• HELP! I lose internet after establishing a VPN IPsec link

    Moved
    1
    0 Votes
    1 Posts
    175 Views
    No one has replied
  • Mixed Main / Aggressive negotiation mode possible?

    6
    0 Votes
    6 Posts
    1k Views
    jimpJ

    No, though I would expect Aggressive mode to allow main to work (since it's more secure), but clearly it isn't working there given that error.

    You can't pick both main and aggressive in a single P1, and there isn't a way to define more than one mobile P1.

  • forceencaps switch

    2
    0 Votes
    2 Posts
    466 Views
    jimpJ

    In the P1 settings set NAT Traversal to force.

    That will put forceencaps = yes in the config for that tunnel.

  • ipsec tunnel - no traffic from client side

    1
    0 Votes
    1 Posts
    269 Views
    No one has replied
  • IPSEC Permission? issue…

    16
    0 Votes
    16 Posts
    6k Views
    DerelictD

    Start your own thread.

  • IPSEC Encryption Proposals dont change

    3
    0 Votes
    3 Posts
    486 Views
    M

    I found it configured the encryption settings properly for phase 1 when the configuration for phase 2 was done.

    Thanks for the follow up. The issue was just me not configuring the VPN properly.

  • VPN IPsec site_to_site with Cisco router issue

    5
    0 Votes
    5 Posts
    864 Views
    A

    C2811 is not a Cisco ASA, but try to follow this guide:

    IPsec between pfSense and Cisco ASA: Setting up a cross-vendor IPsec VPN is sometimes tricky, due to differences in protocol implementations. There are several important nuances here:

    Do not use auto-negotiation at all. Set the parameters manually. Usually it is aes128-sha1 and pfsgroup 2 or 5.

    Make sure the P2 settings describe exactly the same networks, because the ASA demands that the IPsec Proxy ID be the same on both devices; it is composed from the P2 networks, so they must be the same. E.g. local:10.0.0.0/24 remote:10.1.0.0/24 on one side and local:10.1.0.0/16 remote:10.0.0.0/24 on the other is wrong, even though formally network connectivity is possible for them in some way.

    Cisco ASA uses a list of policies for matching a possible policy. This might cause an additional problem. Set the desired policy at the top of the list, e.g. esp-aes128-sha1 pfsgroup 2 has to have the 1st sequence number.

  • VPN over VPN?

    10
    0 Votes
    10 Posts
    2k Views
    E

    Thanks, I needed this and could make it work too.

  • 0 Votes
    9 Posts
    2k Views
    E

    Here is my solution;

    The VPN connection is used to call web services (SOAP) of the remote site.
    To check every connection I created a class derived from SoapHttpClientProtocol, from which the web service references are derived, and edited all service references so they derive from the new class NWSoapHttpClientProtocol.

    C# code

    using System;
    using System.Diagnostics;
    using System.Reflection;
    using System.Web.Services.Protocols;

    // EventLogger and LogType are the poster's own logging helpers, not part of .NET.
    public class NWSoapHttpClientProtocol : SoapHttpClientProtocol
    {
        // Hides SoapHttpClientProtocol.Invoke so that generated proxies derived from
        // this class retry the call once after renewing the local IP address.
        protected new object[] Invoke(string methodName, object[] parameters)
        {
            try
            {
                return base.Invoke(methodName, parameters);
            }
            catch
            {
                RenewLocalIP();
                return base.Invoke(methodName, parameters);
            }
        }

        private void RenewLocalIP()
        {
            try
            {
                // Release and renew the DHCP lease so traffic is routed over the VPN again.
                RunIpconfig("/release");
                RunIpconfig("/renew");
                EventLogger.Log(LogType.Information, MethodBase.GetCurrentMethod(), "Renewed Local IP");
            }
            catch (Exception ex)
            {
                // Log the innermost exception message.
                while (ex.InnerException != null)
                {
                    ex = ex.InnerException;
                }
                EventLogger.Log(LogType.Error, MethodBase.GetCurrentMethod(), ex.Message);
            }
        }

        // Runs "ipconfig <arguments>" hidden and waits for it to finish.
        private static void RunIpconfig(string arguments)
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo();
            processStartInfo.FileName = "ipconfig";
            processStartInfo.Arguments = arguments;
            processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            Process process = Process.Start(processStartInfo);
            process.WaitForExit();
        }
    }

    The InvokeAsync methods of SoapHttpClientProtocol can also be implemented the same way.

  • IPSEC VTI and traffic shaper

    2
    0 Votes
    2 Posts
    619 Views
    jimpJ

    No, you cannot use it with ALTQ.

    You could use limiters, however.

  • IPSec issues

    16
    0 Votes
    16 Posts
    4k Views
    DerelictD

    No idea what the Mikrotik will do but, yes, both sides need to support it. Set a maintenance window, try it, and see.

  • [SOLVED] IPSec status vs GUI

    3
    0 Votes
    3 Posts
    499 Views
    A

    Thank you for your insight @jimp. I just changed the keyword in my script (to monitor VPN tunnels on Zabbix) to know if the tunnel is up to "rekeying" instead of "ESTABLISHED".

    If you wanna take a look: https://github.com/alanwds/zabbix_ipsec_pfsense

    Thank you so much.

  • [Solved] No IPSEC connection after 2.4.4 upgrade to some hosts

    5
    0 Votes
    5 Posts
    706 Views
    jimpJ

    There isn't an IPsec traceroute exactly, but you can use hping to get a similar effect.

    For example, to see how far ESP (tunneled traffic) makes it, run this command:

    $ hping -0 1.2.3.4 -H 50 -d 10 -t 1

    Replace 1.2.3.4 with the far side, and increase the -t value until you do not get a response. That's where it gets dropped. I see -T in the hping settings now and it might be helpful as well.

    If the tunnel won't connect at all, however, that would be a simple UDP test for port 500 and 4500. For that you can probably use a traditional traceroute command with -P UDP -p 500 and again for -p 4500.

  • IPSec VPN Routing Issue

    3
    0 Votes
    3 Posts
    698 Views
    johnpozJ

    2.3.2... I just don't get this.. Why would you not be on at least 2.3.5p2? 2.3.2 is no longer supported.. And to be honest the 2.3.x line is EOL here soon.. Like tmrw ;)

    https://www.netgate.com/blog/pfsense-release-2-3-x-eol-reminder.html

  • How to configure IKev2+radius authentication

    17
    0 Votes
    17 Posts
    1k Views
    O

    Thank you for the good information. I'm sure I'll succeed.

  • pfSense IPSec VPN to non-pfSense with dual peer

    2
    0 Votes
    2 Posts
    421 Views
    jimpJ

    Not easily. You can make a VPN to a hostname, and if the remote peer can update the hostname when a failover happens, that can trigger a failover.

    There isn't a way to use both peers at once at the moment though, not with tunneled IPsec.

    With routed IPsec (VTI) you could nail up a tunnel to both peer addresses and use a routing protocol like OSPF or BGP to decide when to fail over.

  • 2.4.4 Multiple tunnels to same endpoint

    3
    0 Votes
    3 Posts
    485 Views
    A

    @jimp said in 2.4.4 Multiple tunnels to same endpoint:

    When you make a P1 to a remote peer, it adds a static route to that peer out the chosen interface.

    Ah ha, that explains the behaviour!

    Forgive my naivety, but why is the static route required? Is there another mechanism we could use to make sure the connection exits via the right interface? I am imagining something similar to PBR but for host traffic...

  • 0 Votes
    4 Posts
    769 Views
    V

    Thank you very much for your suggestion. I've reconfigured the tunnel to use VTI and since some days it stays quite stable. The routing seems to work fine for all subnets.

  • ipsec port 1024 problem

    2
    0 Votes
    2 Posts
    481 Views
    jimpJ

    That is probably what the far side used to contact you. pfSense will reply back to whatever port the far side used, since it was probably run through NAT or had some other similar translation done along the way.

    There may not be anything you can do about that on your side, the far side probably needs to fix whatever is changing that port.

  • IPSec mobile clients with static IP

    2
    0 Votes
    2 Posts
    395 Views
    NogBadTheBadN

    RADIUS. I think the AD server can provide RADIUS; you'll also need to set up framed IP addresses.

    I use the inbuilt RADIUS server; my user configs look something like this:

    "andy" Cleartext-Password := "xxxxxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027"
        Framed-IP-Address = 172.16.8.2,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.8.1 1"

    "Fred" Cleartext-Password := "xxxxxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027"
        Framed-IP-Address = 172.16.8.3,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.8.1 1"

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.