• L2TP/IPSec routing to other subnets

    3
    0 Votes
    3 Posts
    972 Views
    I did this so when I use OpenVPN I can also access other subnets I want that are connected with ipsec. On the PFSense I OpenVPN to, which is connected to all the ipsec tunnels, I add a phase 2 entry with local subnet of OpenVPN, e.g. 10.0.10.0/24, and remote subnet of whatever is on other side. On the other side, I use the remote subnet of OpenVPN, e.g. 10.0.10.0/24. One site is an old Cisco RV042 I have a tunnel from my PFSense... so what I did was I added the phase 2 on PFSense, but had to create a new site to site VPN tunnel on the RV042 and just different settings for the phase 2, this is because I cannot add multiple phase 2 to VPN on RV042 - I am surprised that it worked.
  • Site to Site IPsec tunnel with Cisco and pfsense

    20
    0 Votes
    20 Posts
    4k Views
    Hi, again! I have a little question about the above configuration! I calculated the MTU over the ipsec tunnel and enabled 'Enable MSS clamping on VPN traffic' with a value of 1486! Over the ipsec tunnel, clients can see 2 LANs without any problem, but a GRE or l2tp/ipsec connection seems to have an MTU problem. My clients on the remote LAN use a Windows l2tp/ipsec connection to connect to another VLAN on the main site over the Cisco-pf ipsec tunnel, but cannot access some services like https or big objects like images on http. It seems to be an MTU problem!? BTW, my ipsec tunnel on the Cisco side runs over a PPPoE connection. I set 'ip mtu' and 'ip tcp adjust-mss' in the pppoe interface! Any help?!
  • 0 Votes
    2 Posts
    431 Views
    I did go to the 172 router and add a default route of the lower PFS... and it works, but there are a few PFS connected to each other off the lower PFS, all via OSPF. I didn't want to use static as if lower goes away, the static may blackhole and not use other ABR's.
  • Azure IPSEC to PFSense connected but no traffic

    2
    0 Votes
    2 Posts
    578 Views
    @genesis_mp Solution was so simple! The servers on Datacenter 1 had a static route in the network configuration to go over the external firewall for this kind of subnet... Changed the static routing with -p and all worked!
  • IPSEC over PPPOE VIPs not working

    5
    0 Votes
    5 Posts
    1k Views
    Hi, @syndicate604's coworker here. Could anyone confirm if there's any restriction when using IP Alias as IPsec VPN? I think we checked various things but we might have missed something. Our setup is: Hardware: XG-7100 Desktop BIOS: ADI_PLCC-01.00.00.10 2.4.4-RELEASE As @syndicate604 said, everything but IPsec VPN seemed fine. The connection to ISP (via PPPoE) was up. Internet access using NAPT was fine. We'll try it again for further investigation, but before doing this we'd like to make sure it's a supported setup. Thanks,
  • GRE tunnels over IPSEC, changing routing for failover?

    3
    0 Votes
    3 Posts
    800 Views
    pfSense has VTI mode IPSEC - how cool is that? I'm off to play with some test boxes... :-) For anyone else reading this thread, I found docs here
  • Only Windows won't connect to IPSEC Tunnel

    2
    0 Votes
    2 Posts
    2k Views
    To my knowledge Windows 10 does not support IKEv1 anymore, at least it is not listed in the article below and you have no GUI setting besides "automatic" which could match. https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-connection-type You should use IKEv2 or use some third-party client software on Windows.
  • Any chance to speed up bugfix?

    4
    0 Votes
    4 Posts
    775 Views
    Thanks, I will see how to create a bounty.
  • Dual Stack IKEv2 on virtual IP

    2
    0 Votes
    2 Posts
    459 Views
    This is to my knowledge a limitation of the GUI. You can only choose Dual-Stack with an Interface which has both IPv4 and IPv6 assigned, a VIP is either IPv4 or IPv6. We have changed our setup to use the WAN IPv4 / IPv6 as VPN Endpoint and use VIP for the other Services, mostly for NAT which is IPv4 only anyway.
  • Kerio + Pfense / ipsec

    1
    0 Votes
    1 Posts
    411 Views
    No one has replied
  • IPSEC Mobile tunnel only establishes after ping.

    ipsec vpn pfsense
    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • PfSense 2.4.1 - ikev2 IPSEC tunnel under load crashes whole firewall VM

    30
    0 Votes
    30 Posts
    7k Views
    Just wanted to confirm here that the AES-GCM crashes with AES-NI on our SG-8860 are indeed gone now on pfSense 2.4.4. No crashes since I restarted testing AES-GCM a few weeks ago.
  • 0 Votes
    2 Posts
    404 Views
    jimp
    No, pfSense can't use that style of connection for a site-to-site link. L2TP/IPsec is a mobile/remote access style, it wouldn't allow two-way communication between the LANs on either end.
  • Swanctl --list-conn output does not match IPsec status.

    1
    3
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • IPSec connection fails

    4
    0 Votes
    4 Posts
    1k Views
    Babiz
    Nice to see @jens9 you "solved" your issue, don't worry about my psk, I regenerate it periodically. My vpn in truth is pfSense to pfSense, and so is very interesting about your ipsec configuration discovery, you have check this kind of behavior, and top of all, opnSense might to be working fine, better than pfSense do. Lool! Hope in meantime some developers like @jimp look at this strange thing about dealing with ipsec internals. Best regards.
  • How to restart specific vpn tunnel via cli

    7
    0 Votes
    7 Posts
    4k Views
    ejaj
    @konstanti Sir, you are truly a genius, it is working for us. Thank you so so much.
  • 0 Votes
    1 Posts
    433 Views
    No one has replied
  • [SOLVED] IPSEC VPN NAT - ADD NETWORK TO VPN

    9
    1
    0 Votes
    9 Posts
    1k Views
    Oh!!! Genius... Thank you... Problem solved.
  • DNS request REFUSED over IPSec tunnel

    4
    0 Votes
    4 Posts
    844 Views
    @nkamennoff Thanks for the update and the up-vote.
  • IPSec tunnel - No traffic

    49
    0 Votes
    49 Posts
    16k Views
    Derelict
    Thanks for coming back with the note.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.