• IPsec Mobile Client Can't Access Network

    2
    0 Votes
    2 Posts
    407 Views
    Is there a NAT rule to let mobile users go out? Or do they only use internal resources, thus not needing NAT? If there is a NAT rule to let these mobile users go out, can you confirm whether the NAT is set to static or dynamic?
  • IPSec tunnels need to be restarted after config

    1
    0 Votes
    1 Posts
    254 Views
    No one has replied
  • P2 NAT/BINAT not translating

    7
    0 Votes
    7 Posts
    719 Views
    Thank you that resolved it. I didn't realize the IPSec NAT and the firewall NAT were the same. Thanks again.
  • Second phase 2 entry not working on mobile IPSec tunnel

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • IPSEC Cisco ASA Issues

    4
    0 Votes
    4 Posts
    1k Views
    Thought I'd put a final update into this as the working solution. After getting a couple of Cisco ASA 5506 units on site and creating exact copies of the IPSEC VPNs that I was having issues with, and running these test VPNs over other IP addresses on our twin internet links back to the firewall, I couldn't get the damn things to fail like the original links. They worked for a good couple of weeks without a dropped packet, even though I'd put the phase 1 & 2 settings to rekey every hour and half hour respectively in the hopes of generating enough debug traffic on both sides to see where the issue lay. Went back to the outside agency in question, presented them with my findings, to be told point blank again that the fault was on our side. After a pretty gritted-teeth conversation with their network admin, he let slip that their configuration had a data transfer limit on both VPNs, where it would rekey every 4Gb of traffic. This was the first I'd heard about it; the agreed VPN documentation didn't have this noted, and pfSense IPSEC configs didn't have this in there (I don't think the strongSwan version currently in use on pfSense has this as an option anyway). After insisting that this be removed, both VPNs haven't failed since. Cheers, Monty
  • 0 Votes
    2 Posts
    232 Views
    This appears to be an MSS issue. I changed the index.html file down to a couple of words and the curl works. Will see if I can resolve by changing the MSS settings.
  • Cannot ping through AWS pfSense Instance

    8
    0 Votes
    8 Posts
    1k Views
    3 days of troubleshooting, you are a legend!! The issue was source/dest on the interface level (thought it was only on instance level). Thanks heaps - much appreciated!
  • USG - pfSense IPSec problems

    1
    0 Votes
    1 Posts
    175 Views
    No one has replied
  • [SOLVED] IPSec site-to-site establishes but only initiated from remote

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    Derelict
    @saqibshakeel035 said in [SOLVED] IPSec site-to-site establishes but only initiated from remote: Any suggestions? Yes. You probably want to start a new thread. This one is years old. Locking.
  • eap mschapv2 not available

    4
    0 Votes
    4 Posts
    754 Views
    Grimson
    https://docs.netgate.com/pfsense/en/latest/book/ipsec/index.html IPsec provides a standards-based VPN implementation that is compatible with a wide range of clients for mobile connectivity, and other firewalls and routers for site-to-site connectivity. pfSense is not designed to be used as an IPsec mobile client itself.
  • [SOLVED] inbound traffic with NAT/BINAT translation via IPsec

    3
    0 Votes
    3 Posts
    4k Views
    I tried it exactly as I guessed (and derelict too) and it worked. Thank you for your help!
  • How to push route onto a IPSEC L2TP

    2
    0 Votes
    2 Posts
    591 Views
    jimp
    With L2TP, it's completely up to the client to decide what traffic to send across. You need to configure the routes you want in the client itself.
  • Routed (VTI) IPsec Tunnel troubleshooting, no or slow traffic

    10
    0 Votes
    10 Posts
    2k Views
    @konstanti So... I replaced the SG-3100 with an XG-7100 today, setting up that side (site2) from scratch, and it now works as expected. IPsec tunnel speed is decent and no more packet loss. I can't see that I did anything differently, but I don't really have the time to look into it right now, if ever. Anyhow, thanks, again, for your time and input.
  • Lan to LAN Keep alive?

    3
    0 Votes
    3 Posts
    525 Views
    Many thanks
  • pfSense IPSEC VPN to Azure VPN

    1
    0 Votes
    1 Posts
    537 Views
    No one has replied
  • Site to Site VPN over multiple WAN with IPSec? How?

    5
    0 Votes
    5 Posts
    819 Views
    I figured out why my setup wasn't working. I had created Firewall rules under IPSec that allowed specific networks to connect to other specific networks. Once I created wildcard rules (anyone can talk to anyone on this interface), the IPSec tunnels started talking to each other and I was able to get FRR configured. Quagga OSPF wasn't working for me so I tried FRR and it worked fine.
  • 0 Votes
    1 Posts
    626 Views
    No one has replied
  • VIP is not set in IPSec configuration

    2
    0 Votes
    2 Posts
    376 Views
    OK, the solution is that in the failover security group, in the "Interface Address" field, I had to specify the VIP address. When I did this, the right IP was shown in the config file.
  • Tunnel is ok but not ping

    8
    0 Votes
    8 Posts
    987 Views
    Hi, the problem was solved by modifying, in phase 2, the protocol and Auth Methods, as the ones configured on pfSense were not compatible with those used on the FortiGate. Thanks.
  • Setting up ipsec on wan routed subnet

    2
    0 Votes
    2 Posts
    364 Views
    Derelict
    IPsec requires: UDP 500, UDP 4500, protocol ESP. You might or might not need protocol ESP based on NAT Traversal. Probably just want to post your NAT settings and WAN rules.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.