No

You probably need to add tunnels so sites B and C think the remote access tunnel network is interesting to IPsec so the reply traffic from there makes it back to Site A and, from there, back to the remote client. List all your networks at the sites and the tunnels (phase 2s) you have established. And the remote access tunnel network, and whether it is split-tunnel or if it sends all traffic over the VPN from the clients.

I recently read a post where someone solved their problem right after posting here for assistance… this has now happened to me. All I had to do is add a route manually via powershell. Add-VpnConnectionRoute -ConnectionName "VPN_NAME" -DestinationPrefix "Network/Subnet" -PassThru taken from here https://forum.pfsense.org/index.php?topic=127457.0

Patch application fixed the issue! Thanks!

@domf: Enable "IP Forwarding" on the interface attached to the pfsense host. Bingo. I've been banging my head on my desk for two days, and this has solved my problem. Thankyou!

pfSense is 2.3.5-RELEASE (i386) You are not running racoon. You are running strongswan (charon). i386? It's 2018. I would guess the phase 1 is succeeding then the phase 2 is failing and one side or the other is subsequently deleting the phase 1. Impossible to tell without looking at the IPsec logs. Guidance: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

The IPv4 case also works for us. With IPv4 the charon also creates packets bigger than 1500 bytes, but they get fragmented at the outgoing interface as they should and as seen in a interface dump. With IPv6 a dump on the same interface simply shows nothing for the packet in question… That's why i suspect that pfSense does not do any fragmentation for IPv6.

No you don't. 10.2.0.0/16 <-> 10.5.0.0/16 is not the same thing as 10.2.0.0/16 <-> 10.1.0.0/16

Solved by removing the RRAS in between so now DHCP and NAT live on the PfSense firewalls. Thanks for the suggestion! Also no more 24.xxx subnets for private IPs!

Thanks for that confirmation that my memory isn't faulty. The issue is consistent and repeatable, so if I get the chance I'll dig around some. I'm going to be away for a few days though so that might take a while. And, if I run out of time, I may end up just building a new VM from scratch - this one has been through the wars while I was figuring out IPSec. ps. As this is no longer related to IPSec, as such, and is more of a firewall issue, if/when I get around to updating or solving the problem then I'll post in the firewalls topic rather than here.

@Cerberus: Update: If the windows 10 client has a public IP address it works! This makes me believe it's a NAT problem. There must be a configuration error on the pfsense router, the win10 client and the pfsense router, does not agree on how NAT-T works. Remember the same windows 10 client can successfully connect to another router via L2TP/IPsec when the client is behind nat. This is working for me. I am using Win10 Home version 1709 build 16299.125 (KB4054517, Dec. 2017). There are 12 new builds, but I couldn't test them yet. If nothing got break this year, let's imagine it still works: For Phase 1 authtentication, Win10 asks for AES-256 bits-SHA1-DH 20. Just added this algorithm and it worked. For client behind a NAT, it was needed a register tweak: include REG_DWORD key "AssumeUDPEncapsulationContextOnSendRule", with value "2", at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent". (need reboot)

Hi guys! I have the same problem. Do you have solution to this? Thank you, Peter

I can't comment on your specific case, but here are a few things I did (they may work for you, or they may make things worse!)… system > advanced > networking > all hardware offloading options: tick (disable) vpn > ipsec > advanced settings > enable maximum mss: tick vpn > ipsec > advanced settings > maximum mss: 1400 vpn > ipsec > advanced settings > make before break: tick vpn > ipsec > tunnels > edit phase 1 > disable rekey: untick vpn > ipsec > tunnels > edit phase 1 > margintime: 60 vpn > ipsec > tunnels > edit phase 2 > pfs key group: off vpn > ipsec > tunnels > edit phase 2 > automatically ping host: ip within remote subnet Good luck, and take a backup first.

OK, thanks for that. Are you aware of anything that will do what I'm after?

The following works for me after doing step 1 "test-user" Cleartext-Password := "XXXXXXXXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020", NAS-Identifier == strongSwan Framed-IP-Address = 172.16.9.254, Framed-IP-Netmask = 255.255.255.0, Framed-Route = "0.0.0.0/0 172.16.0.1 1", Remember the Simultaneous-Use := "1" if your giving them a fixed IP. https://forum.pfsense.org/index.php?topic=130715.0