I could not find my previous post; I thought it was not posted properly. Now I found it but cannot remove this one... please, Admin, remove it and pardon my mistake.
Correct. You can choose from either EAP-TLS which has certificates in both directions (client and server) or EAP-MSCHAPv2/EAP-RADIUS which has user auth + clients validate server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do)
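The two mutually exclusive authentication setups described in the reply above, as an added strongSwan `swanctl.conf` illustration (not from the original post or from pfSense's generated configuration): one connection authenticates the client with its own certificate (EAP-TLS), the other with a username and password (EAP-MSCHAPv2) while the client still validates the server's certificate. Connection names, `vpn.example.com`, the certificate file names, the pool range and the test user are assumptions.

```conf
# Added example, not the page's own configuration. Two separate connections:
# a road-warrior setup can use one or the other, not both on the same peer.
connections {
  # Option 1: certificates in both directions (server cert + client cert via EAP-TLS)
  rw-eap-tls {
    version = 2
    local_addrs = 0.0.0.0
    pools = rw-pool                 # assumed pool name, defined below
    local {
      auth = pubkey
      certs = serverCert.pem        # assumed server certificate file
      id = vpn.example.com          # must match the SAN clients are told to verify
    }
    remote {
      auth = eap-tls                # client presents its own certificate inside EAP
      eap_id = %any
    }
    children {
      net {
        local_ts = 0.0.0.0/0
        esp_proposals = aes256gcm16-prfsha256-ecp256
      }
    }
  }

  # Option 2: user/password auth; client validates the server certificate only
  rw-eap-mschapv2 {
    version = 2
    local_addrs = 0.0.0.0
    pools = rw-pool
    local {
      auth = pubkey
      certs = serverCert.pem
      id = vpn.example.com
    }
    remote {
      auth = eap-mschapv2           # no client certificate; credentials below
      eap_id = %any
    }
    children {
      net {
        local_ts = 0.0.0.0/0
        esp_proposals = aes256gcm16-prfsha256-ecp256
      }
    }
  }
}

pools {
  rw-pool {
    addrs = 10.10.0.0/24            # assumed virtual IP range for clients
  }
}

secrets {
  # EAP credential for Option 2 (constructed sample user; store real secrets elsewhere)
  eap-alice {
    id = alice
    secret = "REPLACE-WITH-STRONG-PASSWORD"
  }
}
```

The defender's point in Option 2 is that the server certificate is the only thing protecting the MSCHAPv2 exchange, so the client must be configured to verify the server identity (`vpn.example.com`) against a trusted CA rather than accepting any certificate.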
@jimp
Yup, I was just typing up a response saying I found that while reviewing my post. It's always the little things. Thanks for guiding me through the troubleshooting steps!
edit: It also was set to "LAN Address" instead of "LAN Net"
Was able to get internal clients connecting just by adding a host override for my VPN domain name to point to pfSense, e.g. 192.168.1.1, instead of trying to come in via the WAN IP.
Not sure what I achieved in the end, but happy days.. 😂
@unsichtbarre No, I don't think you can create a phase 2 VTI and a legacy phase 2 under the same phase 1.
You would need to create a new VTI-based IPsec tunnel between sites A and B and use that exclusively.
Although it might be possible to run parallel IPsec tunnels if the endpoint IP is different at one end or the other.
I figured it out! Because of the way that my gateways are configured, I had to set up a firewall rule for Site B's subnet on Site A's router under IPsec that has a gateway that is the same as my outbound NAT.