• ipsec vti routing can only get to firewall, no clients

    0 Votes
    17 Posts
    1k Views
    @realityman_ In my opinion this is not pfSense... maybe you have some dynamic firewall on the host that bans your IP?
  • IPSec Tunnel stops working if I try to SSH to the other Firewall

    0 Votes
    1 Posts
    216 Views
    No one has replied
  • Is "Mutual RSA" to be considered safe?

    0 Votes
    4 Posts
    472 Views
    @jimp Thank you!
  • IPSec VTI intermittently stops passing traffic

    0 Votes
    5 Posts
    676 Views
    cemyl95
    @marcquark Thanks! It'll probably be a day or two before I can get over to the far side to try this but I'll let you know how it goes.
  • IPSec on Virtual IP fails auth

    0 Votes
    1 Posts
    191 Views
    No one has replied
  • IPSec tunnel and VoIP

    0 Votes
    3 Posts
    426 Views
    @froussy I have this kind of problem when PHP is eating all CPU on my pfSense (check my post). Is your CPU load ok when you have problems?
  • Mobile IPSec + Routed Site to Site

    1 Votes
    2 Posts
    290 Views
    cemyl95
    @trs_91 I've been running into the same issue. I haven't had time to troubleshoot it really (my workaround is to RDP into a local server then jump over the site to site from there) but I'm interested to see where this thread goes.
  • IPSEC pfSense to pfSense with one behind another pfSense

    0 Votes
    1 Posts
    163 Views
    No one has replied
  • IPSEC tunnel to 0.0.0.0/0 problem

    0 Votes
    1 Posts
    280 Views
    No one has replied
  • ping failed

    0 Votes
    2 Posts
    202 Views
    Hi, do you need any other information? Thanks.
  • IPsec: CREATE_CHILD_SA request failed

    0 Votes
    1 Posts
    399 Views
    No one has replied
  • Timeout saving IPSECs

    0 Votes
    4 Posts
    436 Views
    I restarted the unit. The GUI reports "configuring IPSEC VPN.." and it took a lot of MINUTES to complete it... Connected via SSH during boot I see php-fm + php-cgi working a lot
  • How to nat OPT interface to WAN and get it through tunnel?

    0 Votes
    1 Posts
    183 Views
    No one has replied
  • Can i use only 2 Phase2 per phase1 on pfsense?

    0 Votes
    5 Posts
    510 Views
    I set the IKE to V2 now. There is no traffic yet. I have to check if this is running before I can proceed to fight with the firewall and the routing, I think.... But the child SAs always tell me the first 2 available connections that are enabled, and no matter which one. This time it shows only one; maybe the 2nd server on the other side is switched off. I cleaned the IP address out because it's a public IP:
    con1000: #236 192.168.33.61/32 Local: cd989838 Remote: 60c4ba15 xxx.xxx.xxx.xxx/32 Rekey: 2542 seconds (00:42:22) Life: 3472 seconds (00:57:52) Install: 128 seconds (00:02:08) AES_CBC HMAC_SHA1_96 IPComp: none Bytes-In: 0 (0 B) Packets-In: 0 Bytes-Out: 0 (0 B) Packets-Out: 0
    When I disable these first two entries it shows me (again I cleaned addresses out for being public, this time all):
    con1000: #238 xxx.xxx.xxx.xxx/32 Local: c144a229 Remote: 549b87ca xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.xxx/32 Rekey: 2892 seconds (00:48:12) Life: 3595 seconds (00:59:55) Install: 5 seconds (00:00:05) AES_CBC HMAC_SHA1_96 IPComp: none Bytes-In: 0 (0 B) Packets-In: 0 Bytes-Out: 0 (0 B) Packets-Out: 0
    Of course the remote addresses are different ones from the one before.
  • Cisco VXR to Pfsense GRE Tunnel

    0 Votes
    2 Posts
    364 Views
    pfSense settings:
    Internet Protocol: IPv4
    Interface: WAN
    Authentication method: Mutual PSK
    Negotiation mode: Main
    My identifier: x.x133.66
    Peer identifier: x.x96.242
    Pre-Shared Key:
    Policy Generation: Default
    Proposal Checking: Default
    Encryption algorithm: AES 256bits
    Hash algorithm: SHA
    DH key group: 5
    Lifetime: 28800
    NAT Traversal: Disable
    Dead Peer Detection Enable: 10 seconds, 5 retries
  • IPSEC Problem 0.0.0.18/32 address

    0 Votes
    1 Posts
    210 Views
    No one has replied
  • IKEv2 - Phase 1 - 'Pre-Shared Key' field not available/visible

    0 Votes
    2 Posts
    236 Views
    jimp
    You appear to be editing a mobile IPsec tunnel. That's not the same as what you're reading in the docs. For site-to-site tunnels, yes, Mutual PSK will show that field and button. For mobile IPsec, each user has their own key, so you add them on the Pre-Shared Keys tab.
  • 0 Votes
    8 Posts
    771 Views
    @gribfk
    1. show the phase-2 settings
    2. show the output of the command ipsec statusall after the IPSEC connection is established
    3. show the firewall rules on the VLAN10 interface
    4. show the output of the command tcpdump -netti enc0 when trying to access the 172.16.0.0/16 network
  • Mobile IPSec tunnel fails on big WAN flows (MSS issue)

    0 Votes
    2 Posts
    371 Views
    Shameless bump... Any ideas very much welcome. It's odd that the same config works fine elsewhere. It's not the encryption engine as I can do 300Mbit between sites LAN to LAN. It's only when WAN is involved. Thanks, James
  • Firewall blocking IPSec traffic

    0 Votes
    1 Posts
    182 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.