• IPSEC v2 with WAN Web Access

    0 Votes
    1 Posts
    613 Views
    No one has replied
  • AES NI acceleration for AES-CBC with SHA-1 SHA-xx

    0 Votes
    4 Posts
    1k Views
    The combo isn't a problem; it just can't be accelerated to the extent that AES-GCM can be. Refusing AES-CBC with SHA isn't a solution to that.
  • IPSec between PF Sense and Mikrotik Router OS

    0 Votes
    2 Posts
    3k Views
    GOT IT, the problem was in front of my eyes on the Mikrotik. Under IP > IPsec, on the Policies tab, the Action tab of my policy had the default proposal instead of the proposal that I configured. Changed it, and now everything is perfect again :D :D :D
  • 2.3.1_1 to Juniper

    0 Votes
    2 Posts
    873 Views
    Apart from the bug with 2.3 and IPSEC + OpenBGP, my tunnels all work fine with Juniper. I terminate them on MX routers (using MS-MIC-16G). What is the config you are using on both ends?
  • No outbound traffic after upgrading 2.2 -> 2.3

    0 Votes
    5 Posts
    2k Views
    I was setting up my first VPN today with pfSense 2.3 and had a similar problem (I could access any machine on the LAN, but I couldn't route anything to the Internet). I turned on the Unity plug-in and things appeared to be working on the client; however, I suspect they weren't working correctly. If you look at Status->IPsec and then "show child SA entries", on the right side you will see Bytes-In and Bytes-Out. When I turned on the Unity plug-in, Bytes-Out was zero as long as I tried to access anything on the Internet. It only increased when I accessed a machine on the LAN. My guess is the Unity plug-in directed the client to route Internet traffic locally instead of over the VPN. Since I'm a complete noob with IPsec I don't know that my conclusion is correct at all. However, I'm guessing something wasn't right…

    After playing around and trying a lot of different settings I found a setting that seems to work, but I don't know what it's really doing (I saw this in someone else's configuration). In the Phase 2 settings there is an option for "Local Network". If I set this to "Network" of 0.0.0.0/0 the VPN appears to work, and Bytes-Out increments on the Status page (after turning off the Unity plug-in). Again, I'm a complete noob with IPsec so I'm not sure what I did by setting the Local Network to 0.0.0.0/0. Could someone that understands this better explain?

    So far the only way the VPN appears to work (for me) is by either enabling the Unity plug-in or by setting the Local Network to 0.0.0.0/0. I'm not sure which is better, or if I should turn off both options and keep looking at other settings.
  • Ipsec initiator only?

    0 Votes
    1 Posts
    633 Views
    No one has replied
  • IPSEC problem MSS clamping [Solved]

    0 Votes
    4 Posts
    2k Views
    @jimp: "Where exactly is 10.64.224.177 defined? In an IPsec Phase 2 entry?"
    Yes, in a Phase 2 entry in IPsec.
  • 0 Votes
    8 Posts
    5k Views
    Just wanted to circle back on this issue. I've since upgraded to pfSense 2.3.1 on the same hardware config. I've tried switching to the SHA-256 hash option for my Phase 2 and can now say that it works. I'm not sure what in particular has changed in strongSwan between 2.2.6 and 2.3.1 that is allowing it to now work, but it does.
  • Port forwarding over IPsec?

    0 Votes
    1 Posts
    754 Views
    No one has replied
  • LDAP authentication for IPSec?

    0 Votes
    4 Posts
    2k Views
    @shpokas: "found 2 matching configs, but none allows XAuthInitPSK authentication"
    From my experience this means that there could be a problem with the peer identifiers. strongSwan is very strict about identifiers. Stefan
  • [SOLVED] IPsec no incoming traffic

    0 Votes
    2 Posts
    1k Views
    Ok, after hours on end I found the problem: SHA256 in P2 doesn't work. As soon as I changed it to SHA1 (or MD5, but I will not use that!) everything started working perfectly. Can't test SHA384/512 because the client doesn't support these. The phenomenon was: netstat -sp esp showed all "packets dropped; bad ilen". Hope this helps, but it would be interesting to find out why SHA256 is not working. Stefan
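    As an added illustration (not part of the thread above, and not pfSense or strongSwan code), the following Python models the receive-side length check in FreeBSD's ESP input path that feeds the "packets dropped; bad ilen" counter shown by netstat -sp esp on a pfSense box: after the ESP header, the IV and the ICV length the receiver expects are stripped, what remains must be a positive whole number of cipher blocks. One classic way to trip that check is two peers disagreeing on the HMAC-SHA-256 ICV length (the 96-bit truncation of the early draft, which strongSwan offers as sha256_96, versus the 128-bit truncation of RFC 4868); the thread does not confirm that this was the cause here. The packet bytes below are constructed, not captured, and the IV and ICV contents are placeholders.

```python
"""Model of FreeBSD's esp_input() length check behind 'packets dropped; bad ilen'.

Added example; not code from the thread, pfSense or strongSwan. The ESP packet is
constructed here with placeholder IV/ICV bytes, since only lengths matter for the check.
"""

ESP_HDR_LEN = 8            # SPI (4 bytes) + sequence number (4 bytes)
AES_BLOCK = 16             # AES-CBC block size; also the IV length
ICV_SHA256_RFC4868 = 16    # HMAC-SHA-256 truncated to 128 bits (RFC 4868)
ICV_SHA256_96 = 12         # HMAC-SHA-256 truncated to 96 bits (old draft, strongSwan sha256_96)
NEXT_HEADER_IPIP = 4       # tunnel mode: inner packet is IPv4


def build_esp(payload: bytes, icv_len: int, iv_len: int = AES_BLOCK) -> bytes:
    """Sender side: ESP header | IV | payload + padding + pad length + next header | ICV.

    The encrypted body is padded so its length is a multiple of the cipher block size,
    exactly as an AES-CBC sender must do (RFC 4303 section 2.4). Encryption itself is
    omitted because the receiver's length check runs before decryption.
    """
    trailer_fixed = 2  # pad length byte + next header byte
    pad_len = (-(len(payload) + trailer_fixed)) % AES_BLOCK
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default monotonic padding
    body = payload + padding + bytes([pad_len, NEXT_HEADER_IPIP])
    assert len(body) % AES_BLOCK == 0
    iv = b"\x11" * iv_len          # placeholder IV (constructed)
    icv = b"\xaa" * icv_len        # placeholder ICV (constructed)
    return b"\x00" * ESP_HDR_LEN + iv + body + icv


def esp_input_check(pkt: bytes, expected_icv_len: int, iv_len: int = AES_BLOCK) -> str:
    """Receiver side, mirroring esp_input(): strip header, IV and the ICV length *this*
    SA expects, then require the remainder to be a positive multiple of the block size.

    FreeBSD increments esps_badilen (printed as 'packets dropped; bad ilen') on failure.
    """
    hlen = ESP_HDR_LEN + iv_len
    if len(pkt) < hlen + expected_icv_len:
        return "bad ilen"
    plen = len(pkt) - hlen - expected_icv_len
    if plen <= 0 or plen % AES_BLOCK:
        return "bad ilen"
    return "ok"


def simulate(sender_icv_len: int, receiver_icv_len: int,
             payload: bytes = b"constructed inner IP packet") -> str:
    """Outcome when the sender appends one ICV length and the receiver expects another."""
    return esp_input_check(build_esp(payload, sender_icv_len), receiver_icv_len)


if __name__ == "__main__":
    cases = [
        ("both RFC 4868 (128-bit)", ICV_SHA256_RFC4868, ICV_SHA256_RFC4868),
        ("both sha256_96 (96-bit)", ICV_SHA256_96, ICV_SHA256_96),
        ("sender 96-bit, receiver 128-bit", ICV_SHA256_96, ICV_SHA256_RFC4868),
        ("sender 128-bit, receiver 96-bit", ICV_SHA256_RFC4868, ICV_SHA256_96),
    ]
    for label, s, r in cases:
        print(f"{label:36s} -> {simulate(s, r)}")
```

    Any 4-byte disagreement on the ICV length leaves a remainder that is not a multiple of 16, so every packet in that direction is dropped before the integrity check even runs, which matches a counter that climbs while the SA still reports as established. A matching SHA1 proposal (96-bit ICV on both sides) never hits this, which is one reason switching hashes can "fix" a tunnel.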
  • IPSec (road warrior) using vpnv4 as gateway iso standard gateway

    0 Votes
    1 Posts
    525 Views
    No one has replied
  • IKEv2 with NoIP DDNS

    0 Votes
    5 Posts
    2k Views
    I've managed to get this working, even though I'm not going to use it anymore. I don't really have a dynamic IP, but a failover situation, in which it might swap between two different static IPs. So, I'm using a previously existing, publicly trusted cert from my company. It has no IPs set as SAN (only a wildcard as DNS name), and it has client/server authentication in its EKU. I've done so many things to make it work that I might be forgetting something important, but I remember that importing the server cert into the "Computer -> Personal" folder (don't ask me why) was key to making it work. Probably there's a better way of doing this. One thing though: I've been doing preliminary tests by switching the IP resolution directly in my hosts file. Didn't get to the point of using DDNS.
  • Erratic IPSEC behavior ?

    0 Votes
    2 Posts
    635 Views
    Hi, I just wanted to add some more info about my config: the two pfSense servers were upgraded from version 2.2. When I got the connection "Established X seconds…" (but no traffic), I also had "Bytes-in" and "Packets-in" at 0 on one side (pfSense1) and "Bytes-out" and "Packets-out" at 0 on the other side (pfSense1), while there was data for the opposite packets-in/out. Thanks for your help, Hakim
  • IPSEC DRAYTEK

    0 Votes
    2 Posts
    927 Views
    I'm deeply sorry, but I can't understand a word you are saying. Could you please rewrite the post?
  • IPSEC Site-to-Site as Backup to Wireless Link(

    0 Votes
    2 Posts
    721 Views
    Also, I am hooking up to an EdgeRouter on the other side. It seems that EdgeOS supports VTI (Virtual Tunnel Interface) for IPsec. When will pfSense support "routed IPsec"? If it is routed, I believe we can treat links as gateways and do load balancing and failover, correct?
  • IPSec Mobile client internet access

    0 Votes
    4 Posts
    2k Views
    Sorry, thank you very much. More than two weekends looking for a solution. Thanks again.
  • IPSec - Mobile Clients - wrong subnet bug?

    0 Votes
    4 Posts
    1k Views
    Right, there is no connection from client to client. Anything other than a /32 would imply the host could talk to other hosts on that network directly, which isn't possible in any mobile IPsec context.
  • 2.3.1_1 IPSEC tunnel up, but IP Traffic between subnets is not working

    0 Votes
    8 Posts
    2k Views
    @moterpent: Probably not the problem, but I thought I would mention the following. I'm pretty sure this was fixed in 2.3.1, but some people who upgraded to 2.3 from 2.2 with IPsec configs had an issue where more than one instance of ipsec/strongSwan/charon was running. I had the problem. That's definitely fixed in 2.3.1 and newer. For those who hit that, it impacted new configs exactly the same as upgraded ones.
  • IPSEC unstable

    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.