• CLI Options to Re-establish Collapsed Tunnel

    0 Votes
    3 Posts
    492 Views
    @jimp Thanks! Will start digging into this.
  • IPsec (VTI) memory leak.

    0 Votes
    3 Posts
    596 Views
    0daymaster0
    @jimp So I don't have definitive proof but both my core router and branch router started swapping out. My branch router filled up its swap then crashed. My core router would have crashed also but it has 32 GB of RAM while my branch router only has 16 GB of RAM. The memory usage tracks exactly with the backup job. Core router memory overview including swap usage: [image: 1578929196685-86018311-ff80-4f6e-b75d-d9e87f6688d2-image.png] Branch router memory overview including swap usage: [image: 1578929249429-8f08546d-07dd-419b-a5a2-c71ed244eb9a-image.png] For the time being I am moving all my tunnels that I can over to OpenVPN. This is unfortunate as OpenVPN does not get good performance and I have some remote sites with Fortigate firewalls. Fortigate does not support OpenVPN.
  • IPSec / Road Warrior not working on pfSense 2.4.4

    0 Votes
    1 Posts
    250 Views
    No one has replied
  • max number of ipsec tunnels for c3758 processor

    0 Votes
    7 Posts
    926 Views
    IOW the limitation is likely not the number of IPsec tunnels, but the total amount of traffic they carry, which will run into bandwidth limits or CPU encryption/decryption capacity limits, whichever comes first. You can realistically expect 400-900 Mbps of total encrypted traffic on that box, depending on traffic complexity. Hope this helps.
  • Problem with NAT on IPSEC for Networks not in Phase2

    0 Votes
    1 Posts
    259 Views
    No one has replied
  • Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4

    0 Votes
    2 Posts
    498 Views
    JeGr
    @Sal said in Is it necessary to add the 4500(IPsec Nat-T) and 500 (ISAKmp) on the WAN?? pfsense 2.4.4: "I thought that the important part is to add the rules on the IPsec interface, not the WAN. Is this correct ??" Rules for 4500/500 on your IPSEC interface? Makes no sense. Those ports have to be working on your WAN so incoming IPSEC connections are passed through. On your tunnel/IPSEC interface, rules for those ports make no sense. But IMHO IPSec ports are accepted automatically on WAN if IPSEC connections are configured. "but I noticed that the tunnel is connected." IPSEC can be initiated bi-directionally, so every side can be initiator or receiver. The tunnel coming up doesn't mean you already have working rules, as it could have been initiated from the second site to the first, where you created the rules yourself. But as stated above, if I remember correctly those IPSEC rules are created automatically (and that automation can be switched off in adv. settings).
  • Port-forward IPSec-Traffic

    0 Votes
    1 Posts
    297 Views
    No one has replied
  • IPsec rules to only allow specific pc's

    0 Votes
    1 Posts
    241 Views
    No one has replied
  • IKEv2 to Windows10

    0 Votes
    11 Posts
    2k Views
    Hello, sorry for the delay! It now works perfectly for me and I think it was a problem with my mobile connection. It works with the Android StrongSwan app, with the default configuration on Windows 10 (IKEv2) and with the PowerShell-generated connection mentioned by @lfoerster. Thank you, Robert
  • One side pfsense behind NAT 1:1 and another as peer

    0 Votes
    8 Posts
    1k Views
    Someone? =/
  • IPsec Tunnel goes down with end of SA Lifetime - SOLVED!!!

    0 Votes
    5 Posts
    5k Views
    SOLVED!!!! Searching for answers I stumbled on another post that was having the same problem, and it pointed me to a problem in my setup: I had PFS enabled on the pfSense and disabled on the USG. Thanks to those that stopped to help; hopefully this post will help someone in the future. Scot
  • What is proper way to add P2 routes for additional networks?

    0 Votes
    3 Posts
    520 Views
    @jimp Thank you. Perfect explanation and I think you may have solved my issue. I was not doing the P2 segments at the hub correctly. I didn't have any P2 entries with links between remote offices. I kept trying to create them with the hub as the distribution point.
  • IPsec slow even on direct local Gbps link

    0 Votes
    5 Posts
    987 Views
    @lguy2000 I didn't try those particular settings yet. I'm testing on 1 Gb WAN to WAN. Both sides on ATT fiber and only getting about 60 Mbps tops. Phase 1 is AES128-GCM, 128 bit, with AES-XCBC hash on DH14. Phase 2 is AES128-GCM, 128, with no hash, DH14.
  • How to measure IPSec tunnel throughput using Iperf3 and UDP protocol

    0 Votes
    1 Posts
    190 Views
    No one has replied
  • IPsec IKEv2 with two P2 - traffic selectors unacceptable

    0 Votes
    2 Posts
    1k Views
    jimp
    What do the lines for the network(s) look like in /var/etc/ipsec/ipsec.conf on both sides? What does ipsec statusall show on both sides? This is probably one of many things fixed by the IPsec swanctl conversion on 2.5.0, but you may not want to make that leap on production systems yet.
  • (SOLVED) IPSec with VPN clients

    0 Votes
    6 Posts
    861 Views
    I solved it! As suspected, the problem was in the second P2 that is dealing with the VPN subnet. Each P2 should have a match on the other site, but mirrored. And since I needed VPN clients connected to Office A to be able to access machines in Office B LAN, and VPN clients connected to Office B to be able to access machines in Office A LAN, this required a third pair of P2 on both sides. [image: 1578251647497-ipsec_p2_final.png] Thanks @netblues for the ideas!
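A checker for the three Phase 2 pitfalls that come up in the threads above (the "traffic selectors unacceptable" error, the rule that each P2 must have a mirrored P2 on the other side, and the PFS mismatch that drops a tunnel at SA lifetime), as an added example that is not code from these threads or from pfSense. It models each pfSense Phase 2 entry as its Local Network, Remote Network and PFS group, and reports any P2 on one side that has no mirror image on the other or whose PFS setting differs. The site names, subnets and PFS groups are constructed inputs, not anything from the posts:

```python
"""Check that two IPsec peers' Phase 2 (child SA) entries mirror each other.

Constructed example; not code from the forum thread or from pfSense.
Subnets, site names and PFS groups are made-up inputs.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Phase2:
    local: str       # "Local Network" in the pfSense P2 form (CIDR)
    remote: str      # "Remote Network" in the pfSense P2 form (CIDR)
    pfs_group: int   # DH group for PFS; 0 means PFS disabled


def _net(cidr: str) -> str:
    # Normalise so 10.10.0.5/24 and 10.10.0.0/24 compare equal.
    return str(ipaddress.ip_network(cidr, strict=False))


def check_mirrored(side_a, side_b):
    """Return a list of problems; an empty list means every P2 on A has a
    mirrored P2 on B (A.local == B.remote and A.remote == B.local), every P2
    on B has one on A, and each matched pair agrees on PFS."""
    problems = []
    # Index B by (B.remote, B.local) so it can be looked up with A's (local, remote).
    b_index = {(_net(p.remote), _net(p.local)): p for p in side_b}
    a_index = {(_net(p.local), _net(p.remote)): p for p in side_a}

    for p in side_a:
        match = b_index.get((_net(p.local), _net(p.remote)))
        if match is None:
            problems.append(
                f"A {p.local} <-> {p.remote}: no mirrored P2 on B "
                f"(as responder, B answers TS_UNACCEPTABLE)")
        elif match.pfs_group != p.pfs_group:
            problems.append(
                f"PFS mismatch for {p.local} <-> {p.remote}: A uses group "
                f"{p.pfs_group}, B uses group {match.pfs_group} "
                f"(first CHILD_SA typically comes up; the rekey at SA lifetime fails)")
    for p in side_b:
        if (_net(p.remote), _net(p.local)) not in a_index:
            problems.append(f"B {p.local} <-> {p.remote}: no mirrored P2 on A")
    return problems


# Constructed sample: office LANs plus a mobile-client pool behind each office.
SITE_A = [
    Phase2("10.10.0.0/24",   "10.20.0.0/24",   14),  # LAN A <-> LAN B
    Phase2("10.10.100.0/24", "10.20.0.0/24",   14),  # VPN clients at A <-> LAN B
    Phase2("10.10.0.0/24",   "10.20.100.0/24", 14),  # LAN A <-> VPN clients at B
]
SITE_B_GOOD = [
    Phase2("10.20.0.0/24",   "10.10.0.0/24",   14),
    Phase2("10.20.0.0/24",   "10.10.100.0/24", 14),
    Phase2("10.20.100.0/24", "10.10.0.0/24",   14),
]
# Same site with two typical mistakes: PFS off on the first P2, third P2 missing.
SITE_B_BROKEN = [
    Phase2("10.20.0.0/24",   "10.10.0.0/24",   0),
    Phase2("10.20.0.0/24",   "10.10.100.0/24", 14),
]


def good_example():
    return check_mirrored(SITE_A, SITE_B_GOOD)


def broken_example():
    return check_mirrored(SITE_A, SITE_B_BROKEN)


if __name__ == "__main__":
    print("good:", good_example() or "no problems")
    for problem in broken_example():
        print("broken:", problem)
```

The comparison is on normalised networks rather than raw strings, because a P2 typed as a host address inside the subnet on one side still collapses to the same selector. Run it against both peers' P2 lists before looking at `ipsec statusall` or `swanctl --list-sas`; a missing mirror or a PFS mismatch found here explains most "tunnel up but no traffic" and "drops at lifetime" reports without any packet capture.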
  • Multiple P2's show on PFsense to PFsense connections with same routes??

    0 Votes
    3 Posts
    566 Views
    WB3FFV
    So looking at the VPN config screen (I use IKEv2), I see under advanced options for Disable Rekey, and Disable Reauth, along with a margintime setting. Is this saying that I just need to select "disable rekey" to make this work correctly??
  • IPSec with remote subnet that's also another local subnet

    0 Votes
    1 Posts
    336 Views
    No one has replied
  • How to let PFsense IPsec "Route Vti" interface response to PING?

    0 Votes
    3 Posts
    1k Views
    bluegrass-168
    @jimp This works, thanks! [image: FGTest.jpg]
  • Mobile IPsec clients cannot see traffic from LAN

    0 Votes
    2 Posts
    343 Views
    Derelict
    My first thought is your USB ethernet is misbehaving. How is your IPsec tunnel configured?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.