• VPN between two 2.2.1 (alix and esxi based) - Not stable

    5
    0 Votes
    5 Posts
    1k Views
    Well I'll wait till 2.2.3 is released as a stable version then :)
  • VPN for Road warrior (Windows, iOS, Mac OS) use

    2
    0 Votes
    2 Posts
    817 Views
    Yes. You can use IPSec for mobile clients, and it works perfectly :)
  • No traffic after a random time

    2
    0 Votes
    2 Posts
    586 Views
    What do your IPsec logs show at the time? What's the router you're connecting to?
  • IPSec site-to-site to Cisco RV220 not passing traffic

    2
    0 Votes
    2 Posts
    932 Views
    Your logs show it's up, so should be safe to assume everything at the IPsec level is correct. Maybe missing firewall rule to allow traffic in on IPsec tab. Maybe a host issue, like having a wrong subnet mask, or a local firewall that's dropping the traffic.
  • IPSec No Connectivity

    1
    0 Votes
    1 Posts
    573 Views
    No one has replied
  • IPSec performance using 1 gigabit /second WAN

    4
    0 Votes
    4 Posts
    1k Views
    @ermal: You should start by loading AESNI module. In pfSense 2.2.x surely it's confirmed you can get 800Mbit/s with lower boxes with AES-GCM. In 2.3 it's improved a bit more. Can you please post your numbers and what ipsec configuration you are using? Re-testing with AES-128 and I can see that computer #1 (the less powerful of the 2 pfsense computers) is showing much higher loads on the interrupt than on the first snapshots taken, seems like the interrupt is ranging between 70-90% of utilization
  • IPSec VPN site-to-site pfSense + Cisco ISA500

    2
    0 Votes
    2 Posts
    764 Views
    Hello to all, we have fixed the problem. It was due to another VPN active with same subnets. We changed networks and all is working perfectly now!
  • Layer 2 Tunneling Protocol with IPsec

    6
    0 Votes
    6 Posts
    2k Views
    Anyone?
  • 0 Votes
    5 Posts
    1k Views
    Finally back from vacation and back to my IPsec issue ;) @ermal: Probably should try disabling the unity plugin! Sorry, but I can't see that setting on the IPsec tab. Where should it be?
  • IPSEC Issues between Cisco ASA 5510

    6
    0 Votes
    6 Posts
    1k Views
    I verified that while status did not show connected, I was able to pass traffic and then the status updated to reflect 2 subnets.
  • Encrypt specific protocols only

    5
    0 Votes
    5 Posts
    1k Views
    I ended up doing it myself. Read a little of PHP, touching here and there on a test environment and voila. Been testing a few protocols and ports and seems to be ok. No idea how to make a pull request, but I've left the modified files attached to this post just in case someone needs them. protoport.zip
  • PfSense as EXCLUSIVE L2TP/IPSec PSK server

    2
    0 Votes
    2 Posts
    735 Views
    I was able to configure pfSense as strictly a L2TP/IPSec server but I'm not sure how to integrate it into my network correctly.
  • IPSec tunnel to a Sonicwall TZ215

    4
    0 Votes
    4 Posts
    1k Views
    Most often because you have no firewall rules on the IPsec tab on pfSense allowing the traffic to come in. If not that, you may have firewall rules on the Sonicwall not allowing traffic to leave its LAN destined for the VPN.
  • IPSec tunnels failing

    5
    0 Votes
    5 Posts
    1k Views
    Squid almost certainly wouldn't be related. Unless maybe it's shutting down because of a hardware problem that's also affecting strongswan but I would guess that's not very likely as it'd probably crash and reboot the system. The status described is just how things would look when it's trying to connect and isn't yet connected, it's not that your P1/P2 config isn't there, it's just not existent in status at that point. No telling what might be happening. IPsec logs would be useful.
  • 0 Votes
    2 Posts
    831 Views
    Follow-up in case someone ever has similar problems… Two things... 1. I was unclear about the interface. I said "LAN" but it was a WLAN interface and I think this had something to do with generating the behaviors I was seeing. 2. I "fixed" it by setting the DHCP range on that interface to a range that looked like x.x.x.129-254 and setting the network in the IPsec SAs to x.x.x.128/25 thus pulling the .1 interface (firewall) out of the networks on the tunnel. This worked. Clients in the DHCP range go over the tunnel for internet access and the firewall interface still works as expected. Hack but it works for now and I'm not going to need more DHCP space there for a while (famous last words...)
  • IPSec Timeout / Rekeying

    4
    0 Votes
    4 Posts
    7k Views
    Rekeying should not result in any drop in connectivity, as it should complete before expiration and then replace. Leave a constant ping running for around 48 hours and verify you don't have any excessive loss (sub-0.5% assuming a reliable Internet connection). If that checks out, you're fine.
  • 0 Votes
    3 Posts
    2k Views
    Hey there enrico.m.crisostomo (or anyone else that knows the answer) - I am experiencing what is mentioned in the OP. I have a working Mobile IPSec VPN, and all mobile devices can see resources on the local LAN subnets. These mobile devices cannot traverse the site-to-site VPN to my servers in the cloud. As stated below, with a traditional site-to-site VPN you would simply add another Phase2 and make sure that the remote side has a route to your new subnet. That idea does not appear to work with a Mobile IPSec VPN. Does anyone know the resolution to this? Thanks.
  • Pfsense reboot when i login from vpn IPSEC

    4
    0 Votes
    4 Posts
    847 Views
    @cmb: That's still an open issue. https://redmine.pfsense.org/issues/4537 The workaround is to go to System>Advanced, System Tunables, and add a tunable for net.inet.ipsec.directdispatch with value 0. It works!! Thanks :)
  • Road Warrior IPSEC and/or L2TP need to open ports to pfSense on WAN?

    2
    0 Votes
    2 Posts
    887 Views
    No, rules are automatically added. You can check states under Diag>States to confirm whether the traffic is being passed. Filter on the public IP the client is coming from. Can double check nothing is blocked by checking firewall log.
  • Negotiation mode become Main after upgrade from 2.1.5 to 2.2.2

    3
    0 Votes
    3 Posts
    3k Views
    Was able to fix it: somehow Key Exchange version had been changed to Auto. I changed it to ver 1, which I believe it was; I then was able to change the Negotiation mode to aggressive. Thanks for the response!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.