• 1 PC access to different VLAN's VPN

    Moved
    4
    0 Votes
    4 Posts
    558 Views
    stephenw10S
    Yes, that will then carry only traffic between those specific hosts. Steve
  • ikev2 with ipsec but client side internet is not working

    9
    0 Votes
    9 Posts
    1k Views
    DerelictD
    The client decides what traffic to send over. I think there's a checkbox in the VPN settings. Some people use powershell.
  • NAT-T IPSEC VPN

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • IPSec route only some traffic through tunnel

    6
    0 Votes
    6 Posts
    770 Views
    DerelictD
    For the Mac, try setting up the VPN using a profile instead of manually. It sometimes behaves differently.
  • Internet Over IPSec- Web Filter

    2
    0 Votes
    2 Posts
    411 Views
    B
    I ended up setting up a wpad.dat file and configuring dhcp option 252 and dns wpad A record for auto proxy config to work around this. Would have preferred inline/transparent filtering but it will work for now.
  • VPN between PfSense and Mikrotik IPsec no Phase2

    ipsec vpn mikrotik pfsense
    7
    19
    0 Votes
    7 Posts
    11k Views
    P
    Solution can be found here: IPsec to Mikrotik
  • pfsense LDAP ipsec authentication not working

    Moved
    14
    0 Votes
    14 Posts
    2k Views
    stephenw10S
    Indeed, for mobile it's hard to beat. If you need to use only included clients (in Windows) it's IKEv2 with EAP-MSCHAPv2 and that can be painful. https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html Steve
  • ipsec can't connect

    2
    0 Votes
    2 Posts
    661 Views
    K
    @hamed_forum Hey. "Host 88.88.88.88 does not respond to a sent packet": you need to check the settings on the other side of the tunnel.
  • IPSec connection with NAT/BINAT translation

    3
    1
    0 Votes
    3 Posts
    1k Views
    DerelictD
    That looks fine. The other side will create a tunnel for:
    Local: 192.168.68.0/24
    Remote: 192.168.172.0/24
    There will be a 1:1 mapping between 172.16.10.0/24 and 192.168.172.0/24 on your side. If you connect from 172.16.10.135 on your side, they will see it coming from source 192.168.172.135 on their side. If they connect to 192.168.172.23, they will actually get 172.16.10.23 on your side.
    You cannot ping the 192.168.172.10 address directly because it does not actually exist on the firewall itself. It is only used for NAT through IPsec. You will have to test using traffic that is actually flowing through IPsec. Pinging 192.168.172.1 from the other side (which will actually ping 172.16.10.1 on your firewall) should work as long as it is allowed by the firewall rules on your end and you are sourcing it from something in 192.168.68.0/24 on their end.
  • IPSec tunnel to Unifi USG up but no traffic passes

    6
    0 Votes
    6 Posts
    2k Views
    M
    When I make an IPsec between two pfSense routers I can ping both sides of the tunnel from the pfSense UI. Are you sure you don't still have a subtle config error or issue?
  • Route Internet Traffic over S2S VPN

    5
    0 Votes
    5 Posts
    668 Views
    L
    Perfect works a treat, thank you @Derelict
  • IPSec Blocked - Multiple PF on one LAN

    3
    0 Votes
    3 Posts
    536 Views
    ArmstrongA
    Issue solved in the end. Solution was to route WAN out on OPT1 (internet access) and add rules to allow only tunnel traffic via the IPSec wall.
  • P2 subnet overlap

    8
    0 Votes
    8 Posts
    1k Views
    W
    @JeGr said in P2 subnet overlap: "So I could probably have two phases with identical remote network (say 192.168.0.0/24) for two different customers with different local networks (each customer its own project network) and as they are in different P1/P2 combinations they wouldn't interfere with each other?"
    That matches exactly my use case! To be honest, there already was some remote subnet overlap. Normally I would ask the other end to do some NAT before IPsec to prevent overlap, but I missed it on a couple of occasions and it just seemed to work. I asked just to make sure it was supposed to work that way.
  • Calculating expected IPsec performance based on processor specs

    2
    0 Votes
    2 Posts
    944 Views
    kiokomanK
    I think there is, but there is always someone else that can do it for you :)

    AES Performance per CPU core for TLS v1.2 Ciphers (Higher is Better, Speeds in Megabytes per Second)

    CPU                   ChaCha20  AES-128-GCM  AES-256-GCM  AES-128-CBC  AES-256-CBC  Total Score
    AMD Ryzen 7 1800X          573         3006         2642         1513         1101       = 8835
    Intel W-2125               565         2808         2426         1698         1235       = 8732
    Intel i7-6700              585         2607         2251         1561         1131       = 8135
    Intel i5-6500              410         1729         1520         1078          783       = 5520
    Intel i7-4750HQ            369         1556         1353          688          499       = 4465
    AMD FX 8350                367         1453         1278          716          514       = 4328
    AMD FX 8150                347         1441         1273          716          515       = 4292
    Intel E5-2650 v4           404         1479         1286          652          468       = 4289
    Intel i7-2700K             382         1353         1212          763          552       = 4262
    Intel i7-3840QM            373         1279         1143          725          520       = 4040
    Intel i5-2500K             358         1274         1140          728          522       = 4022
    AMD FX 6100                326         1344         1186          671          481       = 4008
    AMD A10-7850K              321         1303         1176          685          499       = 3984
    AMD A8-7600 Kaveri         306         1246         1108          648          470       = 3778
    Intel E5-2640 v3           303         1286         1126          585          419       = 3719
    AMD Opteron 6380           293         1203         1063          589          423       = 3571
    AMD Opteron 6378           282         1138          986          561          406       = 3373
    AMD Opteron 6274           232         1054          926          524          376       = 3112
    Intel Xeon E5-2630         247          962          864          541          394       = 3008
    Intel Xeon E5645           262          817          717          727          524       = 3047
    Intel i7-2635QM            151          989          881          564          404       = 2989
    Intel Xeon L5630           225          701          610          626          450       = 2612
    Intel E5-2603 v4           236          866          754          382          274       = 2512
    AMD Opteron 2382           249          651          485          215          150       = 1750
    Intel i7-950               401          256          218          358          257       = 1490
    AMD Phenom 965             404           84           63          282          198       = 1031
    Intel Core2 Q9300          231          126          133          221          161       =  872
    AMD X4 610e                225           59           44          198          139       =  665
    Intel Core2 Q6600          173          141           79          108           77       =  578
    Intel P4 3Ghz Will         109           26           23           55           43       =  256
    Intel ATOM D525             98           51           43           28           20       =  240
    Snapdragon S4 Pro          131           41            -            -            -       =  172
    ARM Cortex A9               73           24            -            -            -       =   97

    Testing Notes:
    - LibreSSL 2.5.0 (~ OpenSSL 1.0.2d)
    - FreeBSD 11; Clang LLVM compiler
    - AES-NI acceleration enabled if allowed by the CPU
    - Speeds in megabytes per second (MB/s) per real CPU core
    - 8192 byte blocks
    - Five (5) test runs, the average speed reported
    - Snapdragon and ARM Cortex values reported by Google Developers
  • IPSEC VPN WITH NAT S2S

    4
    0 Votes
    4 Posts
    777 Views
    JeGrJ
    @flimadigital said in IPSEC VPN WITH NAT S2S: "This ip has a configured NAT that takes everything from 192.168.249.29 and plays to the network 192.168.200.0/24"
    I don't exactly understand what you mean by this, but I assume the client wants your clients to connect via a single IP (192.168.249.29) so it can create firewall rules accordingly. To do that, you have to NAT your connection in your phase 2 settings.
    Your client's P2:
    - local network: 192.168.200.0/24
    - remote network: 192.168.249.29/32
    - etc. etc.
    Your own P2 setting:
    - local network: 172.16.0.0/16
    - NAT setting enabled with "address" selected: 192.168.249.29 (/32)
    - remote network: 192.168.200.0/24
    Hope that clears it up and I understood correctly that you want to NAT to a single IP.
  • Valid configuration for IKEv2 VPN for iOS and OSX

    68
    0 Votes
    68 Posts
    59k Views
    I
    After months of a working VPN my HDD was destroyed and I had no backup. I used the bad thing to turn it into something good: a clean pfSense and a perfect setup. But now I have some trouble with the encryption.
    I currently use for Phase 1: AES 256 bits, SHA384, DH: 20
    And for Phase 2: AES 256 bits, SHA384, DH: 20
    Is this secure enough? When I try to follow the tutorial it doesn't work. The Hash algorithm is also grey in Apple Configurator when I choose AES-256 GCM. Where is my mistake?
  • 0 Votes
    10 Posts
    1k Views
    viktor_gV
    @0daymaster set MTU to 1380 or 1400 on both sides.
    pfSense supports AES-NI and cryptodev accelerators, see https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerator-support.html
    SG-3100 and above Netgate appliances have crypto accelerators: https://store.netgate.com/pfSense/systems.aspx
  • IPSEC Mix IKEv2 with EAP-MSCHAPv2 and XAUTH in the same box?

    3
    0 Votes
    3 Posts
    681 Views
    perikoP
    @jimp good to know, thanks jimp.
  • ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps

    16
    0 Votes
    16 Posts
    2k Views
    R
    @Derelict said in ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps: "You absolutely need split tunneling enabled to do multiple IKEv2 selectors to an ASA. The ASA is the reason that checkbox exists in the first place. So leave that enabled."
    I figured as much and haven't turned this off.
  • Install Lifetime of Ipsec Side2Side VPN

    1
    0 Votes
    1 Posts
    256 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.