• 0 Votes
    2 Posts
    2k Views
    C
    Setup instructions for Windows IKEv2: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
  • IPSec Site To Site Documentation For pfSense 2.2.4

    5
    0 Votes
    5 Posts
    1k Views
    C
    You don't need to disable it, just don't edit a P2 on your mobile P1 and expect it to work for site to site. Add a new P1 for the site to site.
  • Wake On LAN (WOL) with magic packet over IPSEC VPN

    2
    0 Votes
    2 Posts
    2k Views
    G
    Consider you should be sending the magic packets to the broadcast address of the subnet (so you make sure it is put on every wire and the NIC receives it). Sending directly to the IP you want to wake up usually does not work because the ARP cache entry is most certainly cleared by the time you want to wake the PC up
  • How to get IPSec VPN running with Android / Windows clients?

    2
    0 Votes
    2 Posts
    1k Views
    ?
    You could try out these two HowTos from the pfSense Document section! "IPsec for road warriors in PfSense 2.0.1 with PSK in stead of xauth" and "IPsec Road Warrior/Mobile Client How-To"
  • IPsec Site to Site - Strange behavior

    3
    0 Votes
    3 Posts
    933 Views
    C
    @Trinity99: Any idea why this particular connection is so slow? Likely the great firewall of China. They drop a lot of encrypted traffic. You may or may not be able to keep a VPN up to there with any degree of reliability without jumping through hoops. The MSS clamping suggestion is worth trying at least, but the fact you're dropping pings inside the tunnel and not outside proves that's not the only problem as pings are small enough that they won't encounter any such issues.
  • Best remote device for IPsec tunnel to pfSense?

    2
    0 Votes
    2 Posts
    752 Views
    jimpJ
    Draytek seems to be a popular choice for that role, though there are not many other vendors in that area with IPsec support that are of any quality to speak of. Given how frequently I've seen lightning fry modems, I would never consider placing any significant sum into a device plugged into a telco network directly. Put a cheap bridged modem in front of a better router and you'll be much better off in the long run.
  • IPSEC Backup Tunnel

    2
    0 Votes
    2 Posts
    1k Views
    D
    I haven't done this since pfsense 1.2.3 but you should be able to run two pfsense in a carp setup, and if you point your IPsec tunnel to the shared carp WAN ip it should work. I don't see any reason you wouldn't be able to do this on both sides.
  • XBox one stream on vpn

    2
    0 Votes
    2 Posts
    1k Views
    B
    I want to do the same thing along with streaming from the Steam in-home streaming feature on my PC. From what I have gathered, the Steam streaming is enabled by a UDP broadcast packet. https://codingrange.com/blog/steam-in-home-streaming-discovery-protocol Since the IPSEC VPN tunnel is on a separate broadcast domain, this packet isn't being sent back/forth from LAN to VPN. Xbox streaming might work the same way? I think this can be fixed by enabling forecast from within strongswan. https://wiki.strongswan.org/projects/strongswan/wiki/Forecast I however don't have the technical know-how to make this happen or know if it is even possible on FreeBSD. Hopefully a pfsense guru can enlighten us on how to configure broadcast packets to our IPSEC VPN tunnels.
  • 2.2.x IPSEC VPN Unstable - Requires Constant Ping

    1
    0 Votes
    1 Posts
    652 Views
    No one has replied
  • Stable IPSEC VPN?

    5
    0 Votes
    5 Posts
    2k Views
    B
    We also experience this issue. We have approximately 50 tunnels and every two weeks or so I have to reboot the firewall because of this problem.
  • Upgrade to 2.2.4 –> The VPN Shared Secret is incorrect

    18
    0 Votes
    18 Posts
    9k Views
    J
    @cmb: @juniper80: I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing) I can confirm, this worked for me as well…. With iOS and/or OS X mobile clients? For me this solved the issue on Windows with Shrewsoft VPN Client.
  • IPsec and NAT - pfsense 2.2.4 - both Outbound and Port Forward

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: Access to an external service using the IPsec tunnel

    Locked
    1
    0 Votes
    1 Posts
    427 Views
    No one has replied
  • PfSense virtual appliance in AWS connecting to client's Juniper IPSec

    1
    0 Votes
    1 Posts
    675 Views
    No one has replied
  • Access vpn tunnel with valid ip

    1
    0 Votes
    1 Posts
    544 Views
    No one has replied
  • IKEv1 aggressive mode with PSK fails on 2.2.4

    9
    0 Votes
    9 Posts
    5k Views
    L
    Hello Chris, I used web gui for configuration on latest beta firmware (6.21), they had some issues on 6.20 with ssl connections. Cheers, Tomek
  • Pfsense 2.2.4 rekey issues

    9
    0 Votes
    9 Posts
    3k Views
    W
    Yeah, you can switch the Drayteks to "Dial out only" and "always on". This is the setup that always worked for us. On the problematic sites I switched to dial in AND out, so it's initiated when someone starts working at the site. But that does not really help. After 7,5 hours the pfsense initiates the reconnect and the Draytek shows that it's still connected. The workaround at the time is to put up the phase 2 lifetime to 12 hours. So the problem occurs when nobody is working.
  • Android 2 device does Wi-fi. Can't L2TP/Ipsec.

    1
    0 Votes
    1 Posts
    556 Views
    No one has replied
  • 2x Phase 2 not steady

    3
    0 Votes
    3 Posts
    980 Views
    C
    Is there a reason you're forcing NAT-T? That shouldn't be necessary and could be the reason if you're in a circumstance where NAT-T isn't required.
  • IKEv2 / Multiple Phase 2 issue

    2
    0 Votes
    2 Posts
    2k Views
    C
    Sonicwall has the same bug/lacking feature as Cisco ASAs with IKEv2 there. https://redmine.pfsense.org/issues/4704
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.