Yes but the type of encryption can easily be tested after configuration in general and otherwise the article is up to date (and still working). But yes the article could be upgraded in respect of encryption.

I guess I got it -> it was a problem with the package HA-proxy. After uninstalling it, I don't have those effects.

Thanks.

The FTP is already in passive mode. But before the migration, they have any problem to transfer files with FTP via IPSEC and i am wondering where is the issue and if a new thing is here with this new version.

The raw output of 'ipsec statusall' would be helpful.

Thank you!

OK, so if I specify a Group Name in iOS, the request becomes aggressive.  It still fails at: May 10 12:06:15 charon: 06[IKE] <15> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode May 10 12:06:15 charon: 06[CFG] <15> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX…70.196.XXX.XXX[VPN] From VPN: IPsec: Edit Phase 1: Mobile Client - Phase 1 Proposal: Authentication method - Mutual PSK & Xauth Negotiation mode - Aggressive My Identifier - My IP Address Peer Identifier - Distinguished Name - VPN Pre-Shared Key - XXX What am I missing?

I think I figured it out…..very stupid, of course. It seems that if I ping the remote LAN subnet, the tunnel will come back up by itself. I suppose I could set the auto ping IP to the remote LAN IP and that should keep it up. I unfortunately don't have control over the other end (and the admin's that do are very incompetent) so I can't change to IKEv2 on the remote end. Would enabling 'Make before Break' have any effect?

Were you able to find a command to enable/disable IPsec tunnels from the CLI? I would also like to know if there is a way to do this, because I would like to implement an IPsec multi-WAN failover.

That won't work.  I need to be able to set up pfsense as a client but using the ipsec instead of openvpn settings.

PFS keygroup 2 (1024bit) is rumored to be possible to break with NSA like budget. The PFS keygroup 5 should be fine as of now, higher PFS groups get really slow. For the symetric ciphers like 3DES and AES128 there is no real world break known, but as AES128 should be faster than 3DES you should use AES. The hash does not matter as it is used for integrity check to my knowledge, at least if you are not using preshared key which you should not do. Regards Andreas

No, unfortunately. Bought an ERLite-3 instead, lived with ~250 Mbps for a bit, and then decided that VPN is not worth all this trouble.

Hi ! Have you solved it ? Reading your post I remembered I had problems with ShrewSoft client. What fixed it for me was the setting NAT Traversal: Force  ( in mobile clients / advanced ) LP, Miro

Never mind I am blind haha ;D