• IPSec Routing stops working??

    4
    1 Votes
    4 Posts
    779 Views
    J
    Update: I've upgraded to 2.4.3-RELEASE-p1, switched back to IPSec from OpenVPN, and haven't experienced the issue for ~72hrs and counting.
  • RSA ipsec : no private key found...

    3
    0 Votes
    3 Posts
    4k Views
    A
    Yes, you are right, it works now! (In fact, in the meantime, I tried using PSK auth, and had the same issue with bad identifiers, but the error messages were more relevant for me.) Solution for anyone who would have this issue => use the altNames values of the certificates (get them with the "ipsec listcerts" command) in the leftid/rightid strongSwan tunnel parameters. Thanks for your reply.
  • key_acqdone / key_delete

    Moved
    3
    0 Votes
    3 Posts
    643 Views
    R
    yes site 2 site vpn with ipsec
  • IPSEC to CradlePoint...Tunnel Established But No Ping

    17
    0 Votes
    17 Posts
    3k Views
    DerelictD
    Glad you got it working. Thanks for letting us know.
  • IPSec VLAN Passthrough

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • Can't seem to get pfSense to stay connected to IPCop firewall

    3
    0 Votes
    3 Posts
    685 Views
    DerelictD
    We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec. Firewall rules on the IPsec tab would be for allowing pings originating from the other side. Be sure you are pinging from something interesting to IPsec, as in from a source address that is in the Local Network portion of a phase 2. You can set a source interface to something like LAN if you're using Diagnostics > Ping.
  • IPSEC VPN Drops around 40 seconds.

    5
    0 Votes
    5 Posts
    956 Views
    jimpJ
    What do the logs on the Draytek say? pfSense can't tell you why the Draytek sent the delete command, only the Draytek can.
  • IPSec site to site VPN "Connecting" Status only

    1
    0 Votes
    1 Posts
    236 Views
    No one has replied
  • Route IPSEC

    2
    0 Votes
    2 Posts
    385 Views
    jimpJ
    IPsec tunnels don't "route"¹, they use Phase 2 definitions to set up Security Associations that define which traffic will be able to cross each tunnel. So you need to add Phase 2 entries to both ends of every tunnel to match every combination of traffic you hope to send across the tunnel. So if you have tunnels A-B and A-C, you need phase 2 entries on A-B to pass traffic from B-C and on A-C to pass C-B and vice versa. ¹ well, until 2.4.4 and they have to support VTI
  • [GUIDE] IKEv2/IPSec, Per user firewall rule settings with FreeRADIUS

    2
    2 Votes
    2 Posts
    4k Views
    L
    @pfbest This is amazing! Thank you so much, it works really well.
  • IPSEC over LDAP (Synology AD)

    1
    0 Votes
    1 Posts
    359 Views
    No one has replied
  • ipsec

    2
    0 Votes
    2 Posts
    351 Views
    U
    @utilizador_estagio I created a user and installed that user certificate in my machine... but it won't work. What else can I do?
  • Fortigate and PFSENSE...

    3
    0 Votes
    3 Posts
    1k Views
    A
    Hello and thanks for your answer. In fact, we saw some posts on the net with this log, pointing to a PSK mismatch. We made a lot (LOT) of tests with a lot of different PSKs, the P1 never got up. We tried some '1234', 'test', and so on, PSKs ...
  • IKEv2 EAP-RADIUS + group authentication

    1
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • [IPSec] VPN with Multi Subnets

    11
    0 Votes
    11 Posts
    1k Views
    R
    @dave-opc said in [IPSec] VPN with Multi Subnets: It is possible, and it will not be with the same configuration On Company2 you create 1st P2 with local 172.16.0.0 and remote 172.16.10.0 and create 2nd P2 with local 172.16.0.0 and remote 172.16.4.0 On Company1 you create 1st P2 with local 172.16.4.0 and remote 172.16.0.0 and create 2nd P2 with local 172.16.10.0 and remote 172.16.0.0 I had tried this, but I was forgetting to change the output interface of Company 1, that is, I was making a faithful copy of the existing P2, a lot of my attention, thank you for helping me.
  • Pfsense on AWS IPsec

    3
    0 Votes
    3 Posts
    595 Views
    T
    security group Elastic IP: All Traffic Searching the internet, I did not find anything related to pfsense in AWS providing VPN ipsec.
  • Cannot get mobile IPSEC client to route over IPSec site-to-site tunnel

    11
    0 Votes
    11 Posts
    1k Views
    M
    Bingo! That did the trick. Thank you :)
  • 1:1 Nat over IPSec - no networks found

    2
    0 Votes
    2 Posts
    473 Views
    P
    Figured it out! It was a mixup on the ip's configured in the Phase 2 network settings, when using the BiNat feature.
  • 0 Votes
    3 Posts
    614 Views
    R
    @nogbadthebad said in IPSEC VPN between 2 sites has constant ~20k traffic. How best to find out what it is?: Have you tried a packet capture? I didn't realize pfSense had a packet capture. Thanks for suggesting it. Now the results. I ran a quick capture on ipsec and then found the busy IP address. A quick look at the lease assignments showed me it was my Uniden Police Scanner wifi dongle. Then it hit me. I run Proscan scanner software from my office that points to my Uniden scanner to capture fire calls in my town (using the "fire tone out" feature), and then email them to me so I can hear them on my phone. I totally forgot that I had that communication running all the time, but the packet capture quickly pointed it out. Problem solved. Thanks for the tip. Roveer
  • 0 Votes
    11 Posts
    2k Views
    H
    @dkase279 mine prevents the tunnel from working as client machines can not ping through to my main site via the VPN. I'm going to log a call with Netgate if possible as it's preventing service. I also might put logs on here once it happens again.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.