• Pfsense and Route-Based IPSec VPN

    0 Votes, 9 Posts, 5k Views
    Last reply: thanks everyone! We use VPN tunnels to a lot of third-party devices, including ASA, Fortigate, Sonicwall, Palo Alto, etc. I can confirm that you don't need Route-based or Policy-based on both ends; it only matters locally. Well, for now we can go with Policy-based; once there is a need, I'll look into these options again.
  • IPSec PFsense 2.2 To Sonicwall timing out straight away

    0 Votes, 1 Post, 1k Views
    No one has replied
  • Route-based VPN

    0 Votes, 1 Post, 770 Views
    No one has replied
  • Multi Site-to-Site VPN Issue

    0 Votes, 3 Posts, 964 Views
    Last reply: I have fixed it. Just restart the Fritzbox. There was no issue in my config.
  • Charon: 06[JOB] deleting half open IKE_SA after timeout

    0 Votes, 1 Post, 4k Views
    No one has replied
  • FIXED 2.2.1 ALIX <> APU: phase2 gets: traffic selectors inacceptable

    0 Votes, 3 Posts, 4k Views
    Last reply: Because they do not match!
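    The "traffic selectors inacceptable" line that thread is about is logged by strongSwan on the side that receives a Phase 2 proposal for which it has no matching child configuration; the usual cause is that the two firewalls' Phase 2 entries are not mirror images of each other. The following is an added example (my code, not the poster's and not pfSense's own) that takes both sides' Phase 2 entries as (local subnet, remote subnet) pairs, normalises them the way they go on the wire (host bits masked off), and reports which entries lack a mirrored counterpart. It also checks the weaker IKEv2 condition, where a peer whose selectors are a superset of ours can still narrow them and bring the CHILD_SA up. All subnets and the peer names are constructed for the example.

```python
import ipaddress

# Constructed example input: Phase 2 entries as typed into each firewall's GUI,
# as (local subnet, remote subnet) pairs.  All values are illustrative.
OUR_PHASE2 = [("192.168.10.0/24", "10.20.0.0/16")]
PEER_PHASE2_OK = [("10.20.0.0/16", "192.168.10.5/24")]   # host bits set, same network
PEER_PHASE2_BAD = [("10.20.0.0/16", "192.168.10.0/25")]  # narrower than ours
PEER_PHASE2_WIDE = [("10.20.0.0/16", "192.168.0.0/16")]  # wider than ours


def _norm(cidr):
    # strict=False masks off host bits, so "192.168.10.5/24" becomes 192.168.10.0/24,
    # which is the selector that is actually sent in the exchange.
    return ipaddress.ip_network(cidr.strip(), strict=False)


def normalize_p2(entries):
    return {(_norm(local), _norm(remote)) for local, remote in entries}


def _fmt(local, remote):
    return f"{local} <-> {remote}"


def check_phase2_mirror(our_p2, peer_p2):
    """Exact-match check: our (local, remote) must appear on the peer as (remote, local).

    Returns (missing_on_peer, missing_on_us), each a sorted list of 'local <-> remote'
    strings written from OUR point of view.  Both empty means the selectors mirror.
    """
    ours = normalize_p2(our_p2)
    theirs_mirrored = {(remote, local) for local, remote in normalize_p2(peer_p2)}
    missing_on_peer = sorted(_fmt(l, r) for l, r in ours - theirs_mirrored)
    missing_on_us = sorted(_fmt(l, r) for l, r in theirs_mirrored - ours)
    return missing_on_peer, missing_on_us


def ikev2_narrowable(our_p2, peer_p2):
    """True if every pair of ours fits inside some pair on the peer.

    IKEv2 (RFC 7296) lets the responder narrow a proposed selector, so a peer whose
    selectors are a superset of ours can still establish the CHILD_SA.  IKEv1 quick
    mode has no such rule, so there the exact check above is the one that matters.
    """
    ours = normalize_p2(our_p2)
    theirs = normalize_p2(peer_p2)

    def fits(inner, outer):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        return inner.version == outer.version and inner.subnet_of(outer)

    return all(
        any(fits(l, peer_remote) and fits(r, peer_local) for peer_local, peer_remote in theirs)
        for l, r in ours
    )


if __name__ == "__main__":
    cases = [("ok", PEER_PHASE2_OK), ("bad", PEER_PHASE2_BAD), ("wide", PEER_PHASE2_WIDE)]
    for name, peer in cases:
        on_peer, on_us = check_phase2_mirror(OUR_PHASE2, peer)
        print(f"{name}: exact mirror={not on_peer and not on_us}, "
              f"ikev2 narrowable={ikev2_narrowable(OUR_PHASE2, peer)}")
        for entry in on_peer:
            print(f"  peer lacks mirror of our entry: {entry}")
        for entry in on_us:
            print(f"  we lack mirror of peer entry:  {entry}")
```

    Run it with the pairs copied from both GUIs. For IKEv1 any output from the exact check is the mismatch to fix; for IKEv2 the narrowable check tells you whether the tunnel can still come up with a narrowed selector, which often explains why one direction of traffic works and the other does not.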
  • IPsec Phase2 SHA256

    0 Votes, 4 Posts, 1k Views
    Last reply: Hmmm… so post some logs about how it's now working.
  • PFSense 2.2.1 to Draytek 2860 IPsec multiple Phase 2's being created.

    0 Votes, 1 Post, 1k Views
    No one has replied
  • IPSEC Mobile Stuck in Mutual PSK + Xauth

    0 Votes, 1 Post, 591 Views
    No one has replied
  • IPSec VPN include cache & secure proxy !!

    0 Votes, 1 Post, 512 Views
    No one has replied
  • IPSec tunnel to Different Address

    0 Votes, 4 Posts, 901 Views
    Last reply: You should be able to do this on a Cisco router; I've done it on ASAs. A quick google turns up this, which may help: http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping.html
  • IPSec setup

    0 Votes, 2 Posts, 1k Views
    Last reply: Just when you think there are no options left, you solve it on your own ;-) I ended up setting up another pfSense just for IPSec and 1:1 NAT all ports/protocols for IPSec from the primary pfSense to it. I added a second network interface with an IP in the 100.72.13.160/29 subnet to the new pfSense VM and created the IPSec connection like I did before. We then set up another database VM with its primary network interface also in that subnet and the IP of the new pfSense as gateway. Everything was working as expected from then on. I ended up having a lot of TCP:RA drops and blocks from another remote location connected via OpenVPN on another VM (but in the same VLAN), which was solved by setting the firewall mode to conservative. Any idea why that is needed?
  • L2TP link "freezes" when anything but pings are sent.

    0 Votes, 2 Posts, 659 Views
    Last reply: It turned out that the internet connection I use from home already employs IPSec/L2TP to create a tunnel via the wireless services the ISP uses, so instead of figuring out which PMTU, ICMP and MTU settings and whatever else to use, the tunnel was simply established from my Mikrotik router instead of from my laptop, which works 100%. If I'm on the road then the tunnel from my laptop works fine.
  • IPsec doesn't work suddenly

    0 Votes, 1 Post, 734 Views
    No one has replied
  • MOVED: Juniper IPSEC problems

    Locked; 0 Votes, 1 Post, 476 Views
    No one has replied
  • Mobile lancom Client can't connect

    0 Votes, 1 Post, 534 Views
    No one has replied
  • PFsense 2.2 to Sonicwall Pro 2040 IPSEC

    0 Votes, 3 Posts, 984 Views
    Last reply: I was considering that but really don't want to go back. In addition, it's a Hyper-V VM, which 2.2 works well on. I remember on a previous build of pfsense I had to use "prefer older SAs". Somewhat stumped at this point as the logs just don't show any pertinent errors. Tunnels marked as up. Weird.
  • Site-To-Site between two pfSense losing connectivity

    0 Votes, 6 Posts, 4k Views
    Last reply: @itm_2015: What's about: "Removing interfaces_use from strongswan.conf makes the problem go away."? I had the same problem. Whenever the WAN link got disconnected/reconnected, the VPN tunnels did not reconnect. Removing the 'interface_use' indeed fixed the problem. To remove this key from strongswan.conf I edited /etc/inc/vpn.inc; around line 370 there is this:

        {$accept_unencrypted} cisco_unity = {$unity_enabled} {$ifacesuse}

    I changed this to:

        {$accept_unencrypted} cisco_unity = {$unity_enabled} {$ifacesuse}

    I also edited the file /var/etc/ipsec/strongswan.conf and commented out the 'interface_use' line (gets overwritten when WAN is disconnected). This is a hack that worked for me; I have no experience in linux/freebsd and don't know if it has any side effects. Alternative is go back to old version or wait for 2.2.1 update. Lex
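    The key the poster above comments out by hand is strongSwan's charon.interfaces_use, which pins charon to the listed interfaces; the post spells it both 'interfaces_use' and 'interface_use'. As an added example (my code, not the poster's hack and not pfSense's own), here is a small script that does that edit in a repeatable way: it comments out every active interfaces_use line while leaving the rest of the file untouched, is safe to run more than once, and can report which interface list is currently in force. The sample configuration is constructed for the example and the interface name in it is illustrative.

```python
import re
import sys

# Constructed sample in the style of a pfSense 2.2 /var/etc/ipsec/strongswan.conf;
# the interface name and other values are illustrative, not taken from the post.
SAMPLE_CONF = """\
charon {
    load_modular = yes
    cisco_unity = yes
    interfaces_use = em0
    plugins {
        include strongswan.d/charon/*.conf
    }
}
"""

# Matches an active (not already commented) interfaces_use assignment and captures
# its indentation so the commented line keeps the file's layout.
_KEY_RE = re.compile(r"^(\s*)interfaces_use\s*=")


def disable_interfaces_use(text):
    """Comment out every active 'interfaces_use = ...' line.

    Returns (new_text, changed).  Running it twice is safe: the second run sees only
    commented lines and reports changed=False with the text unchanged.
    """
    out = []
    changed = False
    for line in text.splitlines(keepends=True):
        m = _KEY_RE.match(line)
        if m:
            indent = m.group(1)
            out.append(f"{indent}# {line[len(indent):]}")
            changed = True
        else:
            out.append(line)
    return "".join(out), changed


def active_interfaces_use(text):
    """The interface list currently in force, or None if the key is absent or commented."""
    for line in text.splitlines():
        m = re.match(r"^\s*interfaces_use\s*=\s*(.*?)\s*$", line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No path given: show the effect on the constructed sample.
        new, changed = disable_interfaces_use(SAMPLE_CONF)
        sys.stdout.write(new)
    else:
        path = sys.argv[1]
        with open(path) as fh:
            new, changed = disable_interfaces_use(fh.read())
        if changed:
            with open(path, "w") as fh:
                fh.write(new)
        print("changed" if changed else "nothing to do")
```

    Two caveats that follow from the post itself: pfSense regenerates /var/etc/ipsec/strongswan.conf from vpn.inc (the poster saw it overwritten on a WAN drop), so an edit to the generated file alone does not persist, and charon has to be restarted for the change to take effect.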
  • How to get mobile IPsec clients to connect over 2nd WAN interface.

    0 Votes, 2 Posts, 797 Views
    Last reply: I solved the problem. I just created a routing entry under System/Routing, Routes tab: create a new route, insert the IPsec mobile clients' IP subnet and then choose the WAN2 gateway address. Now my remote users can connect over WAN2. Example:

        Destination Network: 10.0.10.0/24
        Gateway: Wan2 198.34.55.21
        Description: IPsec Mobile Clients
  • IPSec Phase 1 Renegotiation - Multiple SAs no Traffic

    0 Votes, 11 Posts, 5k Views
    Last reply: You normally have assigned the GRE interface, so for sure you need rules for that!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.