• More than one Mobile IPSEC client from same Public IP

    0 Votes
    6 Posts
    655 Views

    I tried some things, but L2TP never worked on a second client at the same remote site (same public IP)...

    I see the IPSEC connection, but I'm rejected, seemingly in L2TP...

  • IPSec Causes Local Routing Issues

    0 Votes
    3 Posts
    523 Views

    Ah, should have thought about LAN bypass. Oh well. In the end I went and renumbered everything out of 10.40/16 and into another Class C 192.168.201.0/24.

    I am looking forward to 2.4.4. However, routed IPSEC sounds like the real solution. This is how the Juniper SRX on the other end handled things: it creates an extra interface and you simply route down that interface.

    Thanks again for the input it is appreciated.

  • IPSec bypass-lan does not work / plugin missing

    0 Votes
    4 Posts
    2k Views
    jimp

    I don't recall the history there specifically. I'm not familiar with that plugin myself. In the past, however, there were a number of strongSwan plugins that were not supported on FreeBSD or did not work properly there. It would not surprise me to find that was the case here, or that SPDs behaved in a more consistent and predictable manner.

  • Does pfSense need interface with IP that matches IPsec tunnel traffic

    0 Votes
    5 Posts
    785 Views

    So this worked brilliantly! Thank you so much.

  • Routing over ipsec VPN

    0 Votes
    2 Posts
    339 Views
    dotdash

    Try OpenVPN for B-C; it runs pure UDP or TCP, so it can work when the provider is blocking other protocols. You should be able to add the C subnet to the B-A phase 2 and vice versa.

  • Route specific IP Range via IPSEC VPN.

    Moved
    0 Votes
    2 Posts
    363 Views
    stephenw10

    You need to add Phase 2 entries to cover the traffic between 192.168.16.X and 10.0.0.X. Those need to be on both tunnels.

    Steve

  • ipsec fixed ip based on username

    0 Votes
    1 Posts
    228 Views
    No one has replied

  • Pfsense 2.4.x to USG ipsec issues

    0 Votes
    2 Posts
    700 Views

    https://www.synology.com/en-us/knowledgebase/SRM/tutorial/VPN/How_to_set_up_Site_to_Site_VPN_between_Synology_Router_and_UniFi_SG

    Based on the article above, the settings below seem to be stable on both sides so far

    Phase 1:
    Encryption: AES128
    Authentication: SHA1
    Key life: 14400
    DH Group: 14 (modp 2048)
    DPD (Dead Peer Detection): disable

    Phase 2:
    Encryption: AES128
    Authentication: SHA1
    Key life: 14400
    DH Group: 14 (modp 2048)

    The only thing on the USG side is selecting Enable Perfect Forward Secrecy (PFS) checkbox.

    Update

    Been up for 19 hours solid

  • How to set up l2tp/ipsec VPN?

    0 Votes
    2 Posts
    473 Views

    I noticed how the official guide says:
    "Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, Windows clients will most likely not function. Consider an IKEv2 implementation instead."

    Wouldn't that almost always be the case? Aren't the vast majority of home networks running NAT by default?
    But IKEv2 doesn't look like a better option either, as the guide mentions that mobile clients need to download a third-party VPN app, and you need to transfer CA files between clients.

  • IPSec tunnel: Cannot open remote webconsole.

    0 Votes
    5 Posts
    688 Views
    Herman

    Good day Folks,

    Walked everything through again to figure out what’s going wrong here.

    The remote subnet is 10.230.248.0/21. When I calculate this, the number of hosts will be 2046. The host range will be 10.230.248.1 to 10.230.255.254. Correct me if I am wrong, but 10.230.252.125 should be reachable as well, right? Very strange that I can ping and reach 10.230.252.114 but not 10.230.252.125.

    Again, when I am at work, 10.230.252.125 can be pinged and the webhost is reachable correctly.

    Does this make sense to anybody?

    Kind regards,
    Herman F.

  • IPSEC to AWS not routing traffic

    0 Votes
    2 Posts
    705 Views

    Having a similar situation and wondering if you ever resolved this; I can't find much of any response or help for the issue on this forum. Established a tunnel without issue to the AWS-hosted pfSense from a SonicWall. I can watch the inbound pings hit the system, but there is no progress from there or response.

  • IPSEC tunnel issues to a Cisco RV320

    0 Votes
    10 Posts
    2k Views
    cukal

    @stevetoza Off-topic, but here goes. We've experienced all sorts of things with the Cisco RV325 series. Stability, however, isn't one of them when running several heavy-traffic IPSec tunnels. We swapped out our RV320/325s for virtual pfSense appliances. After a lengthy support thread with a very helpful Cisco support guy, they swapped all our units for the new RV340, which is a significantly better hardware platform, but since we've been bitten quite a few times by RV320s just going dark on us, we now use them as expensive switches. SNMP showed that each time they went offline it was because of pure memory starvation. An RV325 unit with 5 IPSec tunnels and a bunch of locally attached stuff would keep running for max 2-3 weeks and then would slowly die: first the web console would stop responding (and it's already painstakingly slow), and a few hours later all the IPSec tunnels would become unresponsive. There's no automation for these boxes and we don't have managed PDUs, so instead of driving to the site location to switch them literally off & back on, I rolled some Selenium GUI manipulation to power-cycle them every week like that. Seriously. Also had to power-cycle twice, because sometimes the first reboot wouldn't bring up the IPSec tunnels, and when that happened they would never become active; only a second reboot would fix that.
    Seeing your screenshot of the web console throws me back to a lonely, dark and painful place ;)

  • IPSEC one user, multiple connections

    1 Vote
    3 Posts
    1k Views

    That's it! Thank you so much!

  • l2tp/ipsec force client to use pre-sharedkey

    0 Votes
    2 Posts
    352 Views
    johnpoz

    You're going to have to give us a bit more to go on vs. just saying you have set up l2tp/ipsec..

    https://www.netgate.com/docs/pfsense/book/l2tp/l2tp-with-ipsec.html

    What client are you using?

  • 0 Votes
    3 Posts
    620 Views

    Hi

    I've done such a setup with two PFSenses. Each has a separate WAN provider.
    The other site is a single HA VMware NSX Edge firewall.

    I made a script which checks the WAN connection. If the internet fails, the script switches to the backup PFSense and starts the VPN tunnel there.

    There is nothing much you can do else.
    I'm also waiting for VTI Tunnel Support on 2.4.4

  • IPsec connection 'partially' blocked

    0 Votes
    1 Posts
    386 Views
    No one has replied

  • PFSense IPSec with phase 2 remote subnet overlaps local subnet.

    0 Votes
    4 Posts
    2k Views

    Ahh.. Got it. But I have 7 LAN interfaces I have to apply this to, not just one. On the pfSense website, I found Bug 5826, which describes the problem I'm having: https://redmine.pfsense.org/issues/5826 . I'll do some research to see whether, if I get into the strongSwan config, I might be able to do this for multiple interfaces manually.

    Thanks again for the help. I never noticed the Auto-exclude LAN address feature in IPSec.

  • L2TP closes connection for unknown reason

    Moved
    0 Votes
    11 Posts
    2k Views
    lifeboy

    I have sort of bypassed my problem by downgrading my MikroTik RouterOS version, but of course that opens me up to possible exploits which may have been fixed since. I had not considered that a client connecting/disconnecting could be causing this, though, so I will carefully note what happens next time I have a disconnect.

  • Is there any limit on maximum number of ipsec tunnels

    0 Votes
    3 Posts
    4k Views

    Hello,
    I have 50 phase 1 and 150 phase 2 entries on my pfSense server (HP G8).

    CPU Type Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz 8 CPUs: 2 package(s) x 4 core(s) AES-NI CPU Crypto: Yes (active) Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

    The last tunnel I created is causing trouble. Phases 1 and 2 come UP from time to time, and when they are UP, no traffic is passed.

    I tested this vpn on a virtual machine pfsense and everything is OK.

    I wonder if I'm reaching a tunnel limit. If yes, how to properly modify the ikesa_table_size value to 1024 so that it is taken into account in case of reboot / upgrade?

    Thank you for your help.

  • Supposed General IPSec Vulnerability - Does it affect us?

    0 Votes
    6 Posts
    1k Views
    jimp

    Since CERT has now also made the details of this issue public, I made our Redmine issue for it public: https://redmine.pfsense.org/issues/8667

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.