• Windows 11 IPSec ESP no acceptable proposal found

    7
    0 Votes
    7 Posts
    2k Views
    keyserK

@lifeboy When editing the Phase 1 and Phase 2 settings, only one encryption setting is enabled in both:
AES256 using SHA256 with DH14:

  • all VPN IPSEC connections are down suddenly

    4
    0 Votes
    4 Posts
    336 Views
    P

    @viragomann

    Hello @viragomann

    Please see details logs on attachment filelog-ipsec-details-pfsense.txt

    Thank you for your help

    Regards

  • Phase 2 drops

    1
    0 Votes
    1 Posts
    146 Views
    No one has replied
  • 0 Votes
    2 Posts
    209 Views
    J

Turns out, it was me. I mistakenly upgraded the secondary node to 2.7.2, but forgot to upgrade the primary node, which was still on 2.7.0. HA sync was not working due to this error, so this was not a pfSense problem, it was a me problem :)

  • 0 Votes
    3 Posts
    496 Views
    L

@michmoor I've found the problem. When my P1 has multiple P2s, it always gets disconnected. I don't know why it's happening on the latest pfSense version.

  • IPSec behind NAT

    11
    0 Votes
    11 Posts
    927 Views
    X

@viragomann Before routing the server's traffic, I would like PFSense01 and PFSense02 to ping each other on the VTI interfaces, because in the screenshot I showed before, PFSense01 has 0 outbound packets, and I don't know why.

  • IPSec widget: misleading status, maybe

    1
    0 Votes
    1 Posts
    156 Views
    No one has replied
  • Issues: PFSense VTI X SonicWall

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • 0 Votes
    3 Posts
    262 Views
    T

    Forgot to mention Site A uses Cox Cable and Site B uses Comcast.

  • Editing ipsec.conf

    1
    0 Votes
    1 Posts
    127 Views
    No one has replied
  • IPSec Hub and Spoke Topology

    2
    0 Votes
    2 Posts
    1k Views
    O

    On the Fortinet router make sure you have the necessary firewall policies and the source/destinations for each policy are set up correctly.

    Please also reference my post on this thread: https://forum.netgate.com/post/1169622

The correct way to set up a hub/spoke topology in a multi-platform setting would be to use 0.0.0.0/0 routing via IPsec interfaces. However, this was broken in 24.03 and I'm afraid it will be broken in 2.8.0 CE as well, despite this functionality having been there for years and working flawlessly.

  • Ipsec behind NAT to Public IP

    5
    0 Votes
    5 Posts
    580 Views
    P

@viragomann They are all set to any already. That was my exact thinking: get them up and then tighten them down once they were up.

  • VTI gateways not adding static routes in 24.03

    88
    0 Votes
    88 Posts
    16k Views
    O

    I thought I'd do some further testing with earlier versions of CE, specifically 2.6.0.

I'm happy to report that 0.0.0.0/0 works identically to 2.7.2. That version was released at the beginning of 2022.

  • Trust Relationship with primary DC broken

    1
    0 Votes
    1 Posts
    640 Views
    No one has replied
  • IPSec Failover - Primary and Secondary Tunnels?

    1
    0 Votes
    1 Posts
    189 Views
    No one has replied
  • IPsec VPN with Active Directory RADIUS/NPS and 2FA

    4
    0 Votes
    4 Posts
    967 Views
    C

    I found the missing link!

    On the NPS server, I had to set the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMf Create the following String/Value pair: Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP Value = FALSE

    Then I had to restart the Network Policy Service and BINGO! I got the approve sign-in notification on my phone when I tested the RADIUS logon. Because I had number matching turned on in my tenant, the extension was falling back to TOTP which obviously won't work with MSCHAPv2.

    See this link:
    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match#nps-extension

  • IPSEC VPN AZURE VTI

    2
    0 Votes
    2 Posts
    376 Views
    LarryFahnoeL

    Have you read https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html?

    That doc suggests configuring a transit network (which could be a /30), and that the two endpoints of the transit network would be configured as ADDRESS rather than NETWORK in the P2.

    You don't mention which version you're running, but if you are on 24.03, note this thread https://forum.netgate.com/topic/188214/vti-gateways-not-adding-static-routes-in-24-03/. There is a patch to address the issue of the necessary static routes not being added.

    --Larry

  • AWS VPN Wizard does not assign P2 reqid resulting in broken tunnels

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • pfSense 2.7.2 IKEv2 MS-ADCS

    2
    0 Votes
    2 Posts
    322 Views
    C

    @nzlv
Your Virtual Net Address pool is not configured correctly. The 24 should be in the drop-down and not in the IP range. I have to wonder if this is somehow messing things up routing-wise.

Also, I think you may want to check the "Provide a list of accessible networks to clients" option on the Mobile Clients tab.

  • 0 Votes
    2 Posts
    295 Views
    A

@Anders-Mogensen-0 After many hours of troubleshooting, I found a "rogue" unit on the network with the same IP!
But it is still strange that disabling the WAN1 port would make everything work as expected...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.