  • 0 votes, 4 posts, 1k views
    Last reply: Thank you very much! Your solution fixed my problem! I had forgotten to add the tunnel network to the remote networks on site B.
  • Proxy services stop unexpectedly
    Cache/Proxy pfsense squid squidguard help
    0 votes, 2 posts, 1k views
    Last reply: @mhmz does it make any sense to run a proxy server with AES-NI deactivated?
  • IPSEC perdendo conexão (IPsec losing connection)
    Portuguese pfsense ipsec firewall
    0 votes, 16 posts, 3k views
    Last reply (DaddyGo): @alexandre-angeli said in IPSEC perdendo conexão: The IPsec goes offline while it is not in use; I confirmed it works correctly, because when I ping it, it "comes up" again. Hmmmm, but: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html
  • HAProxy for pfSense as API Gateway
    General pfSense Questions pfsense
    0 votes, 2 posts, 538 views
    Last reply: [image: 1602793762710-1a3034a0-a3b0-4adf-be66-231891d71266-image.png]
  • DDoS protection for PfSense
    Firewalling ddos pfsense
    0 votes, 10 posts, 32k views
    Last reply: @coldfix if you're looking for control plane protection (or policing), a different brand of firewall would be needed, as pfSense does not have any mitigation for that.
  • Health Checks for PfSense
    General pfSense Questions healthcheck pfsense
    0 votes, 2 posts, 1k views
    Last reply (johnpoz): @nash27 said in Health Checks for PfSense: route53 healthchecks. Don't those check from multiple locations? If you're blocking access to where those checks are coming from, then yes, they would fail. I would assume that if you're opening 443 on pfSense to the internet for management, you would have that locked down to specific IPs; at least that is what any sane person would do ;)
  • ANYDESK COM SNORT (AnyDesk with Snort)
    Portuguese snort anydesk pfsense
    1 vote, 4 posts, 2k views
    Last reply (Luketa): @sramsterdam awesome, thanks for sharing your solution.
  • 0 votes, 4 posts, 2k views
    Last reply: @toddwebnet Did you ever find one you like? I have the same use case.
  • What is your followup for Snort alerts?
    IDS/IPS snort pfsense
    0 votes, 5 posts, 1k views
    Last reply: Thanks.
  • 0 votes, 7 posts, 3k views
    Last reply: @maverickws have you checked iperf3 speeds between pfSense and xcp-ng itself? Mine are bad. Additionally, from pfSense to xcp-ng there are many retries during transfer.
  • Ntopng doesn't work on pfsense
    Moved Traffic Monitoring ntopng pfsense
    0 votes, 11 posts, 3k views
    Last reply: Only installed ntopng; I don't have any other packages besides the ones already pre-installed on pfSense. 35 GB, 4 GB RAM and 4 CPU cores.
  • Problem with Virtual IP
    HA/CARP/VIPs pfsense virtualip configuration carp failover
    0 votes, 10 posts, 3k views
    Last reply: It can depend on the switch/router on the other end of the cable. For instance with Comcast routers, often when replacing a router in an office (inside the Comcast router) I've found it's fastest to power off or reboot the Comcast router so it learns that the IP has a new MAC. If you have the second router on and are just plugging in cables, I would wonder whether restarting the second router (or just leaving it off and powering it on) would help. But overall, CARP set up properly works basically instantly, so that would be preferred. https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html
  • 0 votes, 11 posts, 2k views
    Last reply: @pfuzer pfSense with pfBlockerNG-dev and Suricata
  • 0 votes, 45 posts, 11k views
    Last reply: Ah, it works and already looks much better :)
  • 0 votes, 9 posts, 2k views
    Last reply (JeGr):
    @CodeNinja said in How to setup a second local network for an IPSec connection?: I'm also curious if it's preferred/best practice to use a "supernet" or this "multiple tunnel" construction like I currently do.

    In many bigger scenarios I see "supernets", or bigger CIDR masks, used to simplify tunnel deployments. Especially in centralized structures with one or two "main" sites with big uplinks and many small/branch offices, the network design often tends to go something along these lines:
    - Roll out a big network structure on main(1), e.g. multiple 172.19.x.0/24 networks for security segmentation.
    - Dial-up / RAS VPN uses IP ranges either from an upper 172.19.x segment or from another IP range altogether (e.g. 192.168.vvv.0/24).
    - Branch offices use a separate range, e.g. 10.10.bbb.0/24 for office 1, 10.20.bbb.0/24 for office 2 (or 10.11.bbb.0 if you have a whole lot of branch offices).
    With that setup you can easily do tunnels from "main" to "site a" with <172.19.0.0/16> <-> <10.10.0.0/16> and have no problem whatsoever growing in either space. If you need new networks on site or in the main location, just add another VLAN with a /24, and as your tunnel is set up with a /16 it already includes the new networks. So yeah, it's pretty common to use CIDR ranges bigger than your local network to add some "space to grow" later on.

    @CodeNinja also said: I also noticed this morning that one of the connections had 8 tunnels where I expected only 4. 5 are duplicates of each other and 1 is missing. That seems strange.

    A duplicate can (and will) happen at times when rekeying gets near and the lifetime is about to expire. Then it's pretty normal to sometimes see every phase with a second entry, as the old one gets "disabled" (but not disconnected) and the new one takes over so the rekey/lifetime turnaround goes smoothly. You then see new traffic accumulate on the newer P2, the old one won't get any more, and after expiry it should vanish a few seconds/minutes later. But having the same phase 5 times is strange, and some were brought up only seconds after one another. Weird. I'd disconnect the whole bunch, re-establish the tunnel and check whether that happens again. Perhaps something with the EdgeRouter on the other site? Maybe setting the split option in P1 of the connection could help if pfSense tries to group the connection but the EdgeRouter doesn't support it (fully), but that's just a guess.
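The address-plan reasoning in JeGr's reply above (one Phase 2 per site pair using supernets, so that VLANs added later are already covered), worked through as an added example. This is not code from the thread or from pfSense: it is a small Python check that takes a list of Phase 2 selectors and reports which local/remote network pairs they cover, which pairs would need yet another Phase 2 under the "multiple tunnel" construction, and which site ranges in a plan overlap. All networks are constructed sample values in the style of the post, not a real deployment.

```python
"""Coverage check for a supernet-based IPsec Phase 2 plan.

Added example for the address-plan reasoning in the thread; not code from
the forum post or from pfSense. All networks below are constructed sample
values in the style of the post (172.19.x.0/24 at the main site,
10.10.bbb.0/24 at branch 1) and are assumptions, not a real deployment.
"""
from ipaddress import ip_network
from itertools import product

# Constructed sample address plan (assumption, see module docstring).
# 172.19.3.0/24 and 10.10.2.0/24 play the role of the VLANs added later.
MAIN_NETS = ["172.19.1.0/24", "172.19.2.0/24", "172.19.3.0/24"]
BRANCH1_NETS = ["10.10.1.0/24", "10.10.2.0/24"]

# One Phase 2 per site pair, using the supernets the post recommends.
SUPERNET_SELECTORS = [("172.19.0.0/16", "10.10.0.0/16")]

# The "multiple tunnel" construction: one Phase 2 per /24 pair, written
# before 172.19.3.0/24 and 10.10.2.0/24 existed.
PER_SUBNET_SELECTORS = [
    ("172.19.1.0/24", "10.10.1.0/24"),
    ("172.19.2.0/24", "10.10.1.0/24"),
]


def selector_covers(selectors, local, remote):
    """Return the first (local, remote) Phase 2 selector whose local side
    contains `local` and whose remote side contains `remote`, or None.
    Traffic between two networks is only matched by a Phase 2 when both
    ends fall inside one selector pair."""
    local_net, remote_net = ip_network(local), ip_network(remote)
    for sel_local, sel_remote in selectors:
        if (local_net.subnet_of(ip_network(sel_local))
                and remote_net.subnet_of(ip_network(sel_remote))):
            return (sel_local, sel_remote)
    return None


def uncovered_pairs(selectors, local_nets, remote_nets):
    """All local/remote network pairs that no selector covers, i.e. the
    traffic that would miss the tunnel or need yet another Phase 2."""
    return [(loc, rem) for loc, rem in product(local_nets, remote_nets)
            if selector_covers(selectors, loc, rem) is None]


def address_plan_conflicts(*site_ranges):
    """Pairs of site supernets that overlap. Overlapping ranges cannot be
    carried by one selector pair without ambiguity, so main, RAS and
    branch ranges in the plan must stay disjoint."""
    nets = [ip_network(r) for r in site_ranges]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    print("supernet plan, uncovered pairs:",
          uncovered_pairs(SUPERNET_SELECTORS, MAIN_NETS, BRANCH1_NETS))
    print("per-subnet plan, uncovered pairs:",
          uncovered_pairs(PER_SUBNET_SELECTORS, MAIN_NETS, BRANCH1_NETS))
    print("plan conflicts:",
          address_plan_conflicts("172.19.0.0/16", "10.10.0.0/16",
                                 "10.20.0.0/16", "192.168.50.0/24"))
```

With the supernet selector the two "new" /24s are already covered; with the per-subnet selectors four local/remote pairs have no Phase 2 at all, which is exactly the growth problem the reply describes. The conflict check is the complementary caveat: a supernet plan only works if the ranges chosen for the main site, the RAS pool and each branch do not overlap.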
  • IPv6 Ports mittels Firewall blocken (Blocking IPv6 ports with the firewall)
    Deutsch ipv6 pfsense nat nat64
    0 votes, 15 posts, 3k views
    Last reply: Hey, I've got it working now, well, not by myself :/. My friend helped me and it works now. Many thanks for all the help. Regards, Mathias