Also this:

Disabled "MOBIKE" on y.y.y.y (This feature was only enabled on y.y.y.y)

@periko Thought so.
The issue is with ipsec configuration.
Pls elaborate

@craigerr1 is P2P? Mobile?
Have u open the rules in both sides to allow traffic on your firewalls->rules->ipsec?
Regards!!!

@arobin
Depends what you're trying to achieve. You didn't mention at all.

Your existing rules on A allows access from site B 10.0.10.0/24 to site A 10.100.1.0/24.

However, there is additionally a rule on DMZ at B needed for passing traffic to the remote site.

@alejjime Reviewing the pfSense configuration of my Azure network, I noticed the time zone was different than that of my client's servers, and I have already changed it, as well as that of my Windows server with the SFTP application, so they are already synchronized with my client's servers.
I made that adjustment thinking that the date/time difference might generate an asynchrony problem, but the problem persists.

@artooro said in IPSec hang with 11 P2s:

It looks like it will be quite awhile before 2.6.0 is ready for release though. So we may have to revert to 2.4.5 in the meantime.

Target for release is early next month, it's really almost done except for a few items still being worked on. Overall I'd say it's likely to be more stable than 2.5.2 for many, especially in terms of IPsec.

@nocling said in IKE2 EAP-MSCHAPv2 send pfsense DNS but windows client won't use it.:

http://woshub.com/dns-resolution-via-vpn-not-working-windows/

Interesting article, I have try and works...thanks for the info!!!

This is now sorted! Outbound NAT rules a small step that doesn't seem to be mentioned in the docs

Hello,

I fixed this by applying the patch listed here:

https://redmine.pfsense.org/issues/11933

Thanks.

@rostyslav-didus

4.For some reason after pfsense reboot,it doesn't bring up Chield SA entries.
Maybe,I haven't noticed some mark to bring it up automatically?
-240 18-11-21.png

@cswroe thanks for quick reply I appreciate it.

maybe you could give a hint regarding load balancing algorithm in case with specific remote LAN reachable behind two separate tunnels? will it be ECMP?

pfsense-p2.png

OK, I found this answers my question:

https://forum.netgate.com/topic/113227/ikev2-vpn-for-windows-10-and-osx-how-to

In short, it needs a workaround - add-vpnconnectionroute.

Thanks
Adrian

@viktor_g Thanks - i'll give that a try

Hello,

Kind reminder :)

@spearhead1 As you say that both phase 2 SA are connected, can you see packets going out when you go to Status / IPsec / Overview and click on + Show chiild SA entries?

If not, can you see the unencrypted traffic coming from 10.225.172.0/24 in a packet capture?

If yes, can you confirm that this is the right traffic by doing a packet capture on the IPsec interface?

@rex2020
as a quick workaround, i muted all logging controls by setting them to silent:

a9470e32-0f66-44fc-a0b0-80d3faca2e9f-grafik.png

https://forum.netgate.com/topic/163221/constraint-check-failed-rule_crl_validation-is-stale-but-requires-at-least-good/3

Same issue as this one, which had no responses.

@lst_hoe

@periko I would like to know if it is planned to add route pushing to Windows clients using DHCP option?

Thanks.

@jimp I'd love to see an opinion from Netgate about this scenario when you got some time; can't be that I'm the only one running site to site IPsec tunnels with dynamic IPs and FQDNs as identifiers.

@carl2187 It appears that using a route-based IPSec tunnel (VTI) resolves the PMTUD issue, without need for any other workarounds.

@rai80 Thank you - I saw that bug report but still couldn't get things working.

However, on this thread @stephenw10 answered a general query I had about PMTUD not appearing to work. It seems that PMTUD with policy-based IPSec does not work, but it does work with route-based IPSec. In my case, I have been using a policy-based IPSec tunnel. As soon as I set up route-based IPSec (with static routes at the moment, but I'm sure BGP will work too) then my RADIUS/EAP-TLS issue disappeared - and with scrubbing enabled (i.e. default pfSense settings).

@tomwork Thank you for sharing this great script, we have the same problem with the AWS tunnels ;-)
We have a CARP HA setup and wanted to have it on both nodes.
Therefore we need a check, that the script only starts down tunnels only if the CARP state is MASTER and is not active on the BACKUP node.
Here it is - there may be better solutions but it works

#!/bin/sh # check for MASTER master=`ifconfig | grep "carp: MASTER"` if [ -z "$master" ]; then echo "CARP Backup => exit script" exit; fi echo "CARP Master verifying IPSec tunnels..." tunnels=$( /usr/local/sbin/ipsec statusall | /usr/bin/grep dpddelay | /usr/bin/cut -d':' -f1 | /usr/bin/tr -d ' ' ) for i in $tunnels; do if /usr/local/sbin/ipsec status $i | /usr/bin/grep -q 'no match'; then echo "tunnel $i down" /usr/local/sbin/ipsec up $i fi

Much obliged !

@nikhilsalunke Is it possibly linked to this?

https://forum.netgate.com/topic/89558/ipsec-pmtu/17?_=1634945881916

EAP / RADIUS can cause UDP packets that need to be fragmented and relies on PMTUD working.

@steveits Thank you very much, I just changed the setting. Let's see if that helps. Seems this issue pops up after some days or running.
I appreciate such fast response.