• Even though everything works, IPsec is marked not running

    0 Votes
    8 Posts
    1k Views
    I "solved" the issue. I knew IPsec was working correctly on 2.2.1, so instead of going 2.1.5 -> 2.2.2 I did a middle step, 2.1.5 -> 2.2.1 -> 2.2.2, and all works as expected now.
  • Piling on SPI entries

    0 Votes
    5 Posts
    1k Views
    It's an artifact of rekeyed connections in some circumstance we haven't narrowed down yet. It doesn't appear to cause any problems though, and is safe to ignore.
  • IPsec (Road Warrior) on 4.2.2 connects but networks don't see each other

    0 Votes
    4 Posts
    956 Views
    @spetnik: What would the intermediary devices here be? I tried connecting via my Android phone's tethering as well as a remote simple cable connection. I also tried through a network that is on a SonicWall router that has in the past (earlier pfSense versions) allowed me to connect. Usually some form of firewall with NAT would be expected if you are not connecting directly. I would suggest upgrading to IKEv2 and using Windows 7 built in client, Android works well too apparently: https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
  • IPSec Client for Windows?

    0 Votes
    3 Posts
    848 Views
    ShrewSoft if you want PSK, but it will not remember passwords by design. Windows 7 ships with an IKEv2 client that works great with RSA certificates, you can find some screenshots for setting those up here: https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html Depends how mobile your clients are, OpenVPN/TCP on port 443 has significant advantages for accessibility in restricted networks.
  • Half ipsec tunnel

    0 Votes
    7 Posts
    1k Views
    Not exactly sure what happened for me, but when I upgraded from 2.2.1 to 2.2.2 half of my IPsec tunnel collapsed. I could still get to the SQL server at our hosting company with SQL Management Studio, but could not reach the other server there, even with pings. I ended up rolling back to the old version and everything works again. =/ I apologize, I do not have any logs or screenshots from the failures. There were charon errors though, I do recall that: not being able to find a file or directory or something. Seeing this post made me wonder if it was this issue. Oh, looks like it's that same bug a lot of others are having with multiple P2 entries. I have two P2 entries.
  • 2.2.2 IPSec on Nanobsd

    0 Votes
    8 Posts
    2k Views
    I have seen the same symptoms on a PC Engines ALIX (not an APU). The remote end reboots somewhere between 30 seconds and 1 hour after IPsec (strongSwan) is enabled. I disabled IPsec and the box has been up solid for three hours now. Details: far end is a PC Engines ALIX with 256 MB RAM running pfSense 2.2.2 i386; near end is a generic Atom board running pfSense 2.2.2 64-bit. IPsec phase one is built from IPv4 to IPv4 addresses, both static. Phase 2 is a /24 network remotely to a /16 network locally. I can't see anything useful in the logs after a reboot; they start with the kernel booting. Even setting syslog to log over the tunnel was not able to produce any logs. So I'll try this tunable and see if it does anything, will report in 24 hours.
    UPDATE: 14 hours later the remote ALIX has not yet rebooted, and the tunnel has been up and stable the whole time. FIXED for me! Thanks!
  • IPSEC + GRE +OSPF

    0 Votes
    2 Posts
    1k Views
    Can you share your config, sanitized? What you can do for now is provide a command to be executed during bootup that clears the states for that specific traffic.
  • New advanced setting required for StrongSwan 5.3 [RFC7296]

    0 Votes
    2 Posts
    1k Views
    Already there with 2.2.3 snapshots.
  • Pfsense VPN: IPSEC - Ping problem

    0 Votes
    3 Posts
    1k Views
    You could set the phase 2 configuration in site B to ping an internal IP in site A. Otherwise it looks like you have a firewall or NAT issue, or accidentally checked "Responder Only".
  • 0 Votes
    4 Posts
    1k Views
    Thanks for your answers. Here's how I've solved the problem: I set up my IPsec connection and "phased around" all my LAN subnets in Phase 2. To route around them, I just needed a couple of Phase 2 entries: 0.0.0.0/1 128.0.0.0/2 192.0.0.0/9 192.128.0.0/11 192.160.0.0/13 … cu Ben
  • ICMP traceroute succeeds but UDP fails?

    0 Votes
    3 Posts
    2k Views
    Interesting, does Cisco follow this policy too?  Here is the reference on the freebsd mailing list. https://lists.freebsd.org/pipermail/freebsd-net/2014-February/037912.html
  • 0 Votes
    9 Posts
    4k Views
    dennypage
    I wasn't aware of that. Thanks. @MrMoo: IKEv2 allows you to specify multiple subnets for leftsubnet= and rightsubnet=.
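    Ben's reply above (the topic with "phased around" Phase 2 entries) lists prefixes that together cover every destination except his LAN, and dennypage's reply notes that under IKEv2 strongSwan accepts a comma-separated list of subnets in leftsubnet=/rightsubnet=. The following Python example was added for this page; it is not code from either poster, from pfSense or from strongSwan. It computes such a prefix complement with the standard library's ipaddress module, checks that the result is disjoint from the holes and covers everything else exactly once, and renders it as a strongSwan subnet list. The LAN to carve out, 192.168.0.0/16, is an assumption: it reproduces the first five entries Ben listed, but his post elides the rest of his subnets.

```python
import ipaddress


def _collapse(networks):
    """Parse and merge a list of CIDR strings so nested/duplicate holes count once."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))


def complement_prefixes(excluded, universe="0.0.0.0/0"):
    """Minimal set of CIDR prefixes covering `universe` minus every network in `excluded`.

    Two CIDR prefixes are either nested or disjoint, so each hole either swallows a
    remaining prefix whole, is carved out of it with address_exclude(), or does not
    touch it at all. Excluding a /16 from 0.0.0.0/0 therefore yields 16 prefixes,
    one per prefix length from /1 to /16.
    """
    remaining = [ipaddress.ip_network(universe)]
    for hole in _collapse(excluded):
        carved = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                                    # swallowed entirely
            if hole.subnet_of(net):
                carved.extend(net.address_exclude(hole))    # split around the hole
            else:
                carved.append(net)                          # disjoint, keep as-is
        remaining = carved
    return sorted(remaining)


def check_complement(prefixes, excluded, universe="0.0.0.0/0"):
    """True if `prefixes` overlap no hole and, together with the holes, account for
    every address of `universe` exactly once (no gaps, no double coverage)."""
    holes = _collapse(excluded)
    if any(p.overlaps(h) for p in prefixes for h in holes):
        return False
    covered = sum(p.num_addresses for p in prefixes) + sum(h.num_addresses for h in holes)
    return covered == ipaddress.ip_network(universe).num_addresses


def strongswan_subnet_list(prefixes):
    """Render prefixes in the comma-separated form strongSwan takes for
    leftsubnet=/rightsubnet= in an IKEv2 conn (pfSense writes one Phase 2 per entry)."""
    return ",".join(str(p) for p in prefixes)


if __name__ == "__main__":
    # Assumed LAN to exclude; the forum post only shows the first five resulting entries.
    lan = ["192.168.0.0/16"]
    prefixes = complement_prefixes(lan)
    assert check_complement(prefixes, lan)
    for p in prefixes:
        print(p)
    print("rightsubnet=" + strongswan_subnet_list(prefixes))
```

    The same function also handles several holes at once (for example a 10.0.0.0/8 site network plus a 192.168.1.0/24 management subnet), which is the case where hand-computing the entries becomes error-prone; run check_complement() on the result before pasting the list into a Phase 2 or a conn block.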
  • Ver 2.2.2 & Draytek VPN tunnels

    0 Votes
    5 Posts
    1k Views
    Hi cmb, thanks for looking. I have sent you a PM with access details. Draytek have responded to my request and I have access to the earlier firmware revisions, but I will wait until you have looked. Dave
  • Dual wan with mobile ipsec fail

    0 Votes
    4 Posts
    976 Views
    Mobile IPsec rules don't get added with reply-to, so it only works by default on the WAN where your default route resides. If you manually add UDP ports 500 and 4500 rule(s) on the other WAN, it'll add the reply-to, which will do the return routing correctly.
  • Can't edit Phase2 after Upgrade

    0 Votes
    4 Posts
    862 Views
    Could you get me into the system, or send me a backup of your config? Seems like your config didn't upgrade to add the uniqid tags on the P2s and I'd like to see why.
  • Ipsec peer not responding

    0 Votes
    3 Posts
    4k Views
    The other side should show something more useful in that case as to why it isn't responding. Or if it shows nothing, you'll know the traffic isn't reaching it. The fact that it's switching to NAT-T (port 4500) is usually indicative of a config problem with site to site VPNs, since neither end is using NAT generally. Though if one of the endpoints is NATed, then it's probably not replying because you're not forwarding UDP 4500 through the NAT.
  • Problems after 2.2.1 upgrade not passing traffic after rekeying

    0 Votes
    16 Posts
    6k Views
    I emailed Ruddimaster but wanted to post here as well for others. If you're having rekeying issues, especially with multiple P2s, applying this change and rebooting may fix. https://github.com/pfsense/pfsense/commit/afd0c1f2c9c46eaa8e496e98bea8a8e0887d504f
  • Is Hybrid RSA + XAuth generating backward authentication policies?

    0 Votes
    3 Posts
    1k Views
    I was having trouble connecting with the ShrewSoft Windows client. I'm going to assume something else is wrong with the configuration and try again later. Thanks for the response!
  • IPSEC / L2TP for remote access.

    0 Votes
    3 Posts
    2k Views
    You might consider posting your issue here: https://forum.pfsense.org/index.php?topic=83321.0
  • IPSec tunnel P2 not working when started automatically

    0 Votes
    2 Posts
    873 Views
    Hm, shouldn't be related with IKEv2, but do you have the Unity plugin enabled? https://redmine.pfsense.org/issues/4178 Only thing I can think of with a Cisco that would end up changing the selectors, though that symptom is completely different. What does your /var/etc/ipsec/ipsec.conf contain, and "ipsec statusall" show?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.