• IKEv2 and Active Directory

    20
    0 Votes
    20 Posts
    14k Views
    I
    @lctech Allowing to select multiple servers for your use case (load balancing, high availability) could be easily implemented because strongSwan can do that already. I opted against allowing multi-selection in April because in my understanding multiple defined servers would mean asking each of them in turn, which is what the xauth-generic script does. So the selection there would have been ambiguous.
  • VPN multi client to site IPsec

    1
    0 Votes
    1 Posts
    882 Views
    No one has replied
  • Loss of traffic on IPsec tunneling

    2
    0 Votes
    2 Posts
    856 Views
    C
    Not that I've seen or heard of. Check status on both sides, including the SPIs under Status>IPsec, SAD tab, which should match. Make sure you have DPD enabled on both sides. Beyond that, would need IPsec logs from both sides a bit before and after it stops working.
  • So now, with 2.2.5…does L2TP/IPSec work?

    3
    0 Votes
    3 Posts
    842 Views
    jimpJ
    Guide is on the wiki linked already. It works in some cases, not in others, all depends on the client. No better or worse on 2.2.5 than other 2.2.x releases. Some clients are OK, others (Like Windows behind) are not. IKEv2 is the best way forward. Ignore L2TP/IPsec if at all possible.
  • Route specific traffic only though ipsec?

    2
    0 Votes
    2 Posts
    906 Views
    jimpJ
    Unfortunately that isn't possible with policy-based IPsec. It will grab anything and everything that matches the Phase 2 network(s), and will only accept traffic that matches the Phase 2 network(s). If we ever gain route-based IPsec (which we may, eventually, lots of us would like to see it) then it would be possible if both sides can do it.
  • Alix unstable under IPSEC Load on PFSense 2.2.5

    6
    0 Votes
    6 Posts
    1k Views
    D
    I cannot see what suggestions exactly you expect. There have been shitloads of complaints about strongswan since 2.2 release. If you want a stable VPN, ditch this IPsec thing. Waste of time. (And, if throughput is your concern, then sorry to say but Alix is NOT a fit for purpose device in the first place. As noted above, with AES128 and cryptodev, the difference is absolutely marginal. If it was "pretty big" then you need to configure OpenVPN properly.)
  • Tunnel not stable

    2
    0 Votes
    2 Posts
    1k Views
    D
    I may have found my problem…looking like apinger and the draytek router. I'll report back if no avail. Cheers
  • 2.2.5: IPsec Mobile Client .. Ping Client From Network

    1
    0 Votes
    1 Posts
    624 Views
    No one has replied
  • Hub and Spoke help

    4
    0 Votes
    4 Posts
    1k Views
    K
    Nothing was wrong - it works! Menu: Status - IPSec: Disconnect/Reconnect have to be used! Uwe
  • [solved] Mobile stopped working after modem upgrade

    5
    0 Votes
    5 Posts
    1k Views
    C
    Thanks for the follow up. The ones that were working had to have been initiators rather than responders in that case, as your modem likely was only blocking inbound, not outbound, traffic.
  • Receive buffer too small, packet discarded. Can I edit strongswan.conf?

    3
    0 Votes
    3 Posts
    2k Views
    C
    @David_W: If possible, I would try to edit the configuration to reduce the maximum packet size needed. Indeed, ipfire is almost certainly doing something wrong, or has a poor config, where it's sending 10000+ bytes there. What David noted will work around the issue, and we ought to have that available as a tunable value. But you should really figure out why that's happening and fix the config on the ipfire side.
  • 0 Votes
    2 Posts
    731 Views
    M
    Upon looking at this further, I can see that the phase two entry I set up is not coming up as the rest of the tunnels are. I have verified, by turning on logging on the pass rule on the LAN interface, that my traffic is hitting the pfSense box and that the traffic is being passed. What I can't find a way to see is where that traffic goes. Why doesn't the phase two entry come up after matching that traffic? I am digging into the IPsec logs, but it's difficult to read. There are a few tunnels working already, so there is a bunch of stuff in there.
  • Trouble routing traffic for OS X 10.11 IKEv2 client

    1
    0 Votes
    1 Posts
    636 Views
    No one has replied
  • [solved]Double Tunnels between one multiwan site and one singlewan site

    2
    0 Votes
    2 Posts
    752 Views
    E
    problem solved… I have a misconfig @ Virtual IP.... silly me...
  • Route OPENVPN through IPSEC Encryption domain

    Locked
    2
    0 Votes
    2 Posts
    988 Views
    G
    Think I found the problem. Adding a secondary phase 2 with the OPENVPN range and then setting the NAT/BINAT option to 172.16.246.9/32 seems to have fixed it. If anyone else have the same problem
  • IPSec shown as connection established … but isn't anymore

    5
    0 Votes
    5 Posts
    1k Views
    E
    @almabes: I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out. Do you have any perceptions to that issue meanwhile?
  • VPN PF Sense with PF Sense - Protocol IPsec

    3
    0 Votes
    3 Posts
    939 Views
    P
    https://34643faf-a-9102fed9-s-sites.googlegroups.com/a/bstecnologia.com.br/imagens/arquivos-para-upload/IMG_20151111_161030415.jpg?attachauth=ANoY7cqQDnOTgXRFUmN2UC-2mao86pTqi0Ae5ZYXInu5meFlPh8zVWkCT6Saqj2uQscr7ca0f_9–-seko4TsW78xlRGvfDJ2_6P-mMf9TFz2YO2h-ZqHfuS4_UGMopsHlg-l3d5htDCOa7lwdX9pPE9zTAzsfT54XvR8W2ctQyMRB5Ie5fPcRSxqnt8R603Zhauc-8D6IfsgDZ-_-yVx29Pz_6k5XvY-F8wTONU4Fr84sPNqHt_Jue9Kt1LI-zVmbTBfFRvLoq9&attredirects=0 https://34643faf-a-9102fed9-s-sites.googlegroups.com/a/bstecnologia.com.br/imagens/arquivos-para-upload/IPSec1.PNG?attachauth=ANoY7coJDONBEW1E4NYBDbRP3AM5JqfSUbG_HgwzVIks3_hyBzHXh3LNBlGXhRedymedl31Ec3dkWxp-7Qsazuz6p61eXronNImNiTuD9kHgRH7mBkK1MIKFs9gghnGOvik7x0or3HmgGxkJ0bCvz5Wjjs4JG0lHFoHqApM9jTPc58w92Kknw3ol91qCoNvE712BtD0hz05arJ7SGE5snlISFPT_bqQ9jANpFl2pGnx5wA4xoUQgA3Q%3D&attredirects=0 Try again. Please
  • PfSense 2.2.4 IPSec RoadWarrior VPN Setup HELP!

    5
    0 Votes
    5 Posts
    3k Views
    R
    Are you using a fixed IP? Because I updated to 2.2.4 and roadwarrior stopped working. I use dynamic DNS and changed the name conf to IP address. ex: (my identifier): dynamic dns: myfirewall.anydns.org - change to: my identifier: ipaddress: (no need for anything here). In the client put the dynamic DNS. Works for me!
  • IPSEC Logging

    2
    0 Votes
    2 Posts
    9k Views
    P
    I've now upgraded to 2.2.5 and the IPSEC logging seems to work slightly differently. To stop all of the DPD traffic logging I've had to set the following Logging Levels in IPSEC Advanced settings to Audit from the default of Control: IPSEC SA Networking Message Encoding Also, the settings are now preserved between re-boots. Is there any way to get the IPSEC logging to show [P1 Description] (like pre 2.2) as this would make reading the log a lot easier? Regards Peter
  • IKEV2 connect problem.

    2
    0 Votes
    2 Posts
    822 Views
    A
    I have solved it. I changed phase2 of local network to 0.0.0.0/0
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.