• VPN Phase 2 Entry For Static Routed Network

    0 Votes
    1 Posts
    352 Views
    No one has replied
  • IPSEC Route all but local traffic

    0 Votes
    14 Posts
    2k Views
    Got it fixed. Missing NAT rule on PFA from internet to 10.253.253.0/24 network
  • IPSec VPN to Softether Server

    0 Votes
    12 Posts
    3k Views
    Problem solved! Now I can connect my pfsense box as a client to my SoftEther server. The problem was the latest (RTM) version of SoftEther server, which seems to have an issue with OpenVPN. After installing an earlier version, everything is working as expected.
  • Quick question

    0 Votes
    5 Posts
    757 Views
    @Derelict: Probably no and not that I know of. Make your IPsec connection from behind the firewall or use an OpenVPN provider. Thank you, I'll do that.
  • 0 Votes
    1 Posts
    372 Views
    No one has replied
  • IPsec from Azure pfSense VPN appliance to on-premises box

    0 Votes
    1 Posts
    405 Views
    No one has replied
  • USG - pfsense IPsec VPN

    0 Votes
    3 Posts
    3k Views
    jcconnell did you ever get this resolved? I am having the same issue as you are having and all my networks are set up properly. Let me know!
  • IPsec performance

    Locked
    0 Votes
    3 Posts
    673 Views
    Sometimes you have good days, and sometimes bad ones. This is a bad day; I have been toying around too much around data centers and totally forgot my home internet wasn't quite as symmetrically performant (faster download of course). I'll show myself out (and lock this thread).
  • Ipsec Site to SITE VPN issue with multiple scopes

    0 Votes
    2 Posts
    495 Views
    Hello, on your phase 2 entire do you have 192.168.2.0/24 and 192.168.3.0/24 set up? Or are you doing 192.168.0.0/16? Thanks
  • Pfsense IPSEC tunnel to redundant endpoints

    0 Votes
    3 Posts
    2k Views
    Sorry for the delay! So I tested it on my end, the 2 tunnels go up, but if I unplug one of my remote WAN ports, the tunnel doesn't switch to the other one (even if the tunnel is up…). I configured the DPD (dead peer detection), 5 sec for 5 poll, to disconnect the tunnel, it doesn't work... I am not sure if it is possible. I guess the only way would be to set up a DynDNS or NO-IP on the remote firewall so they can update the IP between the active ISP. But IMO, it is not a good solution for a large enterprise, as in my experience, for me, SonicWall and DynDNS is scrap, no-ip works okay but I do prefer using a direct IP.
  • Disable Scrubbing on IPSEC interface only

    0 Votes
    2 Posts
    1k Views
    Looks like others are affected too: https://redmine.pfsense.org/issues/7801 Any chance to get fragmented UDP across IPSEC tunnels with pfSense?
  • IPSec just won't connect, pulling my hair

    0 Votes
    4 Posts
    717 Views
    Derelict
    I don't think there is any reason for the P1 to even attempt a connection without a P2. There is no interesting traffic in that case. There are no connection attempts in the logs you posted. I would config a P2 and try again.
  • Access LDAP from WAN through IPSec- Site-to-site

    0 Votes
    3 Posts
    502 Views
    The lookups are sourced from Virt.Publ.IP because I have only one Publ.IP on IPSec-Site2 and the ports are already in use (and I can't change!). On Site1 I have several Publ.IP addresses free to use. I put in the settings of the document, but not successful. Checked the tunnel again and it is working fine in both directions. Is there anybody who did something like that already?
  • IPSEC VPN from HA pfSense to AWS VPC instance not routing

    0 Votes
    4 Posts
    1k Views
    Derelict
    You need to route the correct traffic from the VPC to the VGW in AWS. Traffic from the pfSense side is sent to the VPN according to the traffic selectors (phase 2 networks).
  • Which VPN Authentication?

    0 Votes
    5 Posts
    726 Views
    Hello, got it to work. :) EAP-Radius means that the VPN server will send the authentication to the FreeRadius server (that was not clear for me). So I can now use EAP-TLS and EAP-MSCHAPV2 with FreeRadius at the same time. Thanks. Regards, Alitai
  • IPSec stops working after a while until pfsense reboot

    0 Votes
    1 Posts
    308 Views
    No one has replied
  • 0 Votes
    2 Posts
    579 Views
    Sorry to dig up an old post, but I was wondering if you ever found a solution? I have an ongoing problem very similar to yours and like you discovered, it only seems to affect my systems that are running 2.4.2 or later. Link to previously created thread: https://forum.pfsense.org/index.php?topic=143728.0
  • 0 Votes
    2 Posts
    679 Views
    It seems to be a regular win10 IPv6 VPN client problem. Maybe it should be solved by using link-local addresses on IPsec interface. For now I have solved the problem by creating a PowerShell script to create a Windows VPN connection definition. The script adds route ::/0->:: Add-VpnConnectionRoute -ConnectionName $connection_name -DestinationPrefix ::/1 Add-VpnConnectionRoute -ConnectionName $connection_name -DestinationPrefix 8000::/1 The Add-VpnConnectionRoute cmdlet does not allow to manipulate with ::/0, this is why there are two routes, for ::/1 and for 8000::/1. And how are you, who already uses IPsec on IPv6, working with client routes? Are they automatically created? Do you use link-local addresses on IPsec interface?
  • IPSEC Site to Site VPN

    0 Votes
    13 Posts
    1k Views
    It's OK, I figured it out… didn't have the correct rule on the IPSec rules for the firewall... all good now, thanks
  • IPSEC Tunnel to WIN10 behind NAT driving me crazy

    0 Votes
    3 Posts
    643 Views
    Double check that you are using IKEv2 on both ends. This looks like IKEv1 with UDP port 500: Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.