we need more information check the log and report here Status / System Logs / VPN / L2TP (Service\Login)

@bramqu I have the same setup and can not get it to work van you please sent me the working config as well? Kind regard Mark

Courtesy of AWS support this issue was due to the following: I selected BGP routing in the pfSense AWS VPC Wizard IPSEc tunnels were ESTABLISHED (UP), but BGP was stuck in 'Connect' state and hence "DOWN" The peer-proposal SA was created as : 172.16.0.0/24 --> 192.168.0.0/16 which implies that both the tunnels were configured as 'Policy based' VPN. This also implies that BGP was not configured on the XG-7100 device for the VPN (because BGP is 'Route'-based VPN always). They suggested the following resolutions: Recreate the VPN in the AWS Console using "Static" routing instead of "Dynamic" Configure BGP as per 'Download configuration' on the customer gateway device [Note: I expected the AWS VPC Wizard to do this for me] I deleted the resources and started the pfSense AWS VPC Wizard from scratch, selecting Static routing instead, and this time it succeeded and enabled me to ping the EC2 host in the private subnet from the XG-7100.

@markvanderhurk Maybe it's some kind of internal system failure, because I have not met with such an error yet. And I don't think that Strongswan is not able to count the length of the message (sadb_msg).

Did you ever get a solution to this missing route problem on Windows 8?

yes, it's work ;) and ping with -S flag work too without static route

Noone has any ideas, are ther any logs or such I can supply to enlighten things?

Firewall --> Rules --> IPSec was where I needed to be Have it working now

Yes, that will then carry only traffic between those specific hosts. Steve

The client decides what traffic to send over. I think there's a checkbox in the VPN settings. Some people use powershell.

For the Mac, try setting up the VPN using a profile instead of manually. It sometimes behaves differently.

I ended up setting up a wpad.dat file and configuring dhcp option 252 and dns wpad A record for auto proxy config to work around this. Would have preferred inline/transparent filtering but it will work for now.

Solution can be found here: IIPsec to Mikrotik

Indeed, for mobile it's hard to beat. If you need to use only included clients (in Windows) it's IKEv2 with EAP-MSCHAPv2 and that can be painful. https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html Steve

@hamed_forum Hey Host 88.88.88.88 does not respond to a sent packet You need to check the settings on the other side of the tunnel.