 09[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:37 charon 80307 09[ENC] <con1|366> parsed INFORMATIONAL request 12683 [ ] Oct 4 08:53:37 charon 80307 09[ENC] <con1|366> generating INFORMATIONAL response 12683 [ ] Oct 4 08:53:37 charon 80307 09[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:37 charon 80307 09[NET] <con4|372> received packet: from 192.158.19.11[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:37 charon 80307 09[ENC] <con4|372> parsed INFORMATIONAL response 94 [ ] Oct 4 08:53:37 charon 80307 09[IKE] <con4|372> activating new tasks Oct 4 08:53:37 charon 80307 09[IKE] <con4|372> nothing to initiate Oct 4 08:53:39 charon 80307 09[KNL] <con3|370> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:39 charon 80307 09[KNL] <con3|370> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:39 charon 80307 09[IKE] <con3|370> sending DPD request Oct 4 08:53:39 charon 80307 09[IKE] <con3|370> queueing IKE_DPD task Oct 4 08:53:39 charon 80307 09[IKE] <con3|370> activating new tasks Oct 4 08:53:39 charon 80307 09[IKE] <con3|370> activating IKE_DPD task Oct 4 08:53:39 charon 80307 09[ENC] <con3|370> generating INFORMATIONAL request 2252 [ ] Oct 4 08:53:39 charon 80307 09[NET] <con3|370> sending packet: from 50.169.69.234[500] to 50.169.69.203[500] (80 bytes) Oct 4 08:53:39 charon 80307 09[NET] <con3|370> received packet: from 50.169.69.203[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:39 charon 80307 09[ENC] <con3|370> parsed INFORMATIONAL response 2252 [ ] Oct 4 08:53:39 charon 80307 09[IKE] <con3|370> activating new tasks Oct 4 08:53:39 charon 80307 09[IKE] <con3|370> nothing to initiate Oct 4 08:53:42 charon 80307 09[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:42 charon 80307 09[ENC] <con1|366> parsed INFORMATIONAL request 12684 [ ] Oct 4 08:53:42 charon 80307 09[ENC] <con1|366> generating INFORMATIONAL response 12684 [ ] Oct 4 08:53:42 charon 80307 09[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:42 charon 80307 09[KNL] <con2|371> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:42 charon 80307 09[KNL] <con2|371> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:42 charon 80307 09[IKE] <con2|371> sending DPD request Oct 4 08:53:42 charon 80307 09[IKE] <con2|371> queueing IKE_DPD task Oct 4 08:53:42 charon 80307 09[IKE] <con2|371> activating new tasks Oct 4 08:53:42 charon 80307 09[IKE] <con2|371> activating IKE_DPD task Oct 4 08:53:42 charon 80307 09[ENC] <con2|371> generating INFORMATIONAL request 1088 [ ] Oct 4 08:53:42 charon 80307 09[NET] <con2|371> sending packet: from 50.169.69.234[500] to 50.169.69.219[500] (80 bytes) Oct 4 08:53:42 charon 80307 09[NET] <con2|371> received packet: from 50.169.69.219[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:42 charon 80307 09[ENC] <con2|371> parsed INFORMATIONAL response 1088 [ ] Oct 4 08:53:42 charon 80307 09[IKE] <con2|371> activating new tasks Oct 4 08:53:42 charon 80307 09[IKE] <con2|371> nothing to initiate Oct 4 08:53:47 charon 80307 09[IKE] <con4|372> sending DPD request Oct 4 08:53:47 charon 80307 09[IKE] <con4|372> queueing IKE_DPD task Oct 4 08:53:47 charon 80307 09[IKE] <con4|372> activating new tasks Oct 4 08:53:47 charon 80307 09[IKE] <con4|372> activating IKE_DPD task Oct 4 08:53:47 charon 80307 09[ENC] <con4|372> generating INFORMATIONAL request 95 [ ] Oct 4 08:53:47 charon 80307 09[NET] <con4|372> sending packet: from 50.169.69.234[500] to 192.158.19.11[500] (80 bytes) Oct 4 08:53:47 charon 80307 09[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:47 charon 80307 09[ENC] <con1|366> parsed INFORMATIONAL request 12685 [ ] Oct 4 08:53:47 charon 80307 09[ENC] <con1|366> generating INFORMATIONAL response 12685 [ ] Oct 4 08:53:47 charon 80307 09[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:47 charon 80307 09[NET] <con4|372> received packet: from 192.158.19.11[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:47 charon 80307 09[ENC] <con4|372> parsed INFORMATIONAL response 95 [ ] Oct 4 08:53:47 charon 80307 09[IKE] <con4|372> activating new tasks Oct 4 08:53:47 charon 80307 09[IKE] <con4|372> nothing to initiate Oct 4 08:53:49 charon 80307 09[KNL] <con3|370> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:49 charon 80307 09[KNL] <con3|370> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:49 charon 80307 09[IKE] <con3|370> sending DPD request Oct 4 08:53:49 charon 80307 09[IKE] <con3|370> queueing IKE_DPD task Oct 4 08:53:49 charon 80307 09[IKE] <con3|370> activating new tasks Oct 4 08:53:49 charon 80307 09[IKE] <con3|370> activating IKE_DPD task Oct 4 08:53:49 charon 80307 09[ENC] <con3|370> generating INFORMATIONAL request 2253 [ ] Oct 4 08:53:49 charon 80307 09[NET] <con3|370> sending packet: from 50.169.69.234[500] to 50.169.69.203[500] (80 bytes) Oct 4 08:53:49 charon 80307 10[NET] <con3|370> received packet: from 50.169.69.203[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:49 charon 80307 10[ENC] <con3|370> parsed INFORMATIONAL response 2253 [ ] Oct 4 08:53:49 charon 80307 10[IKE] <con3|370> activating new tasks Oct 4 08:53:49 charon 80307 10[IKE] <con3|370> nothing to initiate Oct 4 08:53:52 charon 80307 10[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:52 charon 80307 10[ENC] <con1|366> parsed INFORMATIONAL request 12686 [ ] Oct 4 08:53:52 charon 80307 10[ENC] <con1|366> generating INFORMATIONAL response 12686 [ ] Oct 4 08:53:52 charon 80307 10[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:52 charon 80307 10[KNL] <con2|371> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found Oct 4 08:53:52 charon 80307 10[KNL] <con2|371> querying policy ::/0|/0 === ::/0|/0 in failed, not found Oct 4 08:53:52 charon 80307 10[IKE] <con2|371> sending DPD request Oct 4 08:53:52 charon 80307 10[IKE] <con2|371> queueing IKE_DPD task Oct 4 08:53:52 charon 80307 10[IKE] <con2|371> activating new tasks Oct 4 08:53:52 charon 80307 10[IKE] <con2|371> activating IKE_DPD task Oct 4 08:53:52 charon 80307 10[ENC] <con2|371> generating INFORMATIONAL request 1089 [ ] Oct 4 08:53:52 charon 80307 10[NET] <con2|371> sending packet: from 50.169.69.234[500] to 50.169.69.219[500] (80 bytes) Oct 4 08:53:52 charon 80307 10[NET] <con2|371> received packet: from 50.169.69.219[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:52 charon 80307 10[ENC] <con2|371> parsed INFORMATIONAL response 1089 [ ] Oct 4 08:53:52 charon 80307 10[IKE] <con2|371> activating new tasks Oct 4 08:53:52 charon 80307 10[IKE] <con2|371> nothing to initiate Oct 4 08:53:57 charon 80307 10[IKE] <con4|372> sending DPD request Oct 4 08:53:57 charon 80307 10[IKE] <con4|372> queueing IKE_DPD task Oct 4 08:53:57 charon 80307 10[IKE] <con4|372> activating new tasks Oct 4 08:53:57 charon 80307 10[IKE] <con4|372> activating IKE_DPD task Oct 4 08:53:57 charon 80307 10[ENC] <con4|372> generating INFORMATIONAL request 96 [ ] Oct 4 08:53:57 charon 80307 10[NET] <con4|372> sending packet: from 50.169.69.234[500] to 192.158.19.11[500] (80 bytes) Oct 4 08:53:57 charon 80307 10[NET] <con1|366> received packet: from 66.207.143.1[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:57 charon 80307 10[ENC] <con1|366> parsed INFORMATIONAL request 12687 [ ] Oct 4 08:53:57 charon 80307 10[ENC] <con1|366> generating INFORMATIONAL response 12687 [ ] Oct 4 08:53:57 charon 80307 10[NET] <con1|366> sending packet: from 50.169.69.234[500] to 66.207.143.1[500] (80 bytes) Oct 4 08:53:57 charon 80307 10[NET] <con4|372> received packet: from 192.158.19.11[500] to 50.169.69.234[500] (80 bytes) Oct 4 08:53:57 charon 80307 10[ENC] <con4|372> parsed INFORMATIONAL response 96 [ ] Oct 4 08:53:57 charon 80307 10[IKE] <con4|372> activating new tasks Oct 4 08:53:57 charon 80307 10[IKE] <con4|372> nothing to initiate

Yeah, once I got it configured correctly with the multiple phase 2 connections it was rock solid. Bomb-proof even.

@viragomann Ops! Thanks will correct

Well I believe I sorted it at this point. Because the old FW has multiple IPsec tunnels, a few non VTI, I couldn't enable IPsec Filter Mode. While looking over logs, I noticed that my traffic was entering VTI interface and leaving IPSec interface. So I created a floating rule for asymmetrical routing issues. All I needed to do was alter my IPSEC rules to match any/any TCP:Any, State:Sloppy.

@michmoor I won't argue with you, be polite. That's all.

@adebisi Firewall > Rules, IPsec Rules on that tab govern what connections are allowed into your firewall from IPsec tunnels. There is no way to know what might be required at the other side. You'll have to work with them on that.

@michmoor Fairly new and green with working with pfense. What should I change the update source for the Neighbours BGP ?

@viragomann Well, since I couldn't get the default one to work, I tried VTI and it worked. Not sure what I did wrong with the other method but I did find VTI a bit more like the WG tunnels I have set up in the past. With the gateway and routing settings at least...