• IPsec with AWS

    2
    0 Votes
    2 Posts
    362 Views
    S
    I have an IPsec tunnel set up. I even went and set up bidirectional rules for IPsec. The problem I am having is that when I ping my host in my VPC, it sends that ICMP traffic to my LAN interface and not the IPsec interface as it should have (per the policy-based rules). I had several peers look over my rules and all said it should work.
  • IPSEC VPN server and Site-to-site connection

    ipsec server site-to-site
    2
    0 Votes
    2 Posts
    692 Views
    kiokoman
    You can have multiple tunnels configured, I don't see why not.
  • IPsec Phase 1 and Phase 2 connected but no routing to tunnel

    6
    0 Votes
    6 Posts
    837 Views
    G
    I thought so, there have to be installations with many SAs. But who really knows. I transferred the settings to an alternative firewall and the tunnel was established immediately and the routing worked. I will try to reconstruct the problem and post the logs
  • 0 Votes
    10 Posts
    2k Views
    M
    That's it! It's the most important part of the whole tutorial, which got lost just between the lines :/ In my case I had to enter "Rocky*** Certificate Authority". @Konstanti: Thank you sooo much for your help! And I'm so sorry for asking such stupid questions :/ At least I know another possible way: I can set up my IKEv2 without having to set up profiles. Marti
  • IPSEC will not apply setting

    3
    0 Votes
    3 Posts
    400 Views
    P
    Nothing, just these logs, I can't understand why... it's on brand new Dell hardware.
    From IPsec log:
        Jul 22 08:56:31 charon 11[IKE] <con3000|563> nothing to initiate
        Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating new tasks
        Jul 22 08:56:31 charon 11[NET] <con3000|563> sending packet: from 100.19.77.74[500] to 216.164.171.58[500] (108 bytes)
        Jul 22 08:56:31 charon 11[ENC] <con3000|563> generating INFORMATIONAL_V1 request 3146799562 [ HASH N(DPD_ACK) ]
        Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating ISAKMP_DPD task
        Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating new tasks
        Jul 22 08:56:31 charon 11[IKE] <con3000|563> queueing ISAKMP_DPD task
        Jul 22 08:56:31 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 1238973164 [ HASH N(DPD) ]
        Jul 22 08:56:31 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)
        Jul 22 08:56:31 charon 11[MGR] IKE_SA con3000[563] successfully checked out
        Jul 22 08:56:31 charon 11[MGR] checkout IKEv1 SA by message with SPIs 9d5e1f8e6adf1cbe_i e26f984e1fc164ba_r
        Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin of IKE_SA successful
        Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin IKE_SA con1000[559]
        Jul 22 08:56:23 charon 11[MGR] IKE_SA con1000[559] successfully checked out
        Jul 22 08:56:23 charon 11[MGR] checkout IKEv1 SA with SPIs 68e88993f39f80e4_i c2379c57f6bf9e70_r
        Jul 22 08:56:22 charon 11[MGR] <con3000|563> checkin of IKE_SA successful
        Jul 22 08:56:22 charon 11[MGR] <con3000|563> checkin IKE_SA con3000[563]
        Jul 22 08:56:22 charon 11[IKE] <con3000|563> nothing to initiate
        Jul 22 08:56:22 charon 11[IKE] <con3000|563> activating new tasks
        Jul 22 08:56:22 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 3928395168 [ HASH N(DPD_ACK) ]
        Jul 22 08:56:22 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)
        Jul 22 08:56:22 charon 11[MGR] IKE_SA con3000[563] successfully checked out
    From System log:
        Jul 22 08:00:07 check_reload_status Reloading filter
        Jul 22 04:00:24 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Jul 22 05:00:04 php [pfBlockerNG] Starting cron process.
        Jul 22 05:00:04 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
        Jul 22 09:00:04 check_reload_status Reloading filter
        Jul 22 05:00:37 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Jul 22 06:00:03 php [pfBlockerNG] Starting cron process.
        Jul 22 06:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
        Jul 22 10:00:03 check_reload_status Reloading filter
        Jul 22 06:01:09 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Jul 22 06:14:21 ix-pfsense.inolex.local nginx: 2019/07/22 06:14:21 [error] 9680#100494: *154050 "/usr/local/www/english/index.php" is not found (2: No such file or directory), client: 185.114.76.44, server: , request: "GET http://www.rfa.org/english/ HTTP/1.1", host: "www.rfa.org"
        Jul 22 07:00:07 php [pfBlockerNG] Starting cron process.
        Jul 22 07:00:07 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
        Jul 22 11:00:07 check_reload_status Reloading filter
        Jul 22 07:05:06 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Jul 22 07:31:31 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
        Jul 22 07:31:33 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
        Jul 22 08:00:03 php [pfBlockerNG] Starting cron process.
        Jul 22 08:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
        Jul 22 12:00:03 check_reload_status Reloading filter
        Jul 22 08:00:20 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Jul 22 08:25:22 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
        Jul 22 08:25:24 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
        Jul 22 08:34:18 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
        Jul 22 08:34:20 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
        Jul 22 08:44:24 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
        Jul 22 08:44:26 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
        Jul 22 12:57:31 php-fpm /status_logs.php: Successful login for user 'admin' from: 192.168.102.247 (Local Database)
        Jul 22 09:00:03 php [pfBlockerNG] Starting cron process.
        Jul 22 09:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
        Jul 22 13:00:03 check_reload_status Reloading filter
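The charon lines in the post above are the raw material for any IPsec troubleshooting, and the first thing to establish is which exchanges an IKE_SA is actually doing. The following is an added example, not code from the post, pfSense or strongSwan: it parses the `<conn|id>` tag, exchange type, payload list and peer address out of charon log lines in the format shown above and summarises them per IKE_SA, so a log that carries nothing but DPD keepalives (HASH with N(DPD)/N(DPD_ACK)) can be told apart from one that contains Quick Mode or rekey traffic. The sample input mixes lines copied from the post with one constructed QUICK_MODE line for contrast; the regular expressions match only the line shapes visible on this page.

```python
"""Summarise strongSwan charon log lines per IKE_SA (added example)."""
import re
from collections import Counter, defaultdict

# Shape of a charon line as logged by pfSense, e.g.
# "Jul 22 08:56:31 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 1238973164 [ HASH N(DPD) ]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<id>\d+)> )?(?P<msg>.*)$"
)
# "parsed/generating <EXCHANGE> request/response <msgid> [ payloads ]"
EXCHANGE_RE = re.compile(
    r"^(?:parsed|generating) (?P<exch>[A-Z0-9_]+) (?:request|response) \d+ "
    r"\[ ?(?P<payloads>[^\]]*?) ?\]$"
)
# Peer address from "sending packet: from A[500] to B[500]" / "received packet: from B[500] ..."
PEER_RE = re.compile(
    r"^(?:sending packet: from \S+ to|received packet: from) (?P<peer>[^\[\s]+)\[\d+\]"
)
# Payloads that make up an IKEv1 dead-peer-detection exchange (RFC 3706)
DPD_PAYLOADS = {"HASH", "N(DPD)", "N(DPD_ACK)"}


def parse_line(line):
    """Return the fields of one charon line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = f"{rec['conn']}[{rec['id']}]" if rec["conn"] else None
    return rec


def summarise(lines):
    """Per IKE_SA: exchange counts, payload counts, peer addresses, line count."""
    out = defaultdict(lambda: {"exchanges": Counter(), "payloads": Counter(),
                               "peers": set(), "lines": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sa"] is None:      # untagged MGR lines carry no SA context
            continue
        entry = out[rec["sa"]]
        entry["lines"] += 1
        em = EXCHANGE_RE.match(rec["msg"])
        if em:
            entry["exchanges"][em["exch"]] += 1
            entry["payloads"].update(em["payloads"].split())
        pm = PEER_RE.match(rec["msg"])
        if pm:
            entry["peers"].add(pm["peer"])
    return dict(out)


def dpd_only(entry):
    """True if the SA's only traffic is INFORMATIONAL_V1 DPD keepalives."""
    return (bool(entry["exchanges"])
            and set(entry["exchanges"]) == {"INFORMATIONAL_V1"}
            and set(entry["payloads"]) <= DPD_PAYLOADS)


SAMPLE_LOG = [
    # copied from the IPsec log in the post above
    "Jul 22 08:56:31 charon 11[NET] <con3000|563> sending packet: from 100.19.77.74[500] to 216.164.171.58[500] (108 bytes)",
    "Jul 22 08:56:31 charon 11[ENC] <con3000|563> generating INFORMATIONAL_V1 request 3146799562 [ HASH N(DPD_ACK) ]",
    "Jul 22 08:56:31 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 1238973164 [ HASH N(DPD) ]",
    "Jul 22 08:56:31 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)",
    "Jul 22 08:56:31 charon 11[MGR] IKE_SA con3000[563] successfully checked out",
    "Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin IKE_SA con1000[559]",
    "Jul 22 08:56:22 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 3928395168 [ HASH N(DPD_ACK) ]",
    # constructed line (not in the post): what a Quick Mode (Phase 2) exchange looks like
    "Jul 22 08:57:02 charon 11[ENC] <con1000|559> parsed QUICK_MODE request 2990452645 [ HASH SA No KE ID ID ]",
]

if __name__ == "__main__":
    for sa, entry in summarise(SAMPLE_LOG).items():
        kind = "DPD keepalives only" if dpd_only(entry) else "has non-DPD exchanges"
        print(f"{sa}: {dict(entry['exchanges'])} peers={sorted(entry['peers'])} -> {kind}")
```

Feed it the whole IPsec log (`clog /var/log/ipsec.log` on pfSense) and look at which SAs never show anything beyond INFORMATIONAL_V1; that tells you whether a setting change was ever negotiated or whether the daemon is only keeping an old SA alive.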
  • Pfsense box reach the remote network

    4
    0 Votes
    4 Posts
    413 Views
    V
    The IPsec setup is explained well and in detail in the docs: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html In short, assuming you have
        Site1 with LAN: 10.10.1.0/24
        Site2 with LAN: 10.11.1.0/24
    set the phase 2 at site 1:
        Local Network: 10.10.1.0/24
        Remote Network: 10.11.1.0/24
    At site 2 set the phase 2 the other way round:
        Local Network: 10.11.1.0/24
        Remote Network: 10.10.1.0/24
  • IPSEC Site to Site Between pfSense and Meraki MX Odd Behavior

    2
    0 Votes
    2 Posts
    466 Views
    M
    Do you have Snort active? For me things like this are always related to IDS.
  • 0 Votes
    2 Posts
    286 Views
    M
    After reading a book about VPNs I understood subnetting with an IPsec VPN and found the solution. Phase 2 must be configured like this:
        Phase 2 Local Network: LAN Network
        NAT / BINAT: 10.4.11.120/30
        Remote Network: 13.141.121.201
  • IPSec VTI pfSense 2.4.4 to pfsense 2.4.4

    7
    0 Votes
    7 Posts
    876 Views
    Derelict
    Just like you did for the route to 10.94.37.95/32 except on the other side of the tunnel and for 10.1.100.100.
  • IPsec P2 manual NAT possibility?

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • IPsec routed vti: phase2 not renewed

    12
    0 Votes
    12 Posts
    1k Views
    C
    @Abbys: luckily I still have the netstat output from the time the link was down:
        [2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
        169.254.22.149     link#27    UH      ipsec500
        169.254.22.150     link#27    UHS     lo0
    It's exactly the same now that the tunnel is up, except BGP has also installed a route to our AWS address space (10.30/16):
        [2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
        10.30.0.0/16       169.254.22.149    UG1     ipsec500
        169.254.22.149     link#27           UH      ipsec500
        169.254.22.150     link#27           UHS     lo0
    (The interface is actually ipsec5000, it's just been truncated in netstat output)
  • Route Traffic through two IPSEC tunnels (NAT)

    2
    0 Votes
    2 Posts
    433 Views
    M
    Just define a phase 2 for each of your C/D/E/F networks on the A-B tunnel (the networks are local networks for B and remote for A).
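Both the two-LAN answer above (Site1 10.10.1.0/24, Site2 10.11.1.0/24, Phase 2 entered the other way round at each end) and this one (one Phase 2 per B-side network, local for B and remote for A) come down to the same rule: every Phase 2 at one site must exist at the peer with Local and Remote swapped, or the Quick Mode proposal has no match and the tunnel for that pair never comes up. The following is an added example, not pfSense or strongSwan code, that checks a pair of Phase 2 lists for exactly that, and also flags entries whose local and remote networks overlap (the case that needs NAT/BINAT instead of a plain P2). The four B-side networks are constructed for the example; the 10.10.1.0/24 and 10.11.1.0/24 subnets are the ones from the answer above.

```python
"""Check that two IPsec peers' Phase 2 definitions mirror each other (added example)."""
from ipaddress import ip_network


def p2(local, remote):
    """One Phase 2 entry as (Local Network, Remote Network); hosts may omit the prefix length."""
    return (ip_network(local, strict=False), ip_network(remote, strict=False))


def unmatched(site, peer):
    """Entries of `site` that `peer` does not carry with local and remote swapped."""
    mirrored = {(remote, local) for (local, remote) in peer}
    return [entry for entry in site if entry not in mirrored]


def overlapping(site):
    """Entries whose local and remote networks overlap."""
    return [(local, remote) for (local, remote) in site if local.overlaps(remote)]


def check(site_a, site_b):
    """Return a list of problem strings; an empty list means the P2 sets mirror cleanly."""
    problems = []
    for name, site, peer in (("A", site_a, site_b), ("B", site_b, site_a)):
        for local, remote in unmatched(site, peer):
            problems.append(f"site {name}: P2 {local} -> {remote} has no mirror on the peer")
        for local, remote in overlapping(site):
            problems.append(f"site {name}: P2 {local} -> {remote} overlaps; use NAT/BINAT")
    return problems


# Two-LAN case from the answer above (Site1 10.10.1.0/24, Site2 10.11.1.0/24).
SITE1 = [p2("10.10.1.0/24", "10.11.1.0/24")]
SITE2 = [p2("10.11.1.0/24", "10.10.1.0/24")]

# Multi-network case: B has four LANs (addresses constructed for this example)
# reached from A over one tunnel, so there is one P2 per network on both ends.
A_LAN = "10.10.1.0/24"
B_LANS = ["10.20.0.0/24", "10.21.0.0/24", "10.22.0.0/24", "10.23.0.0/24"]
SITE_A = [p2(A_LAN, net) for net in B_LANS]           # remote for A
SITE_B = [p2(net, A_LAN) for net in B_LANS]           # local for B
# The same with one P2 forgotten on B: A keeps proposing it, B never agrees.
SITE_B_MISSING = SITE_B[:-1]

if __name__ == "__main__":
    print("Site1/Site2:", check(SITE1, SITE2) or "ok")
    print("A/B:", check(SITE_A, SITE_B) or "ok")
    for problem in check(SITE_A, SITE_B_MISSING):
        print("A/B with one P2 missing:", problem)
```

Entries are compared as parsed networks, so `10.10.1.5/24` and `10.10.1.0/24` count as the same P2; a host entered without a mask (as in the NAT/BINAT example earlier on this page) becomes a /32.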
  • 0 Votes
    3 Posts
    365 Views
    K
    @cyberfinn No See the documentation about the section config setup https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
  • IPSec tunnel with public ip in phase 2 (BINAT/Port Forward)

    3
    0 Votes
    3 Posts
    1k Views
    Y
    Sorry for the late reply... You are our hero! I feel kind of stupid, as we did not test it like this. Best wishes, Yannick
  • IKEv2 Connection / NAS IP Attribute FreeRADIUS

    2
    0 Votes
    2 Posts
    348 Views
    A
    https://redmine.pfsense.org/projects/pfsense/repository/revisions/f15fdef37ff7c1fcaecc73f2927ba1d7775032b0/diff It was WAN before. So no reason to change for me.
  • Roadwarriors with native app

    2
    0 Votes
    2 Posts
    471 Views
    A
    IKEv2 works for Windows (Powershell Commands needed + Regedit change), android (Strongswan app) and iOS (Apple Configurator 2).
  • IPSEC random disconnect & stall

    7
    0 Votes
    7 Posts
    1k Views
    Derelict
    It will reconnect when there is interesting traffic. It is generally imperceptible to the user. The IPsec logs will say exactly what is happening. Don't just change things unless the logs indicate what the problem is and whatever you change is related to that. https://docs.netgate.com/pfsense/en/latest/book/ipsec/ipsec-troubleshooting.html
  • IPSec and VLANS in 1 side

    ipsec vlans
    3
    0 Votes
    3 Posts
    411 Views
    periko
    @Derelict Thanks for your help.
  • Routed IPSEC not working

    13
    0 Votes
    13 Posts
    1k Views
    J
    The tunnel also didn't route IPv6 over itself, even though I had IPv4 & IPv6 P2s defined. Again, from the command line I did this on one side:
        ifconfig ipsec1000 inet6 2600:3c01:e000:31e::2 prefixlen 112
    and this on the other:
        ifconfig ipsec1000 inet6 2600:3c01:e000:31e::1 prefixlen 112
    Giving me this:
        ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
                tunnel inet 96.126.96.153 --> 73.140.16.217
                inet6 fe80::84b8:2eb3:a617:de8a%ipsec1000 prefixlen 64 scopeid 0x6
                inet6 2600:3c01:e000:31e::2 prefixlen 112
                inet 10.20.30.1 --> 10.20.30.2 netmask 0xfffffffc
                nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                reqid: 1000
                groups: ipsec
    And IPv6 worked.
  • Missing packets

    2
    0 Votes
    2 Posts
    382 Views
    Derelict
    Something probably changed in the path MTU between the two sites. Try setting MSS Clamping to something like 1350 on both sides VPN > IPsec, Advanced Settings Note how the 192.168.148.10 site is reporting an 8960 MSS value. Someone playing with jumbo frames and screwed the pooch there?
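The "something like 1350" above is a rule of thumb; what it has to cover is the ESP encapsulation overhead on top of the inner IPv4+TCP headers. The following is an added example, not code from the post or pfSense, that works the budget out for a given path MTU: it assumes an IPv4 outer header, tunnel-mode ESP with the IV, ICV and padding alignment per RFC 4303/4106/4868 for three common transforms, an optional NAT-T UDP header (RFC 3948), and a TCP header without options; anything else in the path (PPPoE, VLAN tags, GRE) has to be subtracted from the path MTU first. It also turns the 8960 MSS reported by the 192.168.148.10 site back into the 9000-byte MTU it implies.

```python
"""Largest TCP MSS that fits a path MTU inside an ESP tunnel (added example)."""

OUTER_IPV4 = 20        # outer IPv4 header of the ESP packet
UDP_NATT = 8           # UDP header when NAT-T encapsulation (RFC 3948) is in use
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
INNER_IPV4_TCP = 40    # inner IPv4 header + TCP header without options

# Per-transform sizes: (IV bytes, ICV bytes, padding alignment of the encrypted part).
# CBC modes pad to the 16-byte AES block; GCM only needs the 4-byte alignment RFC 4303 requires.
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":    (16, 12, 16),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16":              (8, 16, 4),
}


def max_mss(path_mtu, transform="aes-gcm-16", nat_t=True, outer_ip=OUTER_IPV4):
    """Largest MSS whose segment still fits `path_mtu` after ESP encapsulation."""
    iv, icv, align = TRANSFORMS[transform]
    fixed = outer_ip + (UDP_NATT if nat_t else 0) + ESP_HEADER + iv + icv
    encrypted = ((path_mtu - fixed) // align) * align   # largest aligned encrypted payload
    inner_packet = encrypted - ESP_TRAILER               # inner IP packet incl. headers
    return inner_packet - INNER_IPV4_TCP


def mtu_from_mss(mss):
    """The IPv4 MTU a host is advertising when it offers this MSS (no TCP options)."""
    return mss + INNER_IPV4_TCP


def clamp_is_safe(clamp, path_mtu, transform="aes-gcm-16", nat_t=True):
    """True if an MSS clamp of `clamp` keeps every segment below the path MTU."""
    return clamp <= max_mss(path_mtu, transform, nat_t)


if __name__ == "__main__":
    print("MSS 8960 implies an interface MTU of", mtu_from_mss(8960))
    for mtu in (1500, 1492, 1400):
        for name in TRANSFORMS:
            for nat_t in (False, True):
                print(f"MTU {mtu} {name:24s} NAT-T={nat_t!s:5s} max MSS {max_mss(mtu, name, nat_t)}")
    print("1350 safe on a 1500 path with AES-CBC/SHA256 over NAT-T:",
          clamp_is_safe(1350, 1500, "aes-cbc/hmac-sha256-128", True))
```

On a clean 1500-byte path the worst of the three transforms (AES-CBC with a 16-byte ICV over NAT-T) still leaves room for an MSS of 1382, which is why 1350 is a comfortable clamp; the margin is what covers the small things the calculation leaves out, such as TCP options. The same arithmetic shows why a host offering 8960 cannot be served: no tunnel on a 1500-byte path carries that segment whole, so the clamp has to be set at both ends.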
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.