• Remote Access IPSec and routing problem.

    0 Votes
    1 Posts
    707 Views
    No one has replied
  • IPSEC Pfsense v2.0.3 Cisco ASA 9.x

    0 Votes
    2 Posts
    994 Views
    C
    Those aren't actually errors. Newer racoon versions log those more correctly as informational. Dynamic gateway probably means you have a P1 mismatch, though you're on such an outdated version it's hard to say for sure there.
  • Various ipsec preshared keys

    0 Votes
    2 Posts
    930 Views
    jimpJ
    They each have a distinct purpose. Per-user PSKs are for Mobile IPsec that is PSK only (though these may also be entered on the IPsec PSK tab, they are on users for convenience). IPsec with Xauth PSK is the "Group Key" in clients. The PSK tab in IPsec is for entries that are not per-user, such as EAP entries, allusers entries for L2TP/IPsec, and so on.
  • IPsec VPN service stuck after few days

    0 Votes
    8 Posts
    2k Views
    K
    I don't mind taking the time to debug. But so much stuff is spewed into the log that I have been unable to find anything that hints at the problem. Chris has had access to my system since 2.2 and I don't think he has had any more luck identifying the problem. I have 17 VPN connections but they are all for my use, and I have backup OpenVPN connections as well, so I can "afford" to keep looking for a solution, but it is a pain to reboot pfSense every couple of days (and it wreaks havoc with my Zabbix monitoring). The 17 endpoints have various IPsec connections between them, but I have left them all running 2.1.3 until IPsec is working reliably (or I give up and convert all the tunnels to OpenVPN).
  • [solved] VPN Site to site , each side behind a router

    0 Votes
    4 Posts
    2k Views
    M
    I have the same problem: the IPsec tunnel is established but traffic from the two sites does not pass and packets are dropped, like this: Bytes-In: 0 Packets-In: 0 : 550 Bytes-Out: 0 Packets-Out: 0 : 0. How can I fix this? Does anybody have this problem? :'(
  • Ipsec to mobile windows client

    0 Votes
    4 Posts
    1k Views
    O
    Sorry... not the compress algo; it's the PFS setting only.
  • 2.2.4 upgrade from 2.1.5 - ipsec now disconnects mobile clients.

    0 Votes
    10 Posts
    3k Views
    jimpJ
    For others following this thread, the (new) issue of split-tunnel/routing with IKEv2 was moved to this thread: https://forum.pfsense.org/index.php?topic=97627.0
  • Route from one ipsec to another

    0 Votes
    3 Posts
    744 Views
    T
    Yes, I already tried that. SAs come up green, but can't move traffic. I have a main office and a new satellite office B. For a long time at the main office, I have had 2 IPsec VPNs to 2 vendor networks: Site1, Site2. I wish OfficeB could access devices on these vendor networks, but it can only ping the main office; the main office has no trouble pinging everyone. Some sort of routing problem? This is the main office side: [image: cd09fdcd223a4cb6cf12fb518d210aa7.png] [image: b92d397038b0455f6221a6af63d80f57.png] Then the satellite office: [image: 06486bfb429a2137f892be6f0513107c.png] [image: 6166cc99d23826c20e4db6e7108ae632.png] I should be able to ping 10.1.x.51 from officeB, but it only works at the main. I am also using manual outbound NAT; do I need to create rules for the IPsec interfaces? Which interface would the rule apply to?
  • PfSense 2.2.4 to Fortigate 200D

    0 Votes
    14 Posts
    3k Views
    C
    Packet capture on the IPsec interface: is it getting there? If so, switch to LAN: is it getting there?
  • 0 Votes
    5 Posts
    7k Views
    C
    @ocz: Can you really confirm, that your described behaviour is solved by upgrading 2.2.2 -> 2.2.4 ? Where the root problem is the same, yes, upgrading will fix it. For any IPsec issues on 2.2.x versions along the lines of what you're seeing, first upgrade to 2.2.4. Since you're already there and seeing the same, that's likely a circumstance where the configuration was wrong to begin with, but happened to work. Primarily the situation described here: https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation You're best off starting a new thread describing what you're doing, what logs you're getting, etc. There are countless possible reasons you can get decryption failed logs, and the circumstance OP described is definitely fine in 2.2.4.
  • [2.2.4] LDAP auth

    0 Votes
    3 Posts
    992 Views
    maxxerM
    @cmb: "The authentication options there are specific to Xauth modes, they don't (yet) apply to EAP." Thanks. Is there a bug to track this feature?
  • PfSense IPSec VPN to ZyWALL USG 20 with Dynamic IP Address and DDNS Alias

    0 Votes
    3 Posts
    2k Views
    A
    Hi, Thanks for the response. I managed to sort it out & it is now working fine.  The clue was in the pfSense IPSec logs where I was getting the error "[IKE]I Dir 'Domain.name' does not match to 'IP address'".  In Phase 1 proposal (Authentication) I had set the Peer identifier to a Distinguished Name with the DDNS name of the peer site.  When I changed it to 'Peer IP address', the VPN came up.  I was fairly certain that I'd tried this before & it didn't work, but I also upgraded the pfSense box from version 2.2 to 2.2.4, so maybe that had something to do with it.
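    The IDir mismatch above, and the "decryption failed" / stricter Phase 1 identifier validation discussion a few entries up, are both things you can pick out of the IPsec log before guessing at settings. As an added example (not code from this thread, from pfSense or from strongSwan), the Python script below scans pfSense 2.2.x IPsec log lines in the strongSwan charon format and classifies the common Phase 1 failure signatures. The sample log is constructed for the example: the message wording mirrors charon's, but the hosts, timestamps and connection names are made up, and the hint text for each category is this editor's interpretation, not project documentation.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of pfSense 2.2.x IPsec (strongSwan charon)
# log entries. Wording follows charon; hosts, names and times are invented.
SAMPLE_LOG = """\
Aug 10 09:12:01 fw charon: 08[CFG] <con1000|3> no IKE config found for 203.0.113.10...198.51.100.7, sending NO_PROPOSAL_CHOSEN
Aug 10 09:12:02 fw charon: 09[CFG] <con2000|4> IDir 'vpn.example.net' does not match to '198.51.100.20'
Aug 10 09:12:03 fw charon: 10[CFG] <con2000|4> no matching peer config found
Aug 10 09:12:05 fw charon: 11[ENC] <con3000|5> invalid HASH_V1 payload length, decryption failed?
Aug 10 09:12:06 fw charon: 12[IKE] <con4000|6> received proposals unacceptable
Aug 10 09:12:07 fw charon: 13[IKE] <con1000|7> IKE_SA con1000[7] established between 203.0.113.10[203.0.113.10]...198.51.100.7[198.51.100.7]
"""

# charon prefixes each line with "<thread>[GROUP] <connname|ikesa-id>".
LOG_LINE = re.compile(
    r"charon: \d+\[(?P<group>[A-Z]+)\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)

# (pattern, category, hint). Hints are the editor's troubleshooting notes.
SIGNATURES = [
    (re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'"),
     "phase1-identifier-mismatch",
     "peer presented identity {got!r} but the Phase 1 Peer identifier expects "
     "{want!r}; align identifier type and value on one side"),
    (re.compile(r"no IKE config found for"),
     "no-phase1-for-peer-address",
     "no Phase 1 matches this address pair; check the remote gateway "
     "(dynamic/DDNS peers change address)"),
    (re.compile(r"no matching peer config found"),
     "no-peer-config",
     "a Phase 1 matched by address but not by identities/auth method; "
     "compare identifiers and authentication settings"),
    (re.compile(r"received proposals unacceptable"),
     "phase1-proposal-mismatch",
     "Phase 1 encryption/hash/DH group does not overlap with the peer"),
    (re.compile(r"decryption failed"),
     "decryption-failed",
     "often a pre-shared key or proposal mismatch, but many causes exist; "
     "verify PSK and Phase 1 settings first"),
]


def triage(log_text):
    """Return one finding per matched line, in log order; unmatched lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        for pattern, category, hint in SIGNATURES:
            s = pattern.search(m.group("msg"))
            if s:
                findings.append({
                    "conn": m.group("conn"),
                    "category": category,
                    "hint": hint.format(**s.groupdict()),
                })
                break  # first signature wins; they are ordered most specific first
    return findings


def by_connection(findings):
    """Group distinct categories per connection so each P1 is checked once."""
    grouped = defaultdict(list)
    for f in findings:
        if f["category"] not in grouped[f["conn"]]:
            grouped[f["conn"]].append(f["category"])
    return dict(grouped)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['conn']}: {f['category']} - {f['hint']}")
```

    Feed it the IPsec log from Status > System Logs (or /var/log/ipsec.log) instead of SAMPLE_LOG; the per-connection grouping is what you want when, as cmb notes, the log is full of noise and the same tunnel fails for several reasons in a row.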
  • Disconnect ipsec automatically on gateway failure

    0 Votes
    5 Posts
    1k Views
    B
    Hi cmb, thank you for the reply. I apologize, that was a typo; it was 2.2.4-dev. I have also upgraded to the 2.2.4-release since then. When testing the failure I physically unplug the network cable from the firewall and verify that the gateway group shows the gateway for that WAN as offline. Thanks again. [image: pfsense_version.JPG]
  • IP Sec Issues with multiple P2 tunnels (only the first comes up)

    0 Votes
    4 Posts
    889 Views
    C
    Haven't heard of that with Sonicwall, but apparently they've broken/don't support multiple TS in the same TS payload either. The config is 100% correct as generated for proper IKEv2 usage. One of the benefits of IKEv2 is not needing multiple child SAs for such circumstances, at least for proper implementations of it. In /usr/local/www/vpn_ipsec_phase1.php, take out this chunk of input validation:

    ```php
    // Rejects saving an enabled P1 whose remote gateway is already used by
    // another enabled P1 (skipping the entry being edited, $p1index).
    if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']))) {
        $t = 0;
        foreach ($a_phase1 as $ph1tmp) {
            if ($p1index <> $t) {
                $tremotegw = $pconfig['remotegw'];
                if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
                    $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
                }
            }
            $t++;
        }
    }
    ```

    Then add two P1s with one P2 on each. That's really what you're configuring there by splitting it into two conn entries. That validation probably isn't really necessary; might just remove that to allow configs like this. Its intention is to prevent foot-shooting, but there are potential circumstances like this where it works around issues with the remote end.
  • IPSEC failover ?

    0 Votes
    2 Posts
    783 Views
    jimpJ
    That's not currently possible at the moment with multiple tunnels, however you can still pull it off with a single tunnel. For the "Core" side use a hostname in DNS that will resolve to whichever one is up (like DynDNS) – and then use that hostname as your Phase 1 IPsec peer in pfSense. If the other settings (key, P2 nets, etc) are all the same then pfSense won't care which one it connects to, it will follow the hostname.
  • Pfsense 2.2.4 ipsec to pfsense 2.1.5 all tunnel down after 2.2.3 to 2.2.4

    0 Votes
    4 Posts
    7k Views
    H
    It is working now that I've set it to IKEv1.  Thank you for the explanation.
  • PfSense 2.2.3 and 2.2.4 to StrongSwan with user distinguished name

    0 Votes
    7 Posts
    5k Views
    M
    thank you very much, my misunderstanding of the different id types and how the non-decorated name works.
  • IPSECv2 to Azure no longer working 2.2.4

    0 Votes
    4 Posts
    2k Views
    C
    Thanks for the follow up, glad you got it resolved.
  • IPSec Mobile Client Windows IKE2 routing issue

    0 Votes
    1 Posts
    842 Views
    No one has replied
  • PF 2.2.4 IPSEC still not working

    0 Votes
    4 Posts
    1k Views
    C
    Printers that don't work usually are because they're missing a default gateway, or have a wrong one set.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.