• Reinstalled pfSense - Failed to attach to key daemon
    0 Votes, 4 Posts, 3k Views
    Finally got it to work. The trick was to set 'Local Network' in the Phase 2 settings to 'Network', Address 0.0.0.0/0. I think the dropdown portion of this setting changed since 2.1.x. Traffic is now forced through the tunnel. Still no banner, but that's a detail.
• IPSec + NAT unable to ping servers.
    0 Votes, 10 Posts, 1k Views
    Derelict: Glad to help. That should give you at least something to show the other side.
• Traffic in an IPSEC tunnel affects the rest of the VPN
    0 Votes, 1 Post, 393 Views
    No one has replied
• VPN Connected - no route to host
    0 Votes, 2 Posts, 1k Views
    Did you allow ICMP in the IPSec FW rule?
• SIP telephones do not register
    0 Votes, 2 Posts, 584 Views
    Try to enable "Disable Firewall Scrub" in System > Advanced > Firewall & NAT
• Ipsec config info
    0 Votes, 3 Posts, 831 Views
    Many, many thanks for your reply :) ;)
• [SOLVED] v2.3.4 IPSEC tunnels slow to get started
    0 Votes, 1 Post, 623 Views
    No one has replied
• Can't establish VPN tunnel between PFSense & Sonicwall (06.08.17 it works!)
    0 Votes, 25 Posts, 7k Views
    Derelict: Use DNS.
• Charon.core filling file system
    0 Votes, 5 Posts, 1k Views
    That is great, thanks for the help
• Client IPSEC ???
    0 Votes, 5 Posts, 1k Views
    Now I am using IPsec with Android 6 (Samsung), but with IKEv1, not IKEv2; with the older version it does not work.
• Route to IPSec Tunnels
    0 Votes, 2 Posts, 660 Views
    jimp: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
• Mobile clients (roadwarriors) IKEv2 PSK reauthentication issue
    0 Votes, 1 Post, 535 Views
    No one has replied
• Connected VPN mobile clients stop working after ~15mins
    0 Votes, 2 Posts, 779 Views
    tl;dr - I misread the guide. Hope this helps someone else. This is what I think is relevant from the logs:

        Jun 5 13:47:04 charon 10[ENC] <con1|364> generating CREATE_CHILD_SA response 29 [ N(NO_PROP) ]
        Jun 5 13:47:04 charon 10[IKE] <con1|364> failed to establish CHILD_SA, keeping IKE_SA
        Jun 5 13:47:04 charon 10[IKE] <con1|364> no acceptable proposal found
        Jun 5 13:47:04 charon 10[CFG] <con1|364> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
        Jun 5 13:47:04 charon 10[CFG] <con1|364> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
        Jun 5 13:47:04 charon 10[ENC] <con1|364> parsed CREATE_CHILD_SA request 29 [ SA No TSi TSr ]

    Being new to this I took a guess that I'd configured MODP_1024 on pfSense but my phone didn't support this:

        pfSense: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
        Phone:   ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ

    I only had two values in my setup that looked like they were 1024 and realised I had read the guide wrong and enabled or left at default PFS. Disabling it seems to have resolved this.
• IPSec tunnel with public IPs, 1 for peer and 2 ED IPs. Can't set it up.
    0 Votes, 1 Post, 488 Views
    No one has replied
• IPsec traffic over multiple tunnels
    0 Votes, 4 Posts, 1k Views
    Yes, that looks right. Also remember to add firewall rules allowing the traffic over the IPSEC link. Using tunnel mode on IPSEC will do the routing between the pfSense boxes. You will just have to push the routes to the clients. I haven't dealt with mobile clients and IPSEC in a few years, but I would guess if you try passing the /16 for routing it would work now. Then, thinking about it for a bit: you will also want to check the Phase 2 of the VPN connection to the mobile clients so that the Local network represents all of your sites, so you might have to change that to a /16 as well.
• IPsec return packets from internet not routing back to VPN tunnel
    0 Votes, 7 Posts, 3k Views
    We have a similar issue trying to NAT incoming traffic from an AWS IPSec VPN static tunnel out a WAN connection (see attached image and more details below). We even used the AWS VPC VPN Wizard that comes with the paid version of pfSense. We even worked with pfSense support (Netgate), but they couldn't resolve this issue for us. I think there may be an issue with BSD NATing traffic from IPSec with the way that AWS VPC VPN. AWS changed their IPSec VPC VPN connection settings last year, and we started to get drop-outs due to more than one Phase 2 entry or SA. We removed our Phase 2 SAs and got the tunnels working using routing on the AWS -> VPC -> VPN Connection -> "Static Routes". This fixed things for a bit. Recently AWS changed their IPSec VPC VPN connection settings again, and this caused us some real problems with pfSense. We found strange traffic when capturing packets from pfSense, or capturing packets from a device outside the WAN interface of our pfSense box. We were seeing replies to AWS IPSec NATed traffic, coming back from the Internet, that were addressed to the WAN address AND the private non-NATed IP address of the AWS system. This meant that pfSense was somehow mangling the packet and sending the private IP address out the WAN. Netgate claimed it was the fault of the system on the Internet trying to communicate with the AWS private IP. There would be no other way for the Internet system to know the private IP of the AWS system. It seems pfSense is unable to properly NAT traffic coming from an AWS VPC static IPsec tunnel. ![2016-05-11 NATting AWS IPSec traffic out WAN.jpg](/public/imported_attachments/1/2016-05-11 NATting AWS IPSec traffic out WAN.jpg)
• IPSEC over GRE tunnel
    0 Votes, 2 Posts, 1k Views
    Bump. Any ideas? What can the devs say?
• Cannot see one device in WAN to WAN connected network
    0 Votes, 1 Post, 591 Views
    No one has replied
• Start IpSec via Command Line
    0 Votes, 3 Posts, 7k Views
    I found the way: /usr/local/sbin/ipsec up <connection name>, and the connection name I can take from this file: /var/etc/ipsec/ipsec.conf, which is automatically generated. Problem now is that after creating a new IpSec tunnel via Command Line, the ipsec.conf file is NOT getting updated and I cannot start my IpSec tunnel from a command. Thoughts? I already tried with these commands: /usr/local/sbin/ipsec update and /usr/local/sbin/ipsec reload
• Traffic from pfsense device not passed over ipsec tunnel
    0 Votes, 3 Posts, 721 Views
    Thanks, that explains it!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.