  • IPSEC Mobile VPN routing all traffic down another IPSEC tunnel.
    0 Votes, 2 Posts, 343 Views
    jimp: Is the site-to-site tunnel using IKEv2? If so, check the "split connections" box in the P1 settings.
  • VPN IPSec iOS 13 VPN on Demand from App
    0 Votes, 3 Posts, 409 Views
    Tutorial: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html but I had to change some options: [image: 1583178397196-ios13.jpg] [image: 1583178401665-ios132.jpg]
  • NAT/BINAT
    0 Votes, 8 Posts, 2k Views
    I think I found the solution! In the outbound NAT. I'll check.
  • Multi Site Multi WAN Multi VPN - Help Please
    0 Votes, 1 Posts, 238 Views
    No one has replied
  • Draytek on dynamic IP to pfSense on static IP VPN?
    1 Vote, 1 Posts, 184 Views
    No one has replied
  • No connection to IPSec
    0 Votes, 2 Posts, 221 Views
    Sigh, ignore this post... it looks like the router I'm using doesn't support IPSec.
  • IPSec tunnels work for several hours to days but then stop routing traffic
    0 Votes, 10 Posts, 3k Views
    @nbegley I'm not sure why you disable PFS, Disable Rekey, Disable Reauth, or set Responder Only. The more changes you make to pfSense's default settings, the less chance you'll keep tunnels connected. According to my test (10 years ago), Draytek is compatible with pfSense, but I suggest you do your own interoperability test.
    -- Set margin time = 30s.
    -- Set short lifetimes, like 30m Phase 1 and 15m Phase 2.
    -- Do not set Responder Only. Don't Disable Reauth, Disable Rekey, or turn off PFS.
    -- (Just for the purpose of testing) Use different cipher suites for Phase 1 and Phase 2 (say, DH group 15 and 14 respectively).
    If the tunnel can't be established or stops working after 1h, the problem is yours. If it stops after 2 days, go after your ISP.
  • RRAS to pfSense on Azure VM. no virtual IP found for %any
    0 Votes, 1 Posts, 467 Views
    No one has replied
  • Ikev2 eap-mschapv2 on multiple interfaces? Possible?
    0 Votes, 2 Posts, 713 Views
    Hello, thread necromancer here with the same question. I have successfully followed this guide: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html#Create_Client_Pre-Shared_Keys, and have had an IKEv2 P1 set up for years. I have a segmented network, and allowing LAN access to loop back to the WAN interface was creating odd exceptions that allowed a LAN user to have access to services that would be blocked by normal WAN rules, so I explicitly block LAN to WAN_address from a floating rule. I now want to allow IKEv2 from LAN into secure segments, but I can only bind my P1 to one interface. No worries. I went to set up a second P1 on an accessible interface and ran into the same thing as the OP. I'm presented with a 'remote gateway address' option and no EAP options. It's as if pfSense is presuming any additional P1s are always going to be a client, as opposed to the already created server. I may be thinking about this wrong; any help appreciated.
  • Masquerade two different local nets into IPSEC tunnel [solved]
    0 Votes, 4 Posts, 735 Views
    iorx: Hi, almost cross-posting here, because this needs some visibility so others don't have to waste hours finding out that Cisco may need this option with multiple phase 2s for a stable connection. Ref: https://forum.netgate.com/topic/132546/ipsec-phase2-problem-pfsense-checkpoint (a slight hijack of this thread from me). Split Connection was the solution to my problems too. IKEv2, multiple phase 2s and Cisco ASA don't play well together (a single phase 2 had no problems). This particular connection has now been stable, 14h and counting. Brgs,
  • IPSec phase2 problem - pfSense - Checkpoint
    0 Votes, 10 Posts, 2k Views
    iorx: Hi ladies and germs. Split Connection was the solution to my problems. IKEv2, multiple phase 2s and Cisco ASA don't play well together (a single phase 2 had no problems). Split Connection is what got my connection stable, 14h and counting now. A link from the pfSense UI to the docs, or a hint in the description of the option that Cisco probably needs this when running multiple phase 2s, would have been very helpful and saved me a couple of hours. Brgs,
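What the "split connections" option changes, as an added illustration that is not text from the threads above and not the file pfSense writes verbatim: pfSense (2.5 and later) generates a strongSwan swanctl.conf, and with IKEv2 the default is to negotiate all Phase 2 entries of a tunnel as one CHILD_SA whose TSi/TSr payloads each carry several selectors. IKEv2 lets the responder narrow the traffic selectors, and a peer that only accepts one selector pair per CHILD_SA (the Cisco ASA and Checkpoint behaviour the posts report) narrows to the first pair, so the second subnet gets no SA and pfSense's trap policy keeps re-triggering a negotiation for it. "Split connections" negotiates one CHILD_SA per Phase 2, leaving the peer nothing to narrow. The connection name, addresses and subnets below are made up, and the section names follow swanctl.conf syntax rather than pfSense's exact generated layout.

```text
# Without "Split connections": both Phase 2 entries in one CHILD_SA.
# A peer that accepts only a single selector pair narrows this to one,
# and 10.20.0.0/24 <-> 192.168.60.0/24 is left without an SA.
connections {
    con1 {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals = aes256-sha256-modp2048
        children {
            con1 {
                local_ts  = 10.10.0.0/24, 10.20.0.0/24
                remote_ts = 192.168.50.0/24, 192.168.60.0/24
                esp_proposals = aes256gcm16-modp2048
                start_action = trap
            }
        }
    }
}

# With "Split connections": one CHILD_SA per Phase 2, each with a single
# selector pair, so the peer has nothing to narrow.
connections {
    con1 {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals = aes256-sha256-modp2048
        children {
            con1_1 {
                local_ts  = 10.10.0.0/24
                remote_ts = 192.168.50.0/24
                esp_proposals = aes256gcm16-modp2048
                start_action = trap
            }
            con1_2 {
                local_ts  = 10.20.0.0/24
                remote_ts = 192.168.60.0/24
                esp_proposals = aes256gcm16-modp2048
                start_action = trap
            }
        }
    }
}
```

To check which form a running tunnel ended up with, look at `swanctl --list-sas` on the firewall: the combined form shows a single CHILD_SA with two `local` and two `remote` lines, and if the peer narrowed the proposal you will see fewer selectors under the CHILD_SA than you configured in the Phase 2 entries.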
  • Active Phase 2s do not match traffic flowing across tunnel
    0 Votes, 1 Posts, 227 Views
    No one has replied
  • duplicate tunnels
    0 Votes, 10 Posts, 596 Views
    I'm going to have to google some of the things you talked about. I set reauth = no and rekey = no. It's been about 2 days and so far so good: no reboots needed and no duplicate tunnels creeping up.
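A way to see the symptoms from the "tunnels stop routing traffic" and "duplicate tunnels" threads above on the firewall itself, as an added example that is not code from the threads or from pfSense: pfSense drives strongSwan, and both symptoms show up in `swanctl --list-sas` as two INSTALLED CHILD_SAs with identical traffic selectors under one IKE_SA, the newer one carrying no inbound bytes. The script below parses that plain-text output, flags such duplicates (allowing for the short overlap a normal rekey produces within the configured margin time), flags the newest SA of a duplicate pair carrying no inbound traffic, and checks that each CHILD_SA rekeys at least the margin before its hard expiry, which is the relationship the 30s margin / short lifetime advice above relies on. The sample output is constructed to resemble swanctl's format; the connection name, addresses and SPIs are made up.

```python
"""Audit `swanctl --list-sas` output for duplicate CHILD_SAs and rekey windows.

Added example (not from the forum or pfSense). SAMPLE is constructed to mimic
swanctl's plain-text output; the connection name, addresses and SPIs are
made up.
"""
import re
from collections import defaultdict

SAMPLE = """\
con1000: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 7200s ago, rekeying in 3600s, reauth in 79200s
  con1000: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_2048
    installed 1500s ago, rekeying in 300s, expires in 1200s
    in  c1a2b3c4,  84000 bytes,   700 packets
    out d4c3b2a1,  92000 bytes,   750 packets
    local  10.10.0.0/24
    remote 192.168.50.0/24
  con1000: #11, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_2048
    installed 60s ago, rekeying in 1740s, expires in 2640s
    in  e5f6a7b8,      0 bytes,     0 packets
    out b8a7f6e5,   1200 bytes,    10 packets
    local  10.10.0.0/24
    remote 192.168.50.0/24
  con1000: #10, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_2048
    installed 1500s ago, rekeying in 1190s, expires in 1200s
    in  11223344,  50000 bytes,   400 packets
    out 44332211,  51000 bytes,   410 packets
    local  10.20.0.0/24
    remote 192.168.60.0/24
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv(\d)")          # no indent
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+), ESP:(\S+)")
TIMER_RE = re.compile(r"installed (\d+)s ago(?:, rekeying in (\d+)s)?(?:, expires in (\d+)s)?")
BYTES_RE = re.compile(r"^\s+(in|out)\s+[0-9a-f]+,\s+(\d+) bytes")
TS_RE = re.compile(r"^\s+(local|remote)\s+([0-9a-fA-F.:/]+)$")    # child selectors only


def parse_child_sas(text):
    """Return one dict per CHILD_SA, tagged with the (name, id) of its IKE_SA."""
    ike, cur, children = None, None, []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike = (m.group(1), int(m.group(2)))
            cur = None  # the IKE_SA's own local/remote lines are endpoints, not selectors
            continue
        m = CHILD_RE.match(line)
        if m:
            cur = {"ike": ike, "id": int(m.group(2)), "reqid": int(m.group(3)),
                   "state": m.group(4), "installed": None, "rekey_in": None,
                   "expires_in": None, "in_bytes": 0, "out_bytes": 0,
                   "local": None, "remote": None}
            children.append(cur)
            continue
        if cur is None:
            continue
        m = TIMER_RE.search(line)
        if m:
            cur["installed"] = int(m.group(1))
            cur["rekey_in"] = int(m.group(2)) if m.group(2) else None
            cur["expires_in"] = int(m.group(3)) if m.group(3) else None
            continue
        m = BYTES_RE.match(line)
        if m:
            cur[m.group(1) + "_bytes"] = int(m.group(2))
            continue
        m = TS_RE.match(line)
        if m:  # a CHILD_SA negotiated without split connections lists several selectors
            key, val = m.group(1), m.group(2)
            cur[key] = val if cur[key] is None else cur[key] + "," + val
    return children


def audit(text, margin=30):
    """Return findings as strings. `margin` is the configured rekey margin in
    seconds: after a rekey the old CHILD_SA is deleted promptly, so two SAs for
    the same selectors that are both older than the margin are a real duplicate."""
    findings = []
    groups = defaultdict(list)
    for c in parse_child_sas(text):
        if c["state"] == "INSTALLED":
            groups[(c["ike"], c["local"], c["remote"])].append(c)
    for (ike, local, remote), sas in groups.items():
        if len(sas) > 1 and min((s["installed"] or 0) for s in sas) > margin:
            ids = ", ".join("#%d" % s["id"] for s in sorted(sas, key=lambda s: s["id"]))
            findings.append("duplicate CHILD_SA %s for %s<->%s under %s#%d"
                            % (ids, local, remote, ike[0], ike[1]))
            newest = max(sas, key=lambda s: s["id"])
            if newest["in_bytes"] == 0 and any(s["in_bytes"] for s in sas):
                findings.append("newest CHILD_SA #%d carries no inbound traffic" % newest["id"])
        for s in sas:
            if s["rekey_in"] is not None and s["expires_in"] is not None \
                    and s["expires_in"] - s["rekey_in"] < margin:
                findings.append("CHILD_SA #%d rekeys only %ds before hard expiry"
                                % (s["id"], s["expires_in"] - s["rekey_in"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live firewall feed it the real output (`swanctl --list-sas | python3 audit_sas.py` with `sys.stdin.read()` in place of SAMPLE, a hypothetical file name) and pass the margin time the Phase 1/Phase 2 entries are configured with; a duplicate that survives past the margin, or a newest SA with zero inbound bytes while the older one still counts packets, is the state the threads describe rather than a rekey in progress.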
  • pfSense to Sonicwall with failover on Sonicwall
    0 Votes, 3 Posts, 461 Views
    @Perforado thanks for the reply! The dual gateway is on the Sonicwall, not the pfSense. What I am wondering is how to best leverage Sonicwall failover to a site pfSense IP.
  • ipsec1000 down
    0 Votes, 2 Posts, 216 Views
    Solved.
  • How to setup multiple concurrent L2TP users?
    Tags: l2tp, vpn, ipsec
    0 Votes, 2 Posts, 472 Views
    I could not find my previous post; I thought it was not posted properly. Now I found it but cannot remove this one... please, Admin, remove it and pardon my mistake.
  • IKEv2 Certificate + EAP (Username/Password) and freeradius
    0 Votes, 4 Posts, 980 Views
    jimp: Correct. You can choose from either EAP-TLS, which has certificates in both directions (client and server), or EAP-MSCHAPv2/EAP-RADIUS, which has user auth + clients validating the server certificate. There isn't a way for both to work currently. (And even if strongSwan supported it, I'm not sure any clients do.)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.