no idea sorry, as jimp mentioned 0.0.0.0 is used for other stuff inside pfsense, you need to wait for the dev to find a better solution or use dyndns

@jimp Yup, i was just typing up a response saying I found that while reviewing my post. It's always the little things. thanks for guiding me through the troubleshooting steps! edit: It also was set to "LAN Address" instead of "LAN Net"

@jimp said in IPSEC VTI Interface neighbor MTU 1500 is larger then ipsec2000´s MTU 1400: affe8a552ef1f7b8e59f3b60fd1421aa46f45b03 Done. Thank you.

Was able to get internal clients connecting just by adding a host override for my vpn domain name to point to pfsense e.g. 192.168.1.1 instead of trying to come in via the WAN IP Not sure what I achieved in the end, but happy days..

No wonder it's broken. Every tunnel should be using a unique set of identifiers. Otherwise nothing can be distinguished from each other.

@unsichtbarre No, I don't think you can create a phase 2 VTI and a legacy phase 2 under the same phase 1. You would need to create a new VTI based IPSEC tunnel between sites A and B and use that exclusively. Although it might be possible to run parallel IPSEC tunnels if the endpoint IP is different at one end or the other.

I figured it out! Because of the way that my gateways are configured, I had to set up a firewall rule for Site B's subnet on Site A's router under IPSec that has a gateway that is the same as my outbound NAT.

me too[image: 1581008235645-capture.png]

Thanks Manuel ! This was just what I was looking for. At least, when tried from the firewall, it worked (127.0.0.1 and LAN gw answered after the change). I will visit the customer and double check it from the workstation but pretty sure that this was the solution. Appreciate Your help. / best regards, pete

@kiokoman thx your right

UP