ipsec or openvpn ?

Talking to myself. No not crazy at all  :o My solution above is not the right way I think. The underlying issue with IPSEC is traffic from pfsense, how to get it to route its own traffic. This solved the problem with "DNS Resolver" not working, that is; not reaching a DNS on the other side of the tunnel. After this I could restore the setting for "Outgoing interface" to "All" instead of "LAN". https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

Hi! 2.2.2. It's a 2.2.1 fresh install, updated to 2.2.2

On the 2.2 side, apply the logging changes for IPsec suggested here: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29 And then have the 2.1.x side initiate to see what the problem really is.

Yes, saw that. You know that the device the other end only has 1 x P2 configured? Most devices don't have the ability to setup multiple phase 2's, Cyberoam, Sophos UTM, vShield, Palo Alto, they all just allow multiple subnets within the single P2 config or as a route using the tunnel as the gateway. If you were already clear on that, I'm not sure what the answer is. As the 2 x P2 on the pfSense box has identical settings, apart from the subnet.

Done. https://redmine.pfsense.org/issues/4626

After version 2.2.2-RELEASE upgrade this seems to fix this problem. good job!

Hi, updated to 2.2.2 but still not working for me, see topic: https://forum.pfsense.org/index.php?action=post;topic=92056.0

You can specify the NAT translation on the phase2 settings page. It is clearly marked as NAT segment translate.

The underlying keying daemon used in 2.2x and newer, strongswan, doesn't have an option to completely disable NAT-T. Leaving it to auto is best. There's no need to disable it.

Verify range to target…  :)

It works similarly to how lookups are handled for aliases. It's checked every few minutes and if the DNS entry has changed, /etc/rc.newipsecdns is run. I believe it's also checked when the tunnel settings are synchronized so that the IP address may be written into the ipsec configuration.

Uncheck "Use Default Gateway on Remote Network" in the advanced TCP/IP settings of the VPN connection. See e.g. https://support.microsoft.com/en-us/kb/317025 for details.

Unfortunately not an uncommon issue with cable, and tends to be difficult to get the cable company to track down or even admit there's a problem. Glad you were able to get them to find and fix it.

nobody help me ??!!! i check every thing  and all setting is ok and tunnel connected bud traffic not pass from lan subnet to destination lan subnet from ipsec tunnel ! :P

Staff believe that is the problem: https://redmine.pfsense.org/issues/4504 Someone al uses version 2.2.2? it will not downgrade to version 2.1.5 Thz.

After much trial and error, I'm finally able to get L2TP/IPsec and IKEv2 working (separately, not at the same time) . However, at this time it seems I need to make a decision. My VPN needs to support both Windows & Apple devices. Some of the Windows devices (i.e. tablets) don't have third-party client software available to support straight IPsec VPN. (this means OpenVPN is also not an option) The choices are: Support only iDevices using L2TP/IPsec* Support only Windows devices using IKEv2* Unless someone can point me to documentation explaining how to support both protocols at once. StrongSwan has an OS X client that is supposed to provide IKEv2 connectivity. However, there is zero documentation, and the GUI completely non-intuitive.