Will be going back to the drawing board. Looking at having the following VirtualBox VMs running on a single PC (via a single NIC): VPN Server 1 - Bridged Networking interface, Internal Network interface (site1) VPN Client 1 - Internal Network interface (site1) VPN Server 2 - Bridged Networking interface, Internal Network interface (site2) VPN Client 2 - Internal Network interface (site2)

I have a new status here: For some reason, the ipsec connection is now established via the backup link. In general, that is exactly what I want - but it seems that there is no return to the primary gateway. Both gateways are online now, but ipsec connection still established via the backup link. It would be really helpful if someone could explain the behaviour of pfsense in details, I guess I have not enough informations to understand that behaviour correctly. BR, Nils

BlueKobold thanks for the reply i would rather use the built in VPN that comes with windows, I was considering openvpn but because i would need to download the client i went to IPsec. I just ended up doing L2TP without IPsec. Im going to wait until its more stable. I could not find the 2.2.5 but as cmb stated it should work on 2.2.4 which is very odd because it shows that the client connects to IPsec but on ios cannot navigate but able to ping google (maybe a dns issue) then on windows cannot connect to L2TP but IPsec shows connected which was behind NAT but without NAT works but cannot navigate, so long story short im not sure how people have it working or they maybe use the shrewsoft vpn client or most of the people use OPENVPN. Thanks again

https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Send_Errors

Bummer. That would be a useful feature for me.

The issues people have with Squid are generally it not starting because of PBI problems. If it runs, you're not having the same issue. kern.ipc.nmbufs is different from nmbclusters. You might need to bump kern.ipc.nmbufs separately in that case. Run 'sysctl kern.ipc.nmbufs', what's that set to?

If that's the case then it's definitely not the same problem and you should start a new thread, and try to capture the panic message/backtrace if possible.

Nothing?

Hi, nice to hear that you have to do it, please give a feedback how it works. ;D regards max

Hi, problem found. There is Carp running and when a LAN conenction is dropped there was a failover from carp instead of the second line. On the second host the IPsec was not configured completly best regards Thomas

I can recall not being able to access the webinterface of some TPLink (cheap) APs over an IPSec VPN once, the problem turned to be related to the MTU size. Had to play around with the MSS clamping value to get it to work. If this is the case, Wireshark captures would help a lot your troubleshooting

Thank you! If a diff is made available, I'll gladly test it and report back :)

Edit: This was just a figment of netcat. Happens locally too. ~~One more hint: What are these Xs? 192.168.37.2# nc -l -p 1234 -uvvv listening on [any] 1234 ... 192.168.40.2: inverse host lookup failed: Unknown host connect to [192.168.37.2] from (UNKNOWN) [192.168.40.2] 49339 XXXXXhello ^C sent 0, rcvd 11 192.168.40.2# echo hello | nc 192.168.37.2 1234 -u -vvv Connection to 192.168.37.2 1234 port [udp/*] succeeded! ^C ```~~

I would give the whole idea a second/third/fourth/fifth thought… Benefits with current state of IPSec in pfSense (and strongswan in general) are about zero (and you must be doing something seriously wrong to have similar issues with OpenVPN in the first place.) Not to mention the royal PITA with configuration.

@uk26: it appears PFsense is not able to route IPsec to additional interfaces (OP1) Of course you can, tens of thousands of people's networks including our own wouldn't work if that were true. There is some other difference between what you had and what you have now.

I can't believe all of the options available. It is ridiculous. Guidance seems minimal as well. If we need all of the options then great! Create recipes of known good configurations. Otherwise learning curve is like pole-vaulting a football field. This resource has pictures! Steve Friedl's Unixwiz.net Tech Tips An Illustrated Guide to IPsec http://www.unixwiz.net/techtips/iguide-ipsec.html Hmmm, For the German (Deutsch) speakers out there. I think I lost something in google translate. http://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html