• Problem with IPsec tunnel between 2 pfsense 2.2 boxes.

    0 Votes
    7 Posts
    8k Views
    I have tried with MD5, SHA1 and also SHA256 with no luck, still the same error. I noticed that the IPsec widget on the dashboard only showed 1 tunnel, when before the upgrade it showed all 4, so I figured that something was off and the upgraded IPsec settings were fubar. I deleted all IPsec settings, both phase 1 and 2, from both boxes, and then created them again (with the same settings, screenshot-wise) but only one phase 2 tunnel, and now it works :) I then recreated the last 3 tunnels and it still works, so I guess that there was something in the config files that was upgraded wrong. The widget still only shows 1 of the 4 phase 2 tunnels, maybe that is a bug?
  • 4G connection + Ipsec = Lost Web interface

    0 Votes
    1 Posts
    831 Views
    No one has replied
  • IPSEC connects, Works for a while and then freezes

    0 Votes
    2 Posts
    1k Views
    Tried all above for the second day but still getting the same issue of IPSEC showing as connected but nothing getting through. >:( EDIT: Seems to be a rekeying issue, log entries as follow:
    Feb 16 16:49:50 charon: 07[ENC] generating CREATE_CHILD_SA request 141 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Feb 16 16:49:50 charon: 07[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (252 bytes)
    Feb 16 16:49:50 charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
    Feb 16 16:49:50 charon: 07[ENC] parsed CREATE_CHILD_SA response 141 [ N(NO_PROP) ]
    Feb 16 16:49:50 charon: 07[IKE] <con1|2> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] <con1|2> CHILD_SA rekeying failed, trying again in 20 seconds
    Feb 16 16:49:50 charon: 07[IKE] CHILD_SA rekeying failed, trying again in 20 seconds
    The log keeps repeating itself until the tunnel is manually disconnected and reconnected. All advice is appreciated. Regards
  • Ipsec logging

    0 Votes
    5 Posts
    1k Views
    All settings there are set to silent…
  • IPSEC DNS troubles after recent upgrade

    0 Votes
    6 Posts
    2k Views
    Thanks doktornotor  8)
  • PfSense 2.2 IPSec Dashboard widget does not reflect connected clients

    0 Votes
    1 Posts
    489 Views
    No one has replied
  • IPSec to Dlink DFL-260E over FQDN

    0 Votes
    1 Posts
    850 Views
    No one has replied
  • PFSense 2.1.x Duplicate IPSEC Remote Gateways

    0 Votes
    1 Posts
    766 Views
    No one has replied
  • Rekey fails then restarts

    0 Votes
    3 Posts
    1k Views
    What do you mean, a routing issue?  The tunnel works 98% of the time, then will drop out for two minutes.  All the networks are reachable from where they expect to be reachable from.  Thanks for your response, I'd like to look into it more if it's actually a potential cause.
  • PfS 2.2 / IPSec / Shrewsoft / Phase 2 Issues

    0 Votes
    9 Posts
    5k Views
    Okay, questions: 1. Does ShrewSoft support IKE v2? I'm currently using IKE v1 because I didn't think Shrewsoft supported v2. 2. The GUI states "Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done." So checking the box might not actually change anything? … please correct me if I'm wrong. Thanks A
  • Pfsense 2.2 VPN L2TP/Ipsec * Problem

    0 Votes
    2 Posts
    1k Views
    please refer to the old thread https://208.123.73.68/index.php?topic=83321.0
  • [2.2] Problem with Dynamic IP on strongSwan

    0 Votes
    5 Posts
    5k Views
    Probably DNS caches make this not work sometimes, probably the php cache in this instance. Anyhow the userid is a better choice in general.
  • Double Tunnels between two multiwan sites

    0 Votes
    9 Posts
    2k Views
    The first post you mentioned outlines the process. The patch mentioned is no longer required, there is a system option for that setting. If both ends are pfSense, it should be pretty straightforward. If the other end is some other vendor, you'll have to figure out a way to accomplish the same behavior (e.g., on MikroTik RouterOS, I have configured some scripts which resolve the dynamic DNS hostnames and modify the config accordingly). Just do it, and post your results ;)
  • Site to Site Tunnel with Mutual RSA stopped working after 2.2 upgrade

    0 Votes
    5 Posts
    2k Views
    Yeah this bug has been fixed in the repository and will come with pfSense 2.2.1 update.
  • IPSec

    0 Votes
    4 Posts
    1k Views
    Thanks all.  I do have DNS set in phase 2.  It simply does not work. See https://forum.pfsense.org/index.php?topic=88226.0 for an identical example with more thorough logs. I suspect a possible migration or upgrade issue, but I would need to find the time to do a clean install.
  • IPsec Tunnels with Peplink

    0 Votes
    3 Posts
    2k Views
    So I'm an idiot.  There wasn't an IPsec allow rule on the firewall setup.  In my defense, it's more than 3 private networks actually, and I didn't set things up, and sitting there staring at the firewall rules it kinda all looks dandy even when you're having problems.  Man, props to the peplink guys though as they went above and beyond.  Ha, in my defense again though, I'm the guy that stared at the pfctl -sa output and finally had things dawn on me.  Anyhow, if anyone else encounters this issue?  Don't be an idiot?
  • [Solved] IPSec IKEv2 in pfSense only allows one mobile client to connect.

    0 Votes
    16 Posts
    9k Views
    @maxxer: @zllovesuki: Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well. So to use IPsec with IKEv2 you need to import a cert on the mobile client? I managed to get IPSec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but cannot manage to get it to authenticate. I found here that android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here… Yes, you need to install/import the CA that issued the IPSec certificate.
  • Is /usr/local/www/charon.core a core dump file

    0 Votes
    2 Posts
    1k Views
    Yeah, this one can safely be deleted unless you intend to debug why it's crashing.
  • IPsec - Intended mechanism of CRL check

    0 Votes
    17 Posts
    5k Views
    Yeah, thanks for grasping this former question. Currently, everything is working as expected with the help of a correspondingly configured DNS forwarder. But I consider adding two CRL URLs to future certificates: one with a public address and one with a LAN address. I have just spent some time re-issuing most of my certificates due to their 1 year expiry range, and I am glad not to be forced to do it again, although those certificates do just protect my ambitious home LAN ;) Regards, Peter
  • Brand new way to be locked out :)

    0 Votes
    3 Posts
    1k Views
    @jimp: If the Phase 1 was between the WAN IP of the firewall and the IP address you were coming from. Yes, good guess, I didn't think of it while trying to regain access. It might be a good idea to (at least) add a line somewhere about "changing IP address". It would also resolve "5 Locked Out by Too Many Failed Login Attempts".
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.