• PfSense IPsec FreePBX no audio times out after 30 seconds

    2
    0 Votes
    2 Posts
    651 Views
    I'm really not a VoIP guru, but whenever I have this behavior (calls dropped after a time-out), it is when there is a wrong NAT behavior somewhere. The PBX side would be receiving packets where the source IP at network & transport layer doesn't match the IP declared at the SIP application layer. Could it be that it was working before because your PBX setting was "easy" and therefore you were not noticing this NAT issue? Can you check on the PBX to see the source IPs of the stations registering, and check the tables for the registered extensions, and see if there is a match?
  • HELP ME: IKEv2 setup with StrongSwan server

    4
    0 Votes
    4 Posts
    1k Views
    I've done OpenVPN to NordVPN (I've even played around with 4 tunnels and load-balancing on the 4 tunnels), but haven't been able to configure IKEv2 towards NordVPN. I read the guides you mentioned, but from what I read, MSCHAP can be configured for an IKEv2 server on pfSense, not an IKEv2 client on pfSense. The guide on IKEv2 that you linked to is written for an IKEv2 server on pfSense, and remote clients like iOS or Android. Here's what I did:
    - download root certificate from NordVPN
    - convert to PEM format
    - import as a CA in System->Certificate
    - go to VPN->IPSec and set up a site to site tunnel.
    However, in the authentication box, either I see "Shared PSK" or "RSA". I have tried both settings, selecting the Root NordVPN cert for the remote in the "RSA" mode, or using my NordVPN password as the pre-shared-key when in "PSK" mode. When I go to the status page, and click "connect", it goes back to the "disconnected" state almost instantly. When I check the logs, I keep getting an authentication failed reply from the NordVPN server. I might be missing something, though  :o
  • IPSec Tunneling Between 3 Different Sites

    7
    0 Votes
    7 Posts
    1k Views
    My goal is the network from Site A (10.1.1.x/24) able to reach the network at Site C (10.3.3.x/24) regardless the traffic from A will be NAT to site B and will carry the IP Site B (10.2.2.x/24) instead. Also the same for Site C whereby it will carry the Site B IP in order to communicate with network on Site A.
    Site A (10.1.1.x/24) <----------> Site B (10.2.2.x/24) <----------> Site C (10.3.3.x/24)
                         IPSEC & NAT                       IPSEC & NAT
    Probably the above illustration perhaps may give you some idea. Thank you in advance.
  • IPSEC VPN NOT CONNECTING AFTER UPGRADE

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • Make IPsec tunnel using gateway Group as local interface

    1
    0 Votes
    1 Posts
    433 Views
    No one has replied
  • IPsec VPN between pfsense and zyxel NSG (nebula gateway)

    1
    0 Votes
    1 Posts
    637 Views
    No one has replied
  • VPN for Alcatel pbx

    1
    0 Votes
    1 Posts
    555 Views
    No one has replied
  • MOVED: Certificate Name Error OpenVpn

    Locked
    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • Pfsense with SDNv2 in SCVMM 2016

    1
    0 Votes
    1 Posts
    894 Views
    No one has replied
  • 0 Votes
    1 Posts
    454 Views
    No one has replied
  • IPhone ipsec mutual psk vs mutual psk + xauth problems

    1
    0 Votes
    1 Posts
    529 Views
    No one has replied
  • Sites cannot reach each other, but mobileclients can reach both

    1
    0 Votes
    1 Posts
    344 Views
    No one has replied
  • Mac Split DNS issue

    2
    0 Votes
    2 Posts
    559 Views
    Had a look at the file /usr/local/etc/strongswan.conf using
    grep "28675" strongswan.conf | hexdump -C
    and it looks like it just puts a newline at the end of the line so can't imagine this is a pfsense bug.
    00000040  4c 45 41 56 45 4d 45 48  45 52 45 0a              |LEAVEMEHERE.|
    0000004c
    Any suggestions to try and work out where the bug is?
  • Issue with Ipsec Phase 2

    1
    0 Votes
    1 Posts
    456 Views
    No one has replied
  • L2TP over IPSec for iOS with v2.3.4

    3
    0 Votes
    3 Posts
    2k Views
    Because we don't want to use certificates on clients like iOS. Authentication should be based on Windows AD only. When we need to use certificates, we can also use OpenVPN which we are testing at the moment. But also there I got stuck, cause I can't reach devices in LAN, but I created a post in the OpenVPN category for that case.
  • Define exceptions to Phase 2 tunnel policy?

    1
    0 Votes
    1 Posts
    387 Views
    No one has replied
  • Multiple Client VPNs (IPSec)

    1
    0 Votes
    1 Posts
    526 Views
    No one has replied
  • Correct setup for 2.3.4 and a VPN for Windows/Android?

    2
    0 Votes
    2 Posts
    581 Views
    Could you elaborate on your question? Trust me, I've been fed up about ten trillion times too ( ;) ) but - HAProxy aside (which I don't use nor know about), I have W7 and Android too, and it is doable, even easy, if only the documentation were a little bit clearer. I can try to help you.
  • Fragmented reply ICMP packages not reassembled

    1
    0 Votes
    1 Posts
    362 Views
    No one has replied
  • IPSec, policy routing, snat

    2
    0 Votes
    2 Posts
    655 Views
    After some digging, I would say this is rather a NAT/routing issue than IPSec. Installing one more PfSense, let's call it PF2 and the original PF1. Settings as follows:
    PF1(LAN): 10.0.1.1
    PF1(OPT1): 10.0.2.1
    PF1(WAN): x.x.x.x
    PF2(LAN): 10.0.1.2
    PF2(WAN): 10.0.2.2 (gw: 10.0.2.1) (the OPT1 on PF1)
    On PF1 adding static route to Remote subnet (192.168.0.0/16) with gw to 10.0.1.2 (PF2). I'm able to access remote subnet from LAN on PF1. So accessing remote lan from PF1 LAN route is:
    PF1(LAN) --> PF2(LAN) --> PF2(WAN) --> PF1(OPT1) --> IpSec tunnel
    Everything is working as expected but doesn't seem right, is there a way to achieve the same functionality without involving PF2? I was also able to make it work with an OpenVPN server with /28 subnet, I could NAT on IpSec phase2 so OVPN clients access remote LAN, but not from LAN directly. Best regards.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.