• [IPSEC site-to-site] Subnets Connectivity

    0 Votes, 32 Posts, 3k Views, last reply by awebster

    @nomatter Thanks for the follow-up.
    I've not experimented with VTI source NAT before, and I'm surprised to see that it doesn't in fact work.

  • IPv6 IKEv1 tunnel not established if FQDN is used as Remote Gateway

    0 Votes, 4 Posts, 568 Views

    @jimp Thanks. I'm glad to hear that it is known and somebody is working on it. Can't wait for pfSense v2.5.

  • IPSec established but not work properly

    0 Votes, 2 Posts, 342 Views

    Update:

    The remote network is 10.90.0.0/16.

    When this problem appears, sometimes I can ping a host in one VLAN and not another host in another VLAN. For example:

    When I ping a host on VLAN 6 (10.90.6.22/24), the ping does not work, and when I ping VLAN 19 (10.90.19.63), the ping works. The problem with VLANs is random.

    I tried to disable DPD but the result is the same.

  • No internet access through VPN connection to pfsense

    0 Votes, 4 Posts, 5k Views

    You are absolutely awesome! Thank you so much. I wasn't thinking of that. I disabled "pull routes", and it worked right away :-).

  • Site-to-Site Authentication Fails

    0 Votes, 4 Posts, 2k Views, last reply by jimp

    NAT will make that trickier but usually you can get around that by setting appropriate identifiers. I wouldn't use hostnames in those fields for identifiers, though. It isn't handled there like it is in the remote gateway field. Try setting the identifiers explicitly to a value on both sides and see what happens.

  • ipsec tunnel established but i see same isp ip address

    0 Votes, 1 Post, 162 Views, No one has replied

  • CLI Options to Re-establish Collapsed Tunnel

    0 Votes, 3 Posts, 411 Views

    @jimp Thanks! Will start digging into this.

  • IPsec (VTI) memory leak.

    0 Votes, 3 Posts, 528 Views, last reply by 0daymaster

    @jimp So I don't have definitive proof but both my core router and branch router started swapping out. My branch router filled up its swap then crashed. My core router would have crashed also but it has 32 GB of RAM while my branch router only has 16 GB of RAM. The memory usage tracks exactly with the backup job.

    Core router memory overview including swap usage:

    [image: core router memory overview]

    Branch router memory overview including swap usage:

    [image: branch router memory overview]

    For the time being I am moving all my tunnels that I can over to OpenVPN. This is unfortunate as OpenVPN does not get good performance and I have some remote sites with Fortigate firewalls. Fortigate does not support OpenVPN.

  • IPSec/ Road Warrior not working on pfsense2.4.4

    0 Votes, 1 Post, 218 Views, No one has replied

  • max number of ipsec tunnels for c3758 processor

    0 Votes, 7 Posts, 714 Views

    IOW the limitation is likely not the number of IPsec tunnels, but the total amount of traffic they carry, which will run into bandwidth limits or CPU encryption/decryption capacity limits, whichever comes first. You can realistically expect 400-900 Mbps of total encrypted traffic on that box, depending on traffic complexity. Hope this helps.

  • Problem with NAT on IPSEC for Networks not in Phase2

    0 Votes, 1 Post, 227 Views, No one has replied

  • Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4

    0 Votes, 2 Posts, 423 Views, last reply by JeGr

    @Sal said in Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4:

    I thought that the important part is to add the rules on the IPsec interface, not the WAN. Is this correct ??

    Rules for 4500/500 on your IPSEC interface? Makes no sense. Those ports have to be working on your WAN so incoming IPSEC connections are passed through. On your tunnel/IPSEC interface those rules for those ports make no sense.

    But IMHO IPSec Ports are accepted automatically on WAN if IPSEC connections are configured.

    but I noticed that the tunnel is connected.

    IPSEC can be initiated bi-directionally. So every side can be initiator or receiver. The tunnel coming up doesn't mean you already have working rules, as it could have been initiated from the second site to the first, where you created the rules yourself. But as stated above, if I remember correctly IPSEC is created automatically (and that automation can be switched off in adv. settings).

  • Port-forward IPSec-Traffic

    0 Votes, 1 Post, 262 Views, No one has replied

  • IPsec rules to only allow specific pc's

    0 Votes, 1 Post, 208 Views, No one has replied

  • IKEv2 to Windows10

    0 Votes, 11 Posts, 1k Views

    Hello,

    Sorry for the delay!
    It now works perfectly for me and I think it was a problem with my mobile connection.
    It works with the Android StrongSwan app, with the default configuration on Windows 10 (IKEv2) and with the PowerShell-generated connection mentioned by @lfoerster.

    Thank you
    Robert

  • One side pfsense behind NAT 1:1 and another as peer

    0 Votes, 8 Posts, 832 Views

    Someone? =/

  • IPsec Tunnel goes down with end of SA Lifetime - SOLVED!!!

    0 Votes, 5 Posts, 4k Views

    SOLVED!!!!

    Searching for answers I stumbled on another post that was having the same problem. And it pointed me to a problem in my setup… I had PFS enabled on the pfSense and disabled on the USG.

    Thanks to those that stopped to help, hopefully this post will help someone in the future.

    Scot

  • What is proper way to add P2 routes for additional networks?

    0 Votes, 3 Posts, 413 Views

    @jimp Thank you. Perfect explanation and I think you may have solved my issue. I was not doing the P2 segments at the hub correctly. I didn't have any P2 entries with links between remote offices. I kept trying to create them with the hub as the distribution point.

  • IPsec slow even on direct local Gbps link

    0 Votes, 5 Posts, 860 Views

    @lguy2000 I didn't try those particular settings yet. I'm testing on 1gb WAN to WAN. Both sides on ATT fiber and only getting about 60Mbps tops.

    Phase 1 is AES128-GCM, 128 bit with AES-XCBC hash on DH14
    Phase 2 is AES128-GCM, 128 with no hash, DH14

  • How to measure IPSec tunnel throughput using Iperf3 and UDP protocol

    0 Votes, 1 Post, 177 Views, No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.