• IPSec with Commercial Certificates

    9
    0 Votes
    9 Posts
    2k Views
    C
    EV wouldn't be any different in that regard.
  • IPSec becomes unstable after some days

    2
    0 Votes
    2 Posts
    886 Views
    awebsterA
    As you said, not much to go on… Check the IPSEC Phase 2 lifetime.  They must match on both ends. Beware that not all vendors describe the lifetime in the same units (seconds, minutes or hours), so be sure that you are comparing apples to apples. The phase2 lifetime can also be specified in amount of data transferred.  Again, they must match, but don't use time and amount lifetimes at the same time, that gets confusing.
  • Cant browse using Always-On VPN on iOS device

    4
    0 Votes
    4 Posts
    1k Views
    E
    @cmb: Where local subnet is "LAN", it only allows to the LAN subnet. Set that to 0.0.0.0/0 instead to send all traffic across the VPN. Thank you very much, that resolved the problem. It totally makes sense too, can't believe I didn't notice that.
  • L2TP/IPsec VPN not responding to client?

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Did you read the warning at https://doc.pfsense.org/index.php/L2TP/IPsec ? Drop L2TP/IPsec and go for IKEv2 https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
  • Login issue with IPsec IKEv2 using Active Directory Authentication

    2
    0 Votes
    2 Posts
    996 Views
    L
    You cannot do what you're trying to do: https://forum.pfsense.org/index.php?topic=90753.msg504731#msg504731 Install and setup NPS/IAS on your AD server. Add it as a RADIUS server to pfSense. Then use EAP-Radius for authentication.
  • 1:1 NAT within Hub and Spoke IPsec VPN setup

    1
    0 Votes
    1 Posts
    700 Views
    No one has replied
  • IPsec to Fortinet stops working after some time

    8
    0 Votes
    8 Posts
    4k Views
    W
    @cmb: Does the a.a.a.a/24 and b.b.b.b/24 match what you would expect? It should only generate that response if those subnets don't match the config. It matches perfectly, also in the log fragment it actually fails. I just can't understand why it works fine for hours with multiple phase2 rekeyings gone well and then all of a sudden it should not match anymore? Can both sites initiate a phase2 rekey? From what I have seen now it's always strongswan rejecting the Fortinet TS after a while, but initially the connection works fine initiated from both sites. For one connection I ended up with a phase1 lifetime of 28800 and a phase2 lifetime of 86400. In that case a rekey of phase2 should never happen. So far it seems stable, but only one day has passed so far.
  • IPSec Logs not Friendly in 2.2.5

    3
    0 Votes
    3 Posts
    914 Views
    C
    The connections are identified by the conXX entry in the log line. Can match that up via 'ipsec statusall' output or checking /var/etc/ipsec/ipsec.conf if you aren't sure what's what. The bulk of the logs are the same things expressed somewhat differently given it's a different keying daemon, but nothing difficult to grasp if you understand IPsec (which was a requirement for racoon's logs in 2.1x and earlier anyway). We'll probably bring back the connection description in the GUI log display at some point, but it's not a major usability hindrance.
  • L2TP/IPsec with Windows Embedded Handheld 6.5 Pro

    1
    0 Votes
    1 Posts
    942 Views
    No one has replied
  • StrongSwan IKEv2 EAP-TLS VPN to Android

    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Pfsense 2.1.5, when phase 1 drops, phase 2 does NOT

    1
    0 Votes
    1 Posts
    637 Views
    No one has replied
  • IPSec between version 2.1.2 and version 2.2.5

    6
    0 Votes
    6 Posts
    2k Views
    W
    FIXED: Thanks for the replies. I can confirm that the reason was due to the fact that our key had a space character at the end. This page is very helpful: https://doc.pfsense.org/index.php/IPsec_Troubleshooting
  • 0 Votes
    19 Posts
    6k Views
    B
    I know how automatic rules turn into manual ones. My question is what created the automatic rules in the first place (IOW, what's their root cause?), in particular since they only appeared at one site, without a difference between the sites that could explain them (to me).
  • Help with IPSEC not connecting

    12
    0 Votes
    12 Posts
    8k Views
    D
    Yeah, I've double checked all of that, the client doesn't want to upgrade yet because he is afraid of it causing issues.  But I think that may be the only choice.
  • PfSense 2.2.5 <-> Server 2008 R2 RRAS

    1
    0 Votes
    1 Posts
    999 Views
    No one has replied
  • Shrewsoft Mobile IPSec Client Acting Up

    6
    0 Votes
    6 Posts
    1k Views
    D
    @jimp: I don't have the link handy but someone else here on the forum posted that they were able to get the powershell command to work to allow for split tunneling. That may have been on Windows 8, though, I'm not sure if it also works on 7. It's worth a shot though. The PowerShell commands are only for Windows 8/10. No luck on 7. It seems the only way this can work with Windows 7 is: Route all traffic over tunnel (Use Default Gateway on Remote Network selected on Windows 7 client); Add Routes manually when connected to VPN Client
  • IPSEC Site-to-Site show me connected but I can't access

    7
    0 Votes
    7 Posts
    1k Views
    R
    So in my case doesn't show me any relevant information :(
  • IKEv2 MSCHAPv2 and Windows 10 client - not traffic goes through

    4
    0 Votes
    4 Posts
    5k Views
    P
    And importantly…add firewall rules... [image: 13_Screenshot_at_Dec_04_08_22_25.jpg]
  • IPsec with OS X 10.10.5 and PFSense 2.2.5

    5
    0 Votes
    5 Posts
    2k Views
    P
    I use Shrewsoft on 10.11.1 because I also use Windows 10, which allowed me to standardize my firewall settings and client configurations for both platforms.  Here's the 10.11.1 guide I used as late as 12/02/2015 - http://nubisnovem.com/el-capitan-solution-mac-os-x-10-11-and-shrew-soft-vpn-client/ I added my configurations for Firewall and Client via screenshots here - https://forum.pfsense.org/index.php?topic=102825.0  - this works and is used for both Windows 7-10 and latest Mac OS X
  • Ipsec not comming up

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.