• Ipsec ikev2 to iOS 9+ and Windows – but no certificates

    1
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    DerelictD
    Well, you need the reciprocal phase 2 entry.
  • All Tunnels rekeying after exactly 60 seconds.

    1
    0 Votes
    1 Posts
    390 Views
    No one has replied
  • IPsec to Cisco ASA - Intermittent Resets

    2
    0 Votes
    2 Posts
    679 Views
    R
    Today we had another disruption preceded by a lot of these log entries:
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[ENC] <con2000|5> generating INFORMATIONAL_V1 request 817940652 [ HASH N(INVAL_HASH) ]
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[IKE] <con2000|5> QUICK_MODE request with message ID 1339927066 processing failed
    2017-08-29 08:29:59,Daemon.Info,10.3.1.2,Aug 29 08:29:59 charon: 13[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:29:59,Daemon.Info,10.3.1.2,"Aug 29 08:29:59 charon: 13[IKE] <con2000|5> received retransmit of request with ID 2091090257, but no response to retransmit"
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> parsed QUICK_MODE request 1339927066 [ HASH SA No ID ID ]
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> received HASH payload does not match
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[IKE] <con2000|5> integrity check failed
    Other log entries that looked suspicious are:
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[ENC] <con2000|5> generating INFORMATIONAL_V1 request 3211985302 [ HASH N(PLD_MAL) ]
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[IKE] <con2000|5> QUICK_MODE request with message ID 3438183006 processing failed
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,"Aug 29 08:40:47 charon: 10[ENC] <con2000|5> invalid HASH_V1 payload length, decryption failed?"
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[ENC] <con2000|5> could not decrypt payloads
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[IKE] <con2000|5> message parsing failed
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[ENC] <con2000|5> generating INFORMATIONAL_V1 request 1187213230 [ HASH N(INVAL_HASH) ]
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[IKE] <con2000|5> QUICK_MODE request with message ID 879409864 processing failed
    2017-08-29 08:43:07,Daemon.Info,10.3.1.2,Aug 29 08:43:07 charon: 05[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:43:07,Daemon.Info,10.3.1.2,"Aug 29 08:43:07 charon: 05[IKE] <con2000|5> received retransmit of request with ID 2426813154, but no response to retransmit"
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (76 bytes)
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[ENC] <con2000|5> parsed INFORMATIONAL_V1 request 3155446242 [ HASH D ]
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[IKE] <con2000|5> received DELETE for ESP CHILD_SA with SPI a559aaa0
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,"Aug 29 08:43:14 charon: 05[IKE] <con2000|5> CHILD_SA not found, ignored"
  • Roadwarrior users unable to access internet

    3
    0 Votes
    3 Posts
    685 Views
    maxxerM
    Found out! I have manual outbound NAT, so I needed to create a NAT rule from the IPsec subnet to the WAN interface.
  • (Solved) L2TP over IPsec not routing properly

    2
    0 Votes
    2 Posts
    835 Views
    E
    Sorry for the unnecessary post, got it to work thanks to this documentation: https://forum.pfsense.org/index.php?topic=83321.0 It seems like in pfSense 2.4.0 I still have to set: Add a system tunable net.inet.ipsec.filtertunnel=1 (this may not be required any longer). Well, anyway, it works now.
  • IPSec with AD authentication

    2
    0 Votes
    2 Posts
    2k Views
    DerelictD
    It looks like the only option there is RADIUS, not LDAP. Maybe try setting up AD NPS and a RADIUS authenticator instead. https://doc.pfsense.org/index.php/L2TP/IPsec
  • IPSec EAP-RADIUS not pushing DNS to iOS

    1
    0 Votes
    1 Posts
    510 Views
    No one has replied
  • Diffie Hellman group erorr phase 1

    20
    0 Votes
    20 Posts
    4k Views
    E
    LOL Pfsense does funny things.
  • Mobile VPN for android/ios

    2
    0 Votes
    2 Posts
    728 Views
    E
    LOL, I don't know what it was, but I recreated it and connected just fine. I can browse the internet and access remote local data. Perfect. It's knocking out a VPN, gotta see why this is happening.
  • No XAuth secret found

    5
    0 Votes
    5 Posts
    2k Views
    E
    I just tried this, not working lol :(
  • Trying to hook up Sophos XG to PFSense via ipsec, need help.

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD
    I have a sophos utm VM in my lab. IPsec between it and pfSense work fine.
  • Squid is blocking access through IPsec tunnel between 2 firewalls

    1
    0 Votes
    1 Posts
    425 Views
    No one has replied
  • Multiple Mobile Users with subnets?

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • [SOLVED]Could not authenticate with XAuth secrets

    2
    0 Votes
    2 Posts
    2k Views
    R
    I'm now able to create a tunnel between my pfSense, Macs and iPhone with iOS 10. Thanks to https://blog.andregasser.net/en/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/ I'm still not able to access the network behind the firewall. If I cannot find any answer with the search engine, I'm going to create a new subject.
  • [SOLVED]Couldn't find the proper pskey - Iphone And IPSec

    3
    0 Votes
    3 Posts
    1k Views
    R
    Hi, thx for this reply. Unfortunately I changed the lifetime P1 and P2 to the values you suggested, but I've the same message. The Auto Update is in process. Let's see …
  • How can I set up IKEv2 interfaces?

    1
    0 Votes
    1 Posts
    465 Views
    No one has replied
  • AWS IPSEC VPN with BGP, both need to be restarted every 24 hours.

    6
    0 Votes
    6 Posts
    2k Views
    B
    Ok, but I seem to not be able to have QuaggaOSPF and OpenBGP installed, and I am not able to tear down our OpenBGP configuration and move to Quagga without taking serious down time.
  • LAN routing after subnet change

    2
    0 Votes
    2 Posts
    492 Views
    J
    Not sure why but the config change was never picked up even after restarting the service. Rebooted the firewall and it's now sending the clients the right subnet so probably something is cached and not reloaded on restart.
  • 0 Votes
    1 Posts
    458 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.