  • Entire PF host locks up when changing VTI MTU

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • My battle with Site-to-Site IPSEC (VTI): A tutorial of sorts

    1
    3 Votes
    1 Posts
    1k Views
    No one has replied
  • IPsec Mobile Clients don't receive traffic seen on IPsec interface

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • NAT with multiple Phase2 entries does not seem to work correctly

    3
    0 Votes
    3 Posts
    264 Views
    M
    I am seeing the same thing here. I have the split connections box checked. Remote side has x8 P2's to our side which has x1 NAT'd IP. Tunnel will come up with all x8 P2's up and working... after a period of time one or two or three will disappear and will not show in IPSEC status as a child that is down. I also note that the widget in the portal does not display the correct number of tunnels that are up and active. ver 2.4.5 rel + XG1537HA
  • Multiple Phase2 entries does not seem to work in IPSec.

    4
    0 Votes
    4 Posts
    561 Views
    S
    @jimp said in Multiple Phase2 entries does not seem to work in IPSec.: uld try it again but use a unique value corresponding to e 172.31.1.60 and 10.10.10.1 ip for lan interfaces 172.31.1.91<Nat>10.255.68.201
  • One static, 1 dynamic address ...

    2
    0 Votes
    2 Posts
    289 Views
    O
    OK. For anyone's interest this does work. 1 - Turn off automatic firewall creation on the pfsense. 2 - Set the wan address in phase 1 to 0.0.0.0. 3 - In phase 1 advanced select responder only. 4 - Create any/any firewall rule in IPSEC rules. 5 - Create UDP/500, UDP/4500 and ESP all rules. And we have success, thanks in no small part to some very patient support staff.
  • ipsec rsa auth issue

    Moved
    5
    0 Votes
    5 Posts
    445 Views
    jimp
    No, it's me stating that it works fine for myself and others, and requesting more information (which you still did not provide). If you give us enough information to help, we can help, but so far you have not given us anything to go on. We need details, such as logs and specifics about your configuration (like screenshots).
  • DNS IPSEC

    1
    0 Votes
    1 Posts
    256 Views
    No one has replied
  • OPENVPN and IPSEC on same pfsense SG3100 ?

    3
    0 Votes
    3 Posts
    218 Views
    O
    @Rico thanks, that will mean my problems are elsewhere!
  • DNS not working for Ipsec clients

    2
    0 Votes
    2 Posts
    186 Views
    C
    @cre8toruk Duh.. added UDP any any on the ipsec interface and voila! Schoolboy error there! :-)
  • IPSEC pfSense to PaloAlto

    2
    0 Votes
    2 Posts
    436 Views
    M
    Just forgot one thing - the pfSense is located behind a router that forwards UDP ports 500 and 4500 to it.
  • Encrypted GRE tunnel from Pfsense to Cisco Router

    6
    0 Votes
    6 Posts
    1k Views
    J
    No worries. Thanks anyways!
  • VPN error in logs every few mins, everything works but

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • IKEv2 with EAP-MSCHAPv2 changing from IP to DNS name

    2
    0 Votes
    2 Posts
    303 Views
    jimp
    You shouldn't need to touch the cert on the clients. They would only have the CA, not the server cert. All you need to do is change the server cert and then change where the clients connect. And for the record, the cert should have the hostname and IP address in the SAN list. But if you put the hostname in the CN, pfSense automatically adds a SAN for that as well, so it should be fine.
  • Interface (ipsec6000) not being added for VTI tunnel

    6
    0 Votes
    6 Posts
    646 Views
    M
    I changed it to use a gateway group, as per https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover now it works as expected.
  • IPsec tunnel(s) to 1 host with no network behind it.

    1
    0 Votes
    1 Posts
    199 Views
    No one has replied
  • IPsec and OpenVPN

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • Adding a second IPSec Tunnel to a different gateway

    1
    0 Votes
    1 Posts
    190 Views
    No one has replied
  • IPSEC mobile client question - DNS and Routin

    1
    0 Votes
    1 Posts
    251 Views
    No one has replied
  • IPSEC Phase 2 address configuration causing SSL

    ipsec ssl error ssl timeout
    2
    0 Votes
    2 Posts
    493 Views
    C
    More details are in the attached file. I cannot seem to add it here, because it's supposedly spam. A little frustrating. MoreDetails.txt
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.