• 2.2.2 -> 2.2.3 Upgrade: KeyID Tag Broken?!

    4
    0 Votes
    4 Posts
    1k Views
    C
    This was fixed in 2.2.4 last week.
  • [2.2.3] High CPU usage when going to the IPSec status page - Lot of SAD

    1
    0 Votes
    1 Posts
    829 Views
    No one has replied
  • Route a WAN IP over the tunnel

    5
    0 Votes
    5 Posts
    1k Views
    M
    After disabling and enabling the phase 2 on one end, the tunnel came up. It was not possible to ping through the tunnel but it looks like the routing works. I then checked the IPsec firewall rules but they were ok (IPv4 * * * * * * none). I also added such rules on the LAN interface on both ends. Still, the IP is not pingable. EDIT: After adding an outbound NAT rule and switching to hybrid mode, I can finally reach through the tunnel. Adding a third phase 2 shows the red arrow again on this phase 2. Re-enabling it does not help, even after a few times. The ipsec log shows the phase 2 as if it was connected: charon: 10[CFG] received stroke: add connection 'con1002' Jul 7 22:29:48 charon: 10[CFG] added child to existing configuration 'con1000' Jul 7 22:29:48 charon: 07[CFG] received stroke: route 'con1002' Jul 7 22:29:48 ipsec_starter[35735]: 'con1002' routed But the red arrow on the status page stays and the tunnel is not connected in fact.
  • IPSec Tunnel IKE2 to ASA does only the last SA; not all 4

    9
    0 Votes
    9 Posts
    3k Views
    A
    Still waiting for help; yes, it works fine under IKEv1; but need to have it working in IKEv2.  ;) Either with hack, or NATting 4 (was 2 before) local subnets 10.1.10.10/24,10.1.10.20/24,10.1.10.110.110/24, and 10.1.10.120 into 10.41.38.0/22, so we can only use 1 SA. Tried NAT 1:1 but that did not work. Any help appreciated.
  • IPsec between pfsense and ZyWall usg100-plus with certificates

    1
    0 Votes
    1 Posts
    646 Views
    No one has replied
  • Creating a rule for IPSEC VPN

    1
    0 Votes
    1 Posts
    654 Views
    No one has replied
  • New IPSEC Tunnel ISAKMP Rule Not Being Auto Created

    1
    0 Votes
    1 Posts
    810 Views
    No one has replied
  • Charon does not match sent identity to configured one

    5
    0 Votes
    5 Posts
    2k Views
    G
    @cmb: I'm going through all the possible combinations there now doing testing, with an automated test setup to iterate through all the possibilities. We'll have that resolved for 2.2.4. Awesome!  :D
  • Ipsec to asa 5545x drops every few minutes

    2
    0 Votes
    2 Posts
    613 Views
    R
    Can you post debugging logs of both sides?
  • Ipsec vpn using x.509

    2
    0 Votes
    2 Posts
    729 Views
    Z
    I have tried specifying the WAN IP address as CN in the certificate …. no luck. Can anyone share their experience on IPsec with RSA please?
  • FortiClient VPN

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC VPN borked

    2
    0 Votes
    2 Posts
    3k Views
    C
    Double check your configuration. IKEv1, main mode? If you had something that worked, it came up, then you changed something so it no longer matches (like switching to IKEv2 for instance for that log), the already-negotiated connection would stay up for the lifetime. Then come time to rekey, it fails as the config is no longer valid.
  • IPSEC and L2TP issues for a noob>>>

    1
    0 Votes
    1 Posts
    643 Views
    No one has replied
  • Ipsec can't login on pfsense 2.2.3

    1
    0 Votes
    1 Posts
    613 Views
    No one has replied
  • 0 Votes
    3 Posts
    864 Views
    S
    Hi cmb, thanks. I have to restart the system and then wait for the error. Thank you, Thomas
  • VPN from Cisco with redundant wan to pfSense

    2
    0 Votes
    2 Posts
    749 Views
    C
    You can check the "responder only" on phase 1 to accomplish that part of it.
  • Mobile VPN Users accessing Secondary Site over existing IPSEC Tunnel

    1
    0 Votes
    1 Posts
    572 Views
    No one has replied
  • L2TP Problem with CISCO

    2
    0 Votes
    2 Posts
    1k Views
    E
    Anyone? I'm still trying to get this thing working…. Thank you!
  • VPN ipsec with one end using dynamic ip changing every 12hours

    9
    0 Votes
    9 Posts
    3k Views
    Z
    Hi, sorry for the delay. The pfSense will be deployed under ESX on a DualXeonE5-2630V3 64GB RAM; the server will also contain 2 VMs for media delivery and proxy. I was thinking of only one concentrator, didn't know of the existence of hardware crypto accelerators. 100mbps of throughput is required over VPN. Will this hardware suffice? Server specs: https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339 The peers are Cisco using VPN IPsec LAN-to-LAN with X.509 certificates. Edit: read about AES-NI, will this boost even if using 3DES/SHA?
  • IPsec Mobile Can Only ping router on lan

    2
    0 Votes
    2 Posts
    575 Views
    C
    Is that system the default gateway on your LAN? Can you get out to the Internet via that VPN, just not to your LAN?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.