Thanks, it increased to about 27-28mbps average with peaks of 30mbps Any more tips to squeeze a little more speed? Thanks!

@vistatech said in routing specific packets through IPSEC gre tunnel: 10.1.1.20 Hey And why is outgoing NAT used ? Try disabling it . I have a similar scheme and everything works fine without NAT. The question such, Pfsense can ping a host 10.1.1.20 ?

Have not used sonicwall in many many years. But since I create pfx with openssl all the time and use these on other devices that are road warrior connections. IOS devices for example - it shouldn't be a problem. An openvpn client is an openvpn client in the big picture.

Or you could just use FreeRadius like I suggested and not have to mess about with text files.

@lmhaydii said in IPSec connection established and trafic is outgoing, but no ongoing response: @derelict thank you. How can I determine with certitude that thier response or thier request are not arriving to my firewall ? There is any command to show up that ? Yes. A packet capture. You have done that. That would be enough for me. If you want more certainty, pcap on WAN for protocol ESP. You will see your pings (encrypted) go out but nothing come back from their side. If you are going across NAT (NAT-T) you will need to capture UDP 4500 instead of protocol ESP.

32ms across IPsec? If so it sounds like you're getting right about what you should for a single-stream TCP session with 32ms latency and a 128KB buffer. That is probably a little high since you have the 30Mbit upstream at one end and certainly not a 1460 MSS across IPsec. Bandwidth-delay Product and buffer size BDP (1000 Mbit/sec, 32.0 ms) = 4.00 MByte required tcp buffer to reach 1000 Mbps with RTT of 32.0 ms >= 3906.2 KByte maximum throughput with a TCP window of 128 KByte and RTT of 32.0 ms <= **32.77 Mbit/sec.** You could try giving a -P4 or -P8 to the iperf client to see if running multiple streams helps. Or switch to UDP and see how high you can take the -b parameter before you start experiencing loss.

@mountainlion I'm using 1200 as MSS because it's required by my datacenter (DoS Protection)

Thanks. Turn out running an outdated pfSense version wasn't helping my case. Now I just need to figure out how to set it up so it works with Azure.

You mean like this? https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html

Jan 11 10:21:26 charon 05[NET] <con1000|17> received packet: from 173.220.x.x[500] to 50.196.x.x[500] (380 bytes) Jan 11 10:21:26 charon 05[ENC] <con1000|17> parsed QUICK_MODE request 3356035729 [ HASH SA No KE ID ID ] Jan 11 10:21:26 charon 05[ENC] <con1000|17> received HASH payload does not match Jan 11 10:21:26 charon 05[IKE] <con1000|17> integrity check failed Jan 11 10:21:26 charon 05[ENC] <con1000|17> generating INFORMATIONAL_V1 request 3233859265 [ HASH N(INVAL_HASH) ] Jan 11 10:21:26 charon 05[NET] <con1000|17> sending packet: from 50.196.x.x[500] to 173.220.x.x[500] (76 bytes) Jan 11 10:21:26 charon 05[IKE] <con1000|17> QUICK_MODE request with message ID 3356035729 processing failed Jan 11 10:21:26 charon 05[NET] <con1000|17> received packet: from 173.220.x.x[500] to 50.196.x.x[500] (92 bytes) Jan 11 10:21:26 charon 05[ENC] <con1000|17> parsed INFORMATIONAL_V1 request 2703109558 [ HASH D ] Jan 11 10:21:26 charon 05[IKE] <con1000|17> received DELETE for IKE_SA con1000[17] Jan 11 10:21:26 charon 05[IKE] <con1000|17> deleting IKE_SA con1000[17] between 50.196.x.x[50.196.x.x]...173.220.x.x[173.220.x.x] Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: ESTABLISHED => DELETING Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: DELETING => DELETING Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: DELETING => DESTROYING Your side does not like the traffic selector in the P2 being sent by the other side. Please send the output from each of these on each node - the one that's working and the one that isn't: swanctl --list-conns swanctl --list-sas cat /var/etc/ipsec/ipsec.conf Send them in chat or I can send you a nextcloud upload link.

@konstanti The secondary Peer with the 96.65.x.x address is the office we setup to test the connection. The 96.65.x.x is the address for the SG-3100 that works, while the 50.196 address is the SG-3100 I'm having trouble with. The 173.220 address is the address for the Cisco router.

@sgw said in IPSEC tunnel config works on 2.4.3p1, not on 2.4.4p1: seems like: we then tried swapping pfsenses again and additionally rebooted the Hitron "modem" in front of the pfsense. Tunnel came up immediately. So I assume there are some MAC-based filters built at bootup or something like that. Right. On the modem. You always have to reboot an upstream ISP device when you change the hardware behind it. Or at least it's a good idea especially if you have problems changing devices around. I usually: Disconnect the WAN patch cable between the modem and the WAN port Power cycle the upstream device and let it sync up and "go green" again Connect the modem to the new WAN port. This is primarily for normal US cable modems. Any ISP "Residential Gateway" might have other requirements.

Hello, I have the same problem. @jimp : i don't understand your solution. Can you explain me with more details please ? I made a schema : [image: 1547127771405-pfsense.png] thank you very much if you can help me because I'm stuck. Ludo.

Have a look here: https://forum.netgate.com/topic/95361/solved-cross-platform-ikev2-vpn-no-dns-on-linux-mac-ios/7 Note that the basic problem of Split DNS with Split Tunnel in IKEv2 is work-in-progress regarding RFC standards. https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-16

That is correct.

If you have the same subnet as the other side, both sides have to NAT to something else, else one side will think the other side is actually on its local subnet.

Hi, your machines uses s.o windows ? in that case turn off the firewall each and check pin to the other machine