• 0 Votes
    2 Posts
    380 Views
    jimpJ
    If you have them configured on a P1 or P2 they should be proposed and used if needed. You'll need to show the contents of your /var/etc/ipsec/ipsec.conf and the related IPsec logs to tell anything for sure.
  • IPsec unidirectional traffic with P1 remote gateway 0.0.0.0

    2
    0 Votes
    2 Posts
    396 Views
    I
    I missed an important detail: the topology of the IPsec is VTI routed.
  • Change IP address

    12
    0 Votes
    12 Posts
    3k Views
    NogBadTheBadN
    @kidlat020 said in Change IP address: This subforum seems to be the closest topic to my problem. Please move if not. I'm running a net cafe. Somebody from my customer pool was using maphack, and unfortunately it resulted in an IP ban. This means anybody (myself included) is banned from connecting to the game as far as the covered IP is concerned. And yes, my net cafe is under the pfsense area of influence. I tried logging in using a wireless connection (outside pfsense area of influence) and successfully logged in, even though both were using the same ISP. (If anyone's curious, this game was RGC.) Is there any way to change my IP? My current setup if this will help: pfsense LAN IP: 192.168.0.1 pfsense WAN IP: 192.168.1.10 edit: changing LAN IP or WAN IP solved nothing. This is starting to feel weird. Changing your WAN IP won't do anything as it's an RFC1918 address.
  • IPSec tunnel between two local subnets (no Internet)

    4
    0 Votes
    4 Posts
    600 Views
    L
    @rodak said in IPSec tunnel between two local subnets (no Internet): Is this a proper setup, or my way of thinking is wrong? Yep, that's perfectly correct! You can use either IPsec VPNs or an OpenVPN based VPN. pfSense gives you both options!
  • L2TP/IPsec VPN setup - need help

    4
    0 Votes
    4 Posts
    785 Views
    havastamasH
    Update: I followed this article and set up VPN: link Now I have a VPN that works with my Android phone, but my Windows 10 PC can't connect to it. The Windows 10 log says error 788 when I try to connect to the server. The ipsec log:
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (368 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ SA V V V V V V ]
    Dec 23 18:34:38 charon 07[CFG] <5> looking for an IKEv1 config for 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79...2a01:36d:1000:2bbe::1003
    Dec 23 18:34:38 charon 07[CFG] <5> candidate: %any...%any, prio 24
    Dec 23 18:34:38 charon 07[CFG] <5> found matching ike config: %any...%any with prio 24
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    Dec 23 18:34:38 charon 07[IKE] <5> received MS NT5 ISAKMPOAKLEY vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> received FRAGMENTATION vendor ID
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: fb:1d:e3f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Dec 23 18:34:38 charon 07[IKE] <5> 2a01:36d:1000:2bbe::1003 is initiating a Main Mode IKE_SA
    Dec 23 18:34:38 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
    Dec 23 18:34:38 charon 07[CFG] <5> selecting proposal:
    Dec 23 18:34:38 charon 07[CFG] <5> proposal matches
    Dec 23 18:34:38 charon 07[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Dec 23 18:34:38 charon 07[CFG] <5> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Dec 23 18:34:38 charon 07[CFG] <5> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
    Dec 23 18:34:38 charon 07[IKE] <5> sending XAuth vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> sending DPD vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> sending FRAGMENTATION vendor ID
    Dec 23 18:34:38 charon 07[ENC] <5> generating ID_PROT response 0 [ SA V V V ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (140 bytes)
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (180 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ KE No ]
    Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:34:38 charon 07[ENC] <5> generating ID_PROT response 0 [ KE No ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (164 bytes)
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (92 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ ID HASH ]
    Dec 23 18:34:38 charon 07[CFG] <5> looking for pre-shared key peer configs matching 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79...2a01:36d:1000:2bbe::1003[2a01:36d:1000:2bbe::1003]
    Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:34:38 charon 07[IKE] <5> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Dec 23 18:34:38 charon 07[IKE] <5> queueing INFORMATIONAL task
    Dec 23 18:34:38 charon 07[IKE] <5> activating new tasks
    Dec 23 18:34:38 charon 07[IKE] <5> activating INFORMATIONAL task
    Dec 23 18:34:38 charon 07[ENC] <5> generating INFORMATIONAL_V1 request 3049540974 [ HASH N(AUTH_FAILED) ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (92 bytes)
    Dec 23 18:34:38 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CONNECTING => DESTROYING
  • 0 Votes
    2 Posts
    326 Views
    J
    [Solved] VPN-->IPsec-->Mobile Clients-->Client Configuration-->Network List: [uncheck] Provide a list of accessible networks to clients
  • IPSec site to site to 2 Merakis. One works, one doesn't?

    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • What clue did I miss?

    Moved
    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • IPSEC tunnel does not recover when internet connection is restored

    1
    0 Votes
    1 Posts
    257 Views
    No one has replied
  • Tunnel issue with Pfsense on premise to aws

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    @tbaror said in Tunnel issue with Pfsense on premise to aws:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
    Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.
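    The two log excerpts above (the L2TP/IPsec post's "none allows pre-shared key authentication using Main Mode" and this post's TS_UNACCEPT) are the kind of lines a practitioner ends up grepping for by hand. The script below is an added example, not pfSense or strongSwan code: it parses charon log lines and reports the authentication-mode rejection, a selected IKE proposal that contains a legacy algorithm, and a traffic selector mismatch compared against a local Phase 2 table. The sample lines are constructed from the excerpts in the two posts; LOCAL_P2 is an assumed local Phase 2 table, not anything taken from the posters' configurations.

```python
"""Triage strongSwan (charon) IKE log lines for the failures shown on this page.

Added example, not pfSense or strongSwan code. SAMPLE_* lines are constructed
from the forum excerpts; LOCAL_P2 is an assumed local Phase 2 configuration.
"""
import ipaddress
import re

# Generic charon prefix: "<date> charon <thread>[<group>] <ike-sa> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<sa>[^>]+)> (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"found (?P<n>\d+) matching config, but none allows (?P<auth>.+?) authentication using (?P<mode>.+)"
)
SEL_RE = re.compile(r"selected proposal: IKE:(?P<algs>\S+)")
TS_RE = re.compile(r"traffic selectors (?P<us>[^|\s]+)\|/0 === (?P<them>[^|\s]+)\|/0 unacceptable")
WEAK_ALGS = {"3DES_CBC", "DES_CBC", "MODP_768", "MODP_1024", "HMAC_MD5_96"}

SAMPLE_L2TP_LOG = [  # constructed from the L2TP/IPsec post
    "Dec 23 18:34:38 charon 07[CFG] <5> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384",
    'Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)',
    "Dec 23 18:34:38 charon 07[IKE] <5> found 1 matching config, but none allows pre-shared key authentication using Main Mode",
    "Dec 23 18:34:38 charon 07[ENC] <5> generating INFORMATIONAL_V1 request 3049540974 [ HASH N(AUTH_FAILED) ]",
]
SAMPLE_AWS_LOG = [  # constructed from the AWS tunnel post
    "Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0",
    "Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable",
    "Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]",
]
# Assumed local Phase 2 entries as (local network, remote network) strings.
LOCAL_P2 = [("10.13.0.0/16", "10.109.0.0/16")]


def parse_line(line):
    """Split one charon line into its fields, or return None for non-charon lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, local_p2=LOCAL_P2):
    """Return a list of (kind, detail) findings for the given log lines."""
    p2 = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in local_p2]
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        msg = entry["msg"]
        if m := AUTH_RE.search(msg):
            findings.append(("auth_mode",
                             f"{m['n']} config matched the peer but none permits {m['auth']} "
                             f"with {m['mode']}: check the Phase 1 authentication method and negotiation mode"))
        elif m := SEL_RE.search(msg):
            weak = sorted(set(m["algs"].split("/")) & WEAK_ALGS)
            if weak:
                findings.append(("weak_proposal", f"selected IKE proposal uses {', '.join(weak)}"))
        elif m := TS_RE.search(msg):
            us, them = ipaddress.ip_network(m["us"]), ipaddress.ip_network(m["them"])
            ours = [r for l, r in p2 if l == us]
            if ours and them not in ours:
                detail = (f"peer proposed {us} === {them}, local Phase 2 for {us} expects "
                          f"{ours[0]}: remote network mismatch")
            else:
                detail = f"peer proposed {us} === {them}, no local Phase 2 with local network {us}"
            findings.append(("ts_mismatch", detail))
    return findings


if __name__ == "__main__":
    for name, log in (("l2tp", SAMPLE_L2TP_LOG), ("aws", SAMPLE_AWS_LOG)):
        for kind, detail in triage(log):
            print(f"{name}: {kind}: {detail}")
```

    Run against a live log with `triage(open("/var/log/ipsec.log").read().splitlines(), your_p2_table)`; the selector comparison is exact network equality, because that is what strongSwan requires for a narrowed IKEv2 CHILD_SA to succeed against the peer's configured selectors.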
  • Exclude Multiple Subnets In IPSec

    3
    0 Votes
    3 Posts
    420 Views
    M
    Thank you for your reply, here's the scenario: I have 4 subnets: LAN: 172.16.9.0/24, MGMT: 172.16.121.0/24, LAB1: 172.16.122.0/24, LAB2: 172.16.123.0/24. I want to route internet traffic for one of my servers in "LAB2" through IPsec. When the tunnel comes up the internet traffic for this server goes through the IPsec tunnel and works perfectly, but none of my machines in the other subnets can communicate with that server. I've tried everything in firewall rules but no hope.
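    The symptom in the post above is what a policy-based Phase 2 of "server -> 0.0.0.0/0" does by construction: the request from a LAN host reaches the server normally, but the server's reply matches the catch-all policy and is pushed into the tunnel instead of back to the LAN. The model below is an added example, not pfSense or strongSwan code: it does a first-match SPD lookup over ordered policies and shows both directions of the flow with and without bypass entries for the local subnets. The four subnets are the ones in the post; the server address 172.16.123.10, the LAN client 172.16.9.20 and the Internet host 198.51.100.7 are assumed.

```python
"""First-match IPsec SPD model: why a catch-all Phase 2 swallows local traffic.

Added example, not pfSense/strongSwan code. Subnets are from the post; the
server, client and Internet addresses below are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Network
LOCAL_SUBNETS = [IPv4(n) for n in ("172.16.9.0/24", "172.16.121.0/24",
                                   "172.16.122.0/24", "172.16.123.0/24")]
SERVER_NET = IPv4("172.16.123.10/32")   # assumed server in LAB2
ANY = IPv4("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    src: IPv4
    dst: IPv4
    action: str  # "tunnel" (protect with IPsec) or "bypass" (forward normally)


def build_spd(bypass_local=False):
    """Ordered SPD: specific bypass entries first, then the catch-all tunnel policy."""
    spd = []
    if bypass_local:
        spd += [Policy(a, b, "bypass") for a in LOCAL_SUBNETS for b in LOCAL_SUBNETS]
    spd.append(Policy(SERVER_NET, ANY, "tunnel"))
    return spd


def lookup(spd, src, dst):
    """First matching policy wins; with no match the packet is routed normally."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if src in p.src and dst in p.dst:
            return p.action
    return "route"


def flow(spd, client, server):
    """(request action, reply action) for a client -> server exchange."""
    return lookup(spd, client, server), lookup(spd, server, client)


if __name__ == "__main__":
    for bypass in (False, True):
        spd = build_spd(bypass_local=bypass)
        print(f"bypass={bypass}: LAN<->server {flow(spd, '172.16.9.20', '172.16.123.10')}, "
              f"server->Internet {lookup(spd, '172.16.123.10', '198.51.100.7')}")
```

    Without bypass entries the result is ("route", "tunnel"): the request arrives, the reply disappears into the tunnel, and no firewall rule can change that because the SPD is consulted before routing. The fix is whatever carves the local subnets out of the catch-all on your platform (more specific policy entries that exempt them), or a route-based VTI tunnel, where the routing table rather than the selectors decides what enters the tunnel.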
  • IPsec not pinging machines on remote side which is running pfsense

    2
    0 Votes
    2 Posts
    400 Views
    L
    Keep in mind that if the pinged devices are Winblows machines, the ICMP protocol (ping) is fully blocked there by default in the local firewall. You explicitly need to allow ICMP traffic there in the setup! (local and remote IP ranges to "any" or your specific source LAN addresses) Also the Winblows firewall generally blocks all traffic which has different source IPs than the local network they are in. Keep that in mind if you need access to file sharing or printer services etc. So best practice is always to ping the local router interfaces or destination IPs of devices without a firewall, like printers, WLAN APs etc., from the Diagnostics --> Ping menu. This also makes sense because you can alter the source IPs to your local LANs here.
  • Site to Site IPsec IKEv2 MTU/MSS clarification

    4
    3
    0 Votes
    4 Posts
    1k Views
    T
    @awebster Thank you so much, great info. I've abandoned S2S for now, as I've spent way too much time on it and have to deal with a bunch of stuff that has piled up in the meantime. Mobile client is working (almost) perfectly, and I'm super pleased with the throughput. A couple of responses: oh boy have I rebooted. Managed switch is telling me 140 link state changes -- since the last time I rebooted the switch. :-) Mostly because I've read some messages with confusion about how to properly restart IPSEC, and reboot means it for sure restarted. MTU... no packet loss using Mobile Client, all defaults. My cable modem (remote side) is 1500. HQ is a fiber connection that I don't manage, but between pfSense and the USG Pro I have confirmed that it's 1500. Even so, it seems like I should have to account for encapsulation overhead.... but it seems to be working. I mean, maybe the USG is just handling the fragmentation well, but I feel like I would not have the performance that I'm getting if so. Cheers
  • Have the same problem

    1
    0 Votes
    1 Posts
    178 Views
    No one has replied
  • ipsec phase 2 goes up only if traffic initiate from one side

    4
    4
    0 Votes
    4 Posts
    617 Views
    M
    Hi Konstanti, have you seen the data? Regards, Maurizio
  • Tunnel dropping to Smoothwall

    1
    0 Votes
    1 Posts
    383 Views
    No one has replied
  • Random disconnections on IPSEC VPN

    1
    1
    0 Votes
    1 Posts
    250 Views
    No one has replied
  • IPSEC gateway loop and high latency

    2
    1
    0 Votes
    2 Posts
    397 Views
    R
    @rodrigocar said in IPSEC gateway loop and high latency: We have a PFsense as firewall+VPN and use IPSec to close a connection with our datacenter (Site to Site). We notice a high latency between us and our servers on the datacenter. This wasn't happening before; the problem started about 1-2 months ago. The ping response stays on 150ms and if I run a traceroute I notice that it passes through the GW (192.168.0.254) - 0.358ms, loops again to the GW (192.168.0.254) but the response time is 160ms and then arrives on the other side with a response time of 164ms. I've ruled out hardware and firewall rules problems because I installed PFsense on another machine from scratch and did only the IPSec configuration; the results were the same. I attached a print with the results. FYI PFSense 2.4.4-RELEASE-p3 Hardware CPU Type Intel(R) Xeon(R) CPU E5620 @ 2.40GHz 8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads Memory - 16GB Any help is welcome... thanks everyone!!! ipsec.png Can anyone help me with that problem?
  • VPN IpSec bandwith limited

    2
    0 Votes
    2 Posts
    362 Views
    T
    The tests I made were using UDP. I did the same with TCP and it seems there is a limitation at 25 Mb/s.
    udp test with public ip:
    root@client ~ # iperf -c public_ip -b 400M -u
    ------------------------------------------------------------
    Client connecting to public_ip, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 28.04 us (kalman adjust)
    UDP buffer size: 8.00 MByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 10012 connected with public_ip port 5001
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0-10.0 sec 500 MBytes 419 Mbits/sec
    [ 3] Sent 356661 datagrams
    [ 3] Server Report:
    [ 3] 0.0-10.0 sec 485 MBytes 406 Mbits/sec 0.064 ms 10375/356661 (2.9%)
    [ 3] 0.00-10.02 sec 18 datagrams received out-of-order
    root@client ~ #
    udp test with private ip:
    root@client ~ # iperf -c private_ip -b 400M -u
    ------------------------------------------------------------
    Client connecting to private_ip, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 28.04 us (kalman adjust)
    UDP buffer size: 8.00 MByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 33804 connected with 192.168.1.3 port 5001
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0-10.0 sec 500 MBytes 419 Mbits/sec
    [ 3] Sent 356660 datagrams
    [ 3] Server Report:
    [ 3] 0.0-10.3 sec 283 KBytes 226 Kbits/sec 611.953 ms 356462/356659 (1e+02%)
    root@client ~ #
    tcp test with public ip:
    root@client ~ # iperf -c public_ip -b 400M
    ------------------------------------------------------------
    Client connecting to public_ip, TCP port 5001
    TCP window size: 85.0 KByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 52622 connected with public_ip port 5001
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0-10.0 sec 30.4 MBytes 25.4 Mbits/sec
    root@client ~ #
    tcp test with private ip:
    root@client ~ # iperf -c private_ip -b 400M
    ------------------------------------------------------------
    Client connecting to private_ip, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 12658 connected with private_ip port 5001
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0-10.0 sec 29.5 MBytes 24.7 Mbits/sec
    root@client ~ #
    Very strange. Any idea?
  • Side to Side VPN fails because of wrong config but config is correct

    2
    0 Votes
    2 Posts
    516 Views
    K
    I could solve the problem: the configured remote address was wrong. But pfSense seems to have a standard config, because the log says that pfSense is using a %any config or something. Is that normal? Thanks! Ketanest
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.