Today I migrated an IPsec (with IKEv1) site-to-site setup from a pfSense machine to a Debian machine.
Since the pfSense machine was still the Internet gateway for the network, IKE and ESP packets still had to go through it. Now, I recalled something about firewalls not playing too nice with...