• Setting up an IKEv2/IPsec VPN on SG-3100 to route all internet traffic

    0 Votes
    1 Posts
    305 Views
    No one has replied
  • IPSEC messages and behavior has me confused

    0 Votes
    6 Posts
    1k Views
    Encountered the same error messages and symptoms. I had misconfigured the PFS on one of the Phase 2 connections. Setting both to the same option resolved the issue.
  • pfsense as IPSec client

    0 Votes
    3 Posts
    434 Views
    JeGr
    What I want to do is to remove the requirement for my PC at home to have to connect manually as a client when I want to access my work's VPN. Doing so without having (written) permission to do so from your company or institution would most certainly be breaking several guidelines or compliance rules. And I can tell you that network/security/IT guys wouldn't be very happy with you if they found out that you simply hooked your full home network into their corporate network. You simply don't. Had to do that 15 years ago for a CEO. He nearly wiped out his company network by his son running amok on the private network that he forced us to hook into the corporate one. Simply no.
  • IPsec failover - without dyndns

    0 Votes
    3 Posts
    648 Views
    It is a pretty old post, but I would like to add what I did recently (not perfect, but working to some level); feedback would be nice to make it perfect. What I did is mentioned below.
    ON LOCAL SIDE:
    Create a gateway group on the pfSense, i.e. GW1_GW2, and change priority to Tier 1 & Tier 2 respectively.
    Assume Tier 1 GW IP is 10.10.10.10
    Assume Tier 2 GW IP is 20.20.20.20
    Local Subnet: 172.16.0.0/24
    Create Phase 1 & assign the GW1_GW2 gateway group as interface to IPsec:
    GW1_10.10.10.10 (Primary - alive)
    GW2_20.20.20.20 (Secondary - idle)
    Add Phase 2: Local Subnet 172.16.0.0/24 <--> Remote Subnet 192.168.0.0/24
    ON REMOTE SIDE:
    Configure two tunnels:
    Phase 1 for 10.10.10.10 --> Phase 2 Local Subnet 192.168.0.0/24 <-- Remote Subnet 172.16.0.0/24 (Primary - alive)
    Phase 1 for 20.20.20.20 --> Phase 2 Local Subnet 192.168.0.0/24 <-- Remote Subnet 172.16.0.0/24 (Secondary - idle)
    Now the tunnel will establish using the Tier 1 IP as peer IP; if the Tier 1 connection is down, it will establish using the Tier 2 IP. I have tested this scenario and it works fine: it fails over to the Tier 2 IP, but when the Tier 2 IP is also down OR the Tier 1 IP is back online, it won't switch back to the Tier 1 IP. To force the change I have to restart the IPsec service. Is there any way to force an IPsec service reload upon disconnection?
  • Disconnected phase 2 IPSEC pfsense2.4.4-FORTIGATE

    0 Votes
    11 Posts
    1k Views
    @Konstanti Thank you Konstanti. The problem is resolved with:
    - Enable Replay Detection checked
    - Enable Perfect Forward Secrecy checked
    - Auto-Negotiated checked
  • Need help with phase 2 to Juniper SSG

    0 Votes
    2 Posts
    147 Views
    I finally got it to work; roughly these are the settings (I know they are the least secure, but they work):
    P1: 3des, md5, dh 2
    P2: 3des, md5, dh 2, esp
    aggressive: yes
    DPD: yes
    monitor MUST be used. autokey ike advanced: check vpn monitor + optimized + rekey
    set proxy-id to class C networks
  • IPSEC connectivity dropping (tunnel stays UP)

    0 Votes
    5 Posts
    751 Views
    @awebster Hello! Thanks for the input! I've checked the Phase 2 configuration and they are using a lifetime of 3600, as per the AWS configuration file:
    ! #2: IPSec Configuration
    !
    ! The IPSec transform set defines the encryption, authentication, and IPSec
    ! mode parameters.
    ! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
    ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    ! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
    Expand the VPN configuration clicking in "+" and then create a new Phase2 entry as follows:
    a. Disabled: uncheck
    b. Mode: Tunnel
    c. Local Network: Type: LAN subnet; Address: ! Enter your local network CIDR in the Address tab
    d. Remote Network: Type: Network; Address: ! Enter your remote network CIDR in the Address tab
    e. Description: Amazon-IPSec-vpnxxx
    Phase 2 proposal (SA/Key Exchange)
    a. Protocol: ESP
    b. Encryption algorithms: aes128
    c. Hash algorithms: hmac-sha1-96
    d. PFS key group: 2
    e. Lifetime: 3600 seconds
  • PfSense l2tp ipsec server and Mikrotik

    0 Votes
    1 Posts
    992 Views
    No one has replied
  • Internet traffic through IPSEC - Fallback

    0 Votes
    2 Posts
    614 Views
    Hi, I have the same question. Did you get any solution for this problem? Stefan
  • Phase 2 is not establishing

    0 Votes
    7 Posts
    1k Views
    @jimp You were exactly right, the issue was on the remote end. Thank you very much for your help; it's good to have experts like you here. Good luck to you. SOLVED!
  • Phase 2 : "invalid HASH_V1 payload length" error

    0 Votes
    19 Posts
    4k Views
    @gchialli said in Phase 2 : "invalid HASH_V1 payload length" error:
    I apologize for replying to this old topic, but I'm having the same issue, I think. I'm on 2.4.4-p1. I have already bumped the max_ikev1_exchanges value to 50, but the errors keep happening, and the tunnel restarts every 2 minutes. @cukal Have you been able to find a solution for this? Thank you
    Hello, just wanted to update the forum that my issue got resolved. It was caused by one proxy-id configured with the wrong prefix-length on the other side. Thanks
  • ICMP traffic allowed over IPsec by default?

    0 Votes
    6 Posts
    2k Views
    jimp
    What is in Diagnostics > States matching ICMP before you start a new ping attempt? Have you tried killing/resetting states between tests? There is nothing special about ICMP vs TCP or UDP in the rules. They are all treated equally when it comes to evaluating the ruleset. You may also need to look at the detailed output from pfctl -vvss for the ICMP states matching your ping and compare them with the related info in pfctl -vvsr to see which rule(s) allowed the state to be created.
  • IPSec site to site with access to other sites

    0 Votes
    7 Posts
    827 Views
    Derelict
    You don't use static routes for IPsec unless you're using VTI.
  • IPSec VTI is a dream...

    1 Votes
    1 Posts
    215 Views
    No one has replied
  • IPSEC Routing from LAN not working

    0 Votes
    1 Posts
    237 Views
    No one has replied
  • Connecting from different mobile IPSec clients to the same pfSense

    0 Votes
    2 Posts
    327 Views
    jimp
    There is no way to have more than one mobile configuration at this time. Though I have yet to see the strongSwan app fail to connect, since pfSense uses strongSwan for the server. Odds are that it's just a client misconfiguration. Share more details about the configuration and error messages / logs and it can likely be solved.
  • Have P1/P2 tunnel and vti run at the same time?

    0 Votes
    1 Posts
    162 Views
    No one has replied
  • VPN Site-to-Site between Fortigate (AWS) and Netgate SG-1100 (PfSense)

    0 Votes
    4 Posts
    1k Views
    stephenw10
    No problem.
  • Routing between Multiple IPSec Tunnels, AWS/Oracle

    0 Votes
    2 Posts
    458 Views
    stephenw10
    You label only one tunnel there as VTI but whether the routing is dynamic or static if you are routing it must be VTI. If the tunnel to Oracle is policy based then do you have the correct P2s to carry traffic sourced from the AWS VPC? It sounds like they may be missing. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.