• [Solved] Windows Share not working but SMB-share on Linux Server working

    0 Votes
    11 Posts
    2k Views

    I changed Phase 2 on both ends:
    Local network: "Network" and not "XYZ subnet"
    And I disabled hardware checksum offload.

    Now I am able to reach the shares of at least one of the Windows 10 machines. The other machine still has a Bitdefender firewall running, which I will try to turn off to see if that also works.

    EDIT:
    I was able to turn off the Bitdefender firewall again. Voila: shares are accessible through the tunnel.

    So for all virtual-machine-driven pfSense installations on QNAP: turn off hardware checksum offload, and in IPsec tell it exactly which networks you are running. Do not trust the "XYZ subnet" option.

  • Route inbound WAN traffic to server on remote tunneled network

    0 Votes
    17 Posts
    1k Views
    johnpoz

    What about just bringing up another IPsec tunnel to the other location(s) that would need access?

  • Mobile client traffic not routing through vpn for some networks

    0 Votes
    1 Post
    284 Views
    No one has replied
  • Site to Site VPN - Cannot ping remote lan

    0 Votes
    5 Posts
    787 Views

    DOH!!

    Thanks for the second pair of eyes. It was that the remote network was set to "Address" instead of "Network".

    Changed that and all is working well. :)

  • IPSec for mobile users not working with strongswan-nm

    0 Votes
    2 Posts
    836 Views

    So, after trying a lot last weekend I finally have this working. As always, RTFM helps a lot.

    One problem was that I used the server cert instead of the CA cert in the client; another problem was that I somehow put in 0.0.0.0/24 instead of 0.0.0.0/0 as described in the manual. In hindsight I really don't know what I was thinking.

  • Routed IPSEC Question

    0 Votes
    13 Posts
    2k Views

    My issues were related to the transport network. It seems that regardless of the transport network's mask (we tested with /30), it treated it like a /24. Once we moved to using a separate full /24 for each IPsec tunnel, OSPF came right up.

    Thank you for all of the help, this made my life a lot easier.

  • Error with AWS Wizard

    0 Votes
    2 Posts
    444 Views
    jimp

    I pushed a fix for that just now, give it a try when the update shows up

    That particular error was because the aliases section of the config was empty. I saw a few more similar pitfalls and fixed them all.

  • IPsec with Smoothwall connects but drops with traffic

    0 Votes
    1 Post
    309 Views
    No one has replied
  • ipsec tunnel with nat at 1 site

    0 Votes
    2 Posts
    464 Views
    Derelict

    @godfried84 said in ipsec tunnel with nat at 1 site:

    Site A
    Phase 1
    My Identifier: IP address: manually set to WAN IP of Router/Firewall of ISP site B

    Why would you set my identifier to be the IP address of the other side?

  • 2.4.4 ipsec service doesn't start automatically

    0 Votes
    2 Posts
    361 Views

    Figured out a shellcmd was hanging after the update, which was stopping the service from starting on its own.

  • Routed IPSEC - routing internet activity from one site to another

    0 Votes
    15 Posts
    1k Views
    jimp

    It's all routed; you can set up as many static routes as you want, or even use a routing protocol like OSPF or BGP. No need to specify the networks to carry in IPsec at all.

  • 0 Votes
    2 Posts
    621 Views

    You could also do this by supernetting the phase 2 if your local/remote networks are all within a non-overlapping range.

    In your example you could use 192.168.4.0/22 (192.168.4.0 <-> 192.168.7.255) for your local subnet on the phase 2, and 192.168.8.0/21 (192.168.8.0 <-> 192.168.15.255) for the remote subnet on the IPsec tunnel.

    You would then just create firewall rules at the IPsec level to govern the /24 subnets within those networks and how they talk to each other.
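    As an added example (not part of the forum post above), the following Python script does the supernetting check the reply describes: it computes the smallest single prefix that covers each side's list of /24s, refuses the plan if the local and remote supernets overlap, and lists any /24s the supernet would carry that were not in the original list, since those are the ones that still need firewall rules on the IPsec interface. The inputs are constructed to mirror the post (four local /24s, eight remote /24s); the script assumes aligned IPv4 /24s and uses only the standard library.

```python
import ipaddress


def covering_supernet(networks):
    """Return the smallest single prefix that contains every network in `networks`."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    if not nets:
        raise ValueError("need at least one network")
    if len({n.version for n in nets}) != 1:
        raise ValueError("IPv4 and IPv6 cannot share one phase 2 selector")
    cover = nets[0]
    # Widen one bit at a time until every member fits; terminates at /0 at worst.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def unlisted_members(cover, networks, prefixlen=24):
    """Subnets of length `prefixlen` inside `cover` that were not in `networks`.

    Traffic for these still matches the phase 2 selector, so they are the
    networks that need explicit firewall rules on the IPsec interface.
    """
    listed = {ipaddress.ip_network(n, strict=True) for n in networks}
    if cover.prefixlen >= prefixlen:
        return []  # the cover is a single member; nothing extra is carried
    return [s for s in cover.subnets(new_prefix=prefixlen) if s not in listed]


def plan_phase2(local_networks, remote_networks):
    """Build one supernetted phase 2 from two lists of /24s, or refuse if unsafe."""
    local = covering_supernet(local_networks)
    remote = covering_supernet(remote_networks)
    if local.overlaps(remote):
        # Overlapping selectors make the SA ambiguous; supernetting is not safe here.
        raise ValueError(f"local {local} and remote {remote} overlap")
    return {
        "local": local,
        "remote": remote,
        "local_unlisted": unlisted_members(local, local_networks),
        "remote_unlisted": unlisted_members(remote, remote_networks),
    }


if __name__ == "__main__":
    # Constructed input mirroring the post: four local /24s and eight remote /24s.
    local = [f"192.168.{i}.0/24" for i in range(4, 8)]
    remote = [f"192.168.{i}.0/24" for i in range(8, 16)]
    plan = plan_phase2(local, remote)
    print(f"Phase 2 local {plan['local']} <-> remote {plan['remote']}")
    # Drop 192.168.6.0/24 from the local list: the cover stays /22, so that
    # subnet is now carried by the tunnel without ever being listed.
    gap = plan_phase2([n for n in local if not n.startswith("192.168.6.")], remote)
    print("unlisted but covered:", [str(n) for n in gap["local_unlisted"]])
```

    The "unlisted but covered" list is the practical caveat of supernetting: every /24 inside the cover is reachable through the tunnel whether or not you meant it to be, so the IPsec-interface rules, not the phase 2 selector, are what actually restrict which subnets talk to each other.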

  • Remote VPN client configuration guidance please

    0 Votes
    2 Posts
    835 Views
    ServerTeam

    I am disappointed in this forum because not one suggestion was offered. Usually, community support for stuff like this is pretty good.

    Regardless, I figured it out myself. This thread can be considered closed.

  • Asynchronous Cryptography

    0 Votes
    3 Posts
    995 Views
    RMB

    Alright, that’s clear.
    Thanks Jimp for the quick response.

  • IPSec MTU Issue - Only from Windows 8

    0 Votes
    1 Post
    387 Views
    No one has replied
  • IPSEC HA Question

    0 Votes
    2 Posts
    434 Views
    jimp

    Yes, IPsec works fine with HA, the IPsec tunnel is bound to a CARP VIP, and whichever node holds MASTER status on the CARP VIP will carry the tunnel.

  • after a reboot I no longer have the road to ipsec VTI

    0 Votes
    5 Posts
    620 Views

    Jimp,

    Yes, the problem is resolved after deleting the static route, removing the VTI gateway and rebooting.

    Thanks for the help

    fred

  • Draytek modem and Netgate Ipsec problem

    0 Votes
    2 Posts
    407 Views
    jimp

    That's up to what the Draytek supports. DES has been broken for ages, it should never have been in use in a modern environment. If the Draytek supports AES-128 or better, use that. Failing that, at least use 3DES.

  • Atom D525 and Asynchronous Cryptography

    0 Votes
    2 Posts
    316 Views
    jimp

    Possibly, yes. With a single tunnel there is a chance you'd see improvement. Beyond that it's difficult to say without testing it.

  • ipsec can't connect over iOS

    0 Votes
    2 Posts
    561 Views

    There is a registry entry to change, and then you have to create the VPN adapter over PowerShell.

    https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

    For iOS you need a Mac (depending on your setup).

    I will try to make a whole guide for the setup when I have time.

    Regards
    Alitai

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.