• IPsec connection established, no traffic

    4
    0 Votes
    4 Posts
    1k Views
    X
    Ok, with the help of some experts we got it working. If your ipsec gives you a local network that is not your local network, create a virtual ip that is that subnet. Then add a secondary ip in that network on your local computer. Add a static route on the computer. And it's up.  ;D
  • IPSEC VPN on single interface?

    2
    0 Votes
    2 Posts
    3k Views
    C
    You can't do LAN and WAN with one interface like that, but you can do what you're describing with only WAN, no need for two interfaces.
  • IPSEC Net2Net Aggressive not working after reboot

    2
    0 Votes
    2 Posts
    667 Views
    jimpJ
    Probably because it's getting a state leaving WAN before the VPN is up. Waiting allows the state to clear. Add a floating rule to REJECT outbound on WAN for any destination matching your remote VPN subnet(s). That will stop the leakage.
  • IPSEC is UP but no internet

    3
    0 Votes
    3 Posts
    839 Views
    J
    @kapara: what about under IPSEC status?  Do you have any Child SAs? Or is only P1 connected? Thank you for your answer. IPSEC Status is fine and services are running fine. No child SAs. Yes, only one P1 connected right now. Thank you
  • IPSec for Mobile Clients not working 2.3_1

    22
    0 Votes
    22 Posts
    5k Views
    K
    ok thanks.  I am struggling to find a clear tutorial for this on 2.3.
  • More IPSEC woes…. Horrible performance

    6
    0 Votes
    6 Posts
    1k Views
    K
    I am going to try changing the MTU to 1400 tonight. What is interesting is when I switched to 3des/sha1 from AES on the APU I was able to pass 3-4 mbit on windows file transfers compared to maximum 1.5 on AES 128/Sha1
  • [SOLVED] How to restart ipsec service from command line

    19
    0 Votes
    19 Posts
    37k Views
    K
    With the new version 2.3 are we able to take advantage of all the strongswan commands? I am running 2.2.6 and I lost all connectivity to the GUI during setup of a VPN.  Since I cannot reboot (Business Hours) I wanted to check the status of the VPN's and I was able to run from shell:  ipsec status and was able to get details on all configured tunnels. https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand Can we use this to restart the ipsec or is that not recommended?
  • IPSEC EAP-MSCHAPv2 Firewall Rules

    3
    0 Votes
    3 Posts
    827 Views
    N
    @cmb: That's handled automatically. Well, that is good, but for those that come from other firewall systems, it is really an abnormality.  It would be better for the system-assigned rules to be shown grayed out or even in a different color and not editable.  Thanks.
  • IPSEC VPN with Draytek Router

    3
    0 Votes
    3 Posts
    3k Views
    U
    I think I have found the issue. By default, in IPSEC / Advanced Settings, the option Configure Unique IDs as is set to yes. Changed this to no and restarted the VPN and now traffic is working again. Previously, with Configure Unique IDs as set to yes, the only way to get traffic flowing again would be to reboot the pfSense box.
  • Major performance issues ipsec 2.1.5 to 2.3.1 Help if possible????

    6
    0 Votes
    6 Posts
    3k Views
    K
    I just updated my NTP settings.  Disabled time sync in the VM (pfsense 2.3) and rebooted
  • [Solved/Patch] pfSense (dest) -> FritzBox -> Internet <- FritzBox (src)

    2
    0 Votes
    2 Posts
    1k Views
    H
    little update… did some modifications /etc/inc/vpn.inc 1042 if (count($rightsourceips)) { 1043 $rightsourceip = "\trightsourceip = " . implode(',', $rightsourceips) . "\n"; 1044 } 1045 } + + if (isset($ph1ent['avmvirtualip'])) { + $rightsourceip = "\trightsourceip = {$ph1ent['avmvirtualip']}\n"; + } 1046  1047 if (!empty($ph1ent['caref'])) { 1048 $ca = lookup_ca($ph1ent['caref']); 1049 if ($ca) { /conf/config.xml (somewhere in phase1) <avmvirtualip>123.123.123.123</avmvirtualip> (of course, "avmvirtualip" can be replaced with anything) I think, this should be an input field in phase 1 of IPsec. Something like "Force virtualip for remote"… If devs agree, I could write a little patch to include it. Perhaps an advanced text input for more individual configs? For me, this just needs to work the next 2 weeks. But it might be helpful to others?
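    Review bot: in the added `isset($ph1ent['avmvirtualip'])` branch, the value read from config.xml is interpolated straight into the `rightsourceip` line with no validation, so an empty tag or a value containing a newline would write a blank or malformed entry into the generated configuration. Check that the value is non-empty and parses as an IP address or subnet before emitting it. The branch also silently overwrites the `$rightsourceip` built from `$rightsourceips` just above; a short comment stating that the override is intentional, or an explicit `else`, would make the precedence clear.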
  • IKEv2 Mobile with Windows 7 (No Route)

    3
    0 Votes
    3 Posts
    2k Views
    K
    Time to upgrade all users to Windows 10 :-)  works great on there with the powershell command!
  • Problems IPsec Pre-Shared Key (2.3.1)

    2
    0 Votes
    2 Posts
    827 Views
    jimpJ
    No changes I'm aware of in that area. Can you try some other variations of your "complex" key? Perhaps it's just one certain type of symbol in it that does not work?
  • IKEv MSCHAP - VPN Problem

    2
    0 Votes
    2 Posts
    2k Views
    S
    Just changed the IP Range to different network and it's working :) (192.168.2.0/24)
  • Ipsec fortigate - pfsense responder only

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ikev2 on Windows Phone 8.1 Help

    15
    0 Votes
    15 Posts
    8k Views
    M
    Thanks for sharing. That would figure as I do have VPN working on my Lumia 930 and that's configured using MDM and going through a Windows Server as the VPN server. Configuring it manually for pfSense lets it connect, but no data flows through. I'll provide feedback on this issue through the insider hub as the product group does read that stuff. -edit- Giving it another thought though, how can it be that if the UI was broken, it does connect? I don't see the connection between a broken UI and it connecting, but not sending data through. Sounds more like pfSense and Windows 10 Phone not cooperating well in sharing network config. Nevertheless will share in Windows Feedback App.
  • Pfsense 2.3.1 p5 Draytek 2960 Ipsec keeps dropping and connecting

    1
    0 Votes
    1 Posts
    557 Views
    No one has replied
  • [RESOLVED] No return traffic, but other end is sending.

    3
    0 Votes
    3 Posts
    1k Views
    J
    Looks like you were right. They did something, probably finally enabled 1:1 NAT, and now it magically works. Thanks
  • [Solved] Can't access pfsense https over IPSec

    4
    0 Votes
    4 Posts
    2k Views
    M
    @julianbros: Is it only the pfSense http/https service which is broken? Can you confirm by calling other urls from different sites? I had the same problem which was solved by enabling MSS clamping on VPN traffic. MSS clamping has solved it for the complete network, thank you!
  • Help Please: Phase 2 Tunnels are down

    7
    0 Votes
    7 Posts
    2k Views
    F
    Thanks a lot then. This solves my problem.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.