• IPSec (VTI) + BGP / GCP

    0 Votes
    2 Posts
    357 Views

    Figured it out - had to set a separate allow all Prefix List to each neighbour.

  • My IPSEC service hangs

    0 Votes
    76 Posts
    23k Views

    @scottself said in My IPSEC service hangs:

    https://redmine.pfsense.org/issues/13014

    It says on the redmine where it will be implemented.

    Plus Target Version: 23.05
  • pfsense/IPSec FIPS mode?

    0 Votes
    1 Posts
    429 Views
    No one has replied
  • IPSEC VPN Passes traffic out but not in

    0 Votes
    3 Posts
    404 Views

    Log entries on the pfSense, showing it's clearly getting the Ping response back; I'm just not sure how to find out what it's doing with it after that. I've removed a few repetitive entries but nothing that seems pertinent.

    May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution
    May 4 14:57:21 charon 46137 16[JOB] next event in 88ms, waiting
    May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution
    May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> sending DPD request
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> queueing IKE_DPD task
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating IKE_DPD task
    May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> order payloads in message
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating INFORMATIONAL request 1585 [ ]
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating payload of type HEADER
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating ENCRYPTED payload finished
    May 4 14:57:21 charon 46137 09[NET] <con2|12> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (80 bytes)
    May 4 14:57:21 charon 46137 04[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500]
    May 4 14:57:21 charon 46137 16[JOB] next event in 3s 999ms, waiting
    May 4 14:57:21 charon 46137 02[NET] received packet => 80 bytes @ 0x7fffdfdfa5f0
    May 4 14:57:21 charon 46137 02[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500]
    May 4 14:57:21 charon 46137 02[ENC] parsing header of message
    May 4 14:57:21 charon 46137 02[ENC] parsed a INFORMATIONAL response header
    May 4 14:57:21 charon 46137 02[NET] waiting for data on sockets
    May 4 14:57:21 charon 46137 09[NET] <con2|12> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (80 bytes)
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing body of message, first payload is ENCRYPTED
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> starting parsing a ENCRYPTED payload
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload, 52 bytes left
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload finished
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying payload of type ENCRYPTED
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload verified, adding to payload list
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload found, stop parsing
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> process payload of type ENCRYPTED
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> found an encrypted payload
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed content of encrypted payload
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying message structure
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed INFORMATIONAL response 1585 [ ]
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> nothing to initiate
  • Route traffic through ipsec tunnel

    0 Votes
    10 Posts
    1k Views

    @viragomann We got it sorted out....

    on the main the tunnel to the 3rd party on the local network was using 1.0/24 and this needed to be 0.0/16

  • Why cannot use ipsec as gateway?

    0 Votes
    1 Posts
    235 Views
    No one has replied
  • How to route traffic to specific subnet via ipsec?

    0 Votes
    9 Posts
    878 Views

    @realtebo
    This should work anyway. It only needs a properly configured p2 with a local subnet which includes an interface IP of pfSense.

  • DNS not resolving over VPN

    0 Votes
    6 Posts
    924 Views

    Since this is basically my same problem.
    I set up a site-to-site VPN.
    Site 1 is a remote office.
    Site 2 is our DC with our domain controller and DNS servers.
    Users at site 1 need to reach systems by DNS at site 2.

    I added a Domain Override to the DNS Resolver in the pfSense firewall at site 1 with our domain and the DNS server at site 2 to send the queries to. When I did this, the only thing that can be resolved by DNS is my primary domain controller. It happens to be a DNS server as well.
    I've tried adding the DNS servers at site 2 to the General Setup DNS server list as well, after the ISP DNS servers.
    At site 2 I have a WatchGuard firewall.
    I looked at this as well: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html#ipsec-fwtraffic
    but I don't think this is related, since if I set the DNS server on a local machine to the IP of the DNS server at site 2 I can resolve everything at site 2. I'd like to just do this through the pfSense at site 1.

    I just put my domain DNS server as the primary DNS for the DHCP leases ( Services / DHCP Server / LAN) then google DNS, and then lastly our ISP DNS. Everything works as expected this way.

  • Site To Site VPN between pfsense sometimes fails

    0 Votes
    1 Posts
    295 Views
    No one has replied
  • IPSec from VLAN on site 1 to /16 subnet on site 2??

    0 Votes
    1 Posts
    298 Views
    No one has replied
  • 1 Votes
    1 Posts
    527 Views
    No one has replied
  • trusted ip - ipsec

    0 Votes
    1 Posts
    255 Views
    No one has replied
  • PFSense IPSec vpn stops connecting to target

    0 Votes
    3 Posts
    703 Views

    @obi Solved!
    The problem was caused by the remote network configuration: two VPN clients used the same P2 local IP.

  • ipsec-faulty

    0 Votes
    1 Posts
    283 Views
    No one has replied
  • Terribly slow throughput over IPsec site-to-site VPN tunnel

    0 Votes
    5 Posts
    1k Views

    Found a similar older topic:
    https://serverfault.com/questions/734086/slow-cifs-file-copy-over-routed-network-with-different-bandwidths
    However, disabling Jumbo and NetBIOS doesn't help...
    Our internet provider (TIM) suggested that it's a CIFS issue, because Windows file transfer works fast over LAN but not over WAN interfaces... In fact, iperf test values are in the order of 260 Mbit/s, as sender and receiver, and that's good... They recommended reducing the Windows MTU to 1490 but the throughput is the same... Does anyone have some tuning to suggest?

  • Phase 1 proposal (authentication) only Mutual Certificate/PSK available

    0 Votes
    4 Posts
    772 Views

    @jimp Thank you sir, that did the trick, after I setup mobile config, applied settings and saved the authentication fields appeared.

    Much appreciate the assist sir.

  • Site-to-Site IPSec Tunnel With One Dynamic IP

    0 Votes
    5 Posts
    912 Views

    @bert-0
    As you wrote above, the IPSec status shows that the connection is established. So it might not be blocked at all.

  • Printer Setup

    0 Votes
    3 Posts
    618 Views
    GertjanG

    @michmoor

    Look at the number of posts of that user: 1

    So, on the triple point:


    and flag the post.

    Later on, as by magic, the polutware will be gone.

  • Road warriors with dual WAN

    0 Votes
    1 Posts
    430 Views
    No one has replied
  • Site-to-Site VPN after 2.6 upgrade stop working

    0 Votes
    21 Posts
    3k Views

    Want to confirm we're seeing the exact same thing here - we've got a bunch of 2.4.x in production we just upgraded to 2.6.0, with quite a few tunnels going between them, and it's been running flawlessly for 2 years now. All are running virtually, and on the other side we've got a mix of Netgate 2100s recently upgraded to 23.01.

    The issue only happens between some 2.6.0s - we'd see things hang with both sides trying to initiate. In the logs: "ignoring acquire, connection attempt pending". We used nearly half a day debugging this, and the only way to get things to come up reliably (and so far, stay up), was to roll back one side to 2.4.4. Tunnels suddenly came up.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.