• ipsec with pubkey ?

    0 Votes
    5 Posts
    670 Views
    stephenw10
    Probably one of these: https://www.netgate.com/docs/pfsense/book/ipsec/choosing-configuration-options.html#authentication-method What VPS service are you connecting to? Directly to the service, or to the VPS? What is it, if so? Steve
  • Windows 10 VPN Client / pfSense IPsec with EAP-RADIUS

    0 Votes
    2 Posts
    1k Views
    jimp
    EAP-RADIUS is just EAP-MSCHAPv2 with RADIUS on the backend. If it doesn't work, the most likely problem is that your NPS config is not set up to allow EAP properly. See https://www.netgate.com/docs/pfsense/book/thirdparty/radius-authentication-with-windows-server.html#adding-a-network-policy for something to check against.
  • 0 Votes
    2 Posts
    513 Views
    K
    @matt4542 Hey,
    https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec.html
    https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
    Show the Phase 1 IPsec pfSense settings and the strongSwan Android settings. Pay attention to the selected text; you don't have that in your logs.
    Dec 25 09:06:44 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Dec 25 09:06:44 00[DMN] Starting IKE service (strongSwan 5.7.1, Android 8.0.0 - ANE-LX1 8.0.0.162(C432)/2018-10-01, ANE-LX1 - HUAWEI/ANE-LX1/HUAWEI, Linux 4.4.23+, aarch64)
    Dec 25 09:06:44 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
    Dec 25 09:06:44 00[JOB] spawning 16 worker threads
    Dec 25 09:06:44 04[CFG] loaded user certificate 'C=ES, O=XXX, CN=sony_xperia.XXXXX' and private key
    Dec 25 09:06:45 04[IKE] initiating IKE_SA android[1] to 94.177.XXX.XXX
    Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 25 09:06:45 04[NET] sending packet: from 192.168.1.42[42086] to XXXX.XXXX[500] (716 bytes)
    Dec 25 09:06:45 09[NET] received packet: from 94.177.XXX.XXX[500] to 192.168.1.42[42086] (38 bytes)
    Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
    Dec 25 09:06:45 09[IKE] initiating IKE_SA android[1] to 94.177.XXXX
    Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 25 09:06:45 09[NET] sending packet: from 192.168.1.42[42086] to 94.177.XXX[500] (908 bytes)
    Dec 25 09:06:45 10[NET] received packet: from 94.177.XXX[500] to 192.168.1.42[42086] (489 bytes)
    Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 25 09:06:45 10[IKE] local host is behind NAT, sending keep alives
    Dec 25 09:06:45 10[IKE] received cert request for "C=ES, O=XXX, CN=XXX"
    Dec 25 09:06:45 10[IKE] sending cert request for "C=ES, O=XXX, CN=XXXX"
    Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}
  • IPsec VTI and default route

    0 Votes
    4 Posts
    835 Views
    jimp
    If one side supports routed IPsec and the other side only supports tunneled IPsec, then it can still work provided that you only attempt to send traffic that matches the P2 entries on the remote end. Anything else would fail.
  • IPSEC Tunnel

    0 Votes
    5 Posts
    782 Views
    K
    @tresrob Hey, sorry for my English. Can you ping 192.168.0.1 from 192.168.50.0/24? And show the rules on the LAN of pfSense B, and the rules on OPT1 of pfSense A.
  • IPsec configuration files lost after reboot.

    0 Votes
    27 Posts
    6k Views
    K
    @artemis At the time, I too wanted to go and study to be a Cisco engineer, but could not. Glad to have helped ))))) Good luck
  • Ipsec Load Balance Multisite?

    0 Votes
    4 Posts
    815 Views
    periko
    Excellent news, always learn, I will check that once, thanks Derelict.
  • Can pfSense tunnel as IKEv2 client?

    0 Votes
    4 Posts
    593 Views
    jimp
    It depends on the context. pfSense can act as a "client" for site-to-site style connections using certificate-based auth, but it is not made to support a "mobile" or remote access style client setup where the server side sends configuration data such as the interface address to use.
  • How can I configure different encryption domain ? [SOLVED]

    0 Votes
    2 Posts
    390 Views
    L
    I fixed it. I put on IPsec Phase 2 > NAT/BINAT IP 192.168.0.x/32, Local Network 10.0.0.0/24 and Remote Network 192.168.1.0/24, and then I made NAT 1:1 > 10.0.0.x > Internal IP > 192.168.0.1 and made the rules on the IPsec and LAN interfaces. Thank you.
  • Pfsense IPsec keepalive

    0 Votes
    2 Posts
    1k Views
    Derelict
    It means that you cannot initiate pings from a source address that is not on the firewall itself. For instance, if you have a Phase 2 tunnel between a local network that is behind another router on your side and a network on the remote side, the firewall itself cannot generate an interesting ping to bring up a tunnel because it cannot ping sourced from an address that is not on the firewall. In that case you would have to generate a keepalive ping from the network interesting to IPsec.
  • pfSense creating multiple P2 (child SA) entries

    0 Votes
    3 Posts
    941 Views
    Derelict
    They are rekeyed tunnels. They are harmless. They are kept around in case the other side sends traffic for the old SA, which sometimes happens with some IPsec implementations. They are visible there for the time between the rekey and the full lifetime expiration. Are you experiencing actual traffic flow issues or do you just not like to see them listed?
  • 0 Votes
    1 Posts
    471 Views
    No one has replied
  • IPsec with IPcomp - pfsense 2.4.4-RELEASE-p1

    0 Votes
    3 Posts
    888 Views
    T
    Thanks for that info. At least my memory about the fact that there was a problem is correct! I guess the only other comment is that, as noted by others in the ticket, the compression option is far from "little used". Thanks again.
  • Slow vpn, idle cpu

    0 Votes
    1 Posts
    362 Views
    No one has replied
  • IPSEC site to site tunnel between Monowall and Pfsense, rekey-issues

    0 Votes
    3 Posts
    651 Views
    K
    Andreas, you can try what I did in this post and see if it helps to keep your tunnels established. I suspect you have little to no traffic on this link. Don't know if it will help in your particular case... but I don't see why it wouldn't help a bit: https://forum.netgate.com/topic/138571/ipsec-tunnels-stop-passing-traffic ktbrown
  • IPSEC tunnels stop passing traffic

    0 Votes
    3 Posts
    1k Views
    K
    I had the same issue with pfSense to pfSense IPsec tunnels showing connected but traffic wasn't passing. My particular problem was every few hours... not every week. Nothing in the configuration on both ends helped in P1 or P2 settings. I don't have tons of traffic on these tunnels... but I wanted them to stay established for quicker response. Don't know if it will solve your issues or not... but my work-around was to set the P2 "automatically ping host" to an IP on the remote end... which only pings every 4 minutes (by default), and change the default to 10 seconds. Seemed to be something with the tunnels timing out, and re-establishing would eventually work (re-establish) after 1-2 minutes of continuous pings from a desktop. Solution (which I found on a separate issue on a separate post) was to change the IPsec P2 ping times from 4 minutes (240 sec) to 10 seconds to keep IPsec tunnels alive. And from what I have seen, IPsec tunnels have been stable (for a week).
    ** Careful with this... but here are the steps I took.
    1.) Go to Diagnostics / Edit File
    2.) Click on "Browse"
    3.) Go to the \etc directory
    4.) Click on "Pfsense-rc" (in the root of etc)
    5.) Add the following (you will find it towards the bottom of the config file - about 1 page up):
    #Start ping handler every 240 seconds
    /usr/local/bin/minicron 240 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh
    Change that line to:
    #Start ping handler every 10 seconds
    /usr/local/bin/minicron 10 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh
    6.) Save config
    7.) Reboot
    Note: if you upgrade the code, this file will most likely default back to the 240 seconds and will need to be changed again.
  • VPN IPSec - one site has a dynamic ip

    0 Votes
    7 Posts
    11k Views
    B
    @kts-tec said in VPN IPSec - one site has a dynamic ip: "On the LANCOM I can set the identifier to mail (fqun). I don't find an identifier on the pfSense for mail (fqun). Is it possible to use a fqun on the pfSense as identifier? I'm talking about the dyndns with the IT department." In Phase 1, select My identifier, or Peer identifier, and all options are there.
  • L2TP/IPSec routing to other subnets

    0 Votes
    3 Posts
    897 Views
    B
    I did this so when I use OpenVPN I can also access other subnets I want that are connected with IPsec. On the pfSense I OpenVPN to, which is connected to all the IPsec tunnels, I add a Phase 2 entry with the local subnet of OpenVPN, e.g. 10.0.10.0/24, and the remote subnet of whatever is on the other side. On the other side, I use the remote subnet of OpenVPN, e.g. 10.0.10.0/24. One site is an old Cisco RV042 I have a tunnel to from my pfSense... so what I did was add the Phase 2 on pfSense, but I had to create a new site-to-site VPN tunnel on the RV042 with just different settings for the Phase 2; this is because I cannot add multiple Phase 2 entries to a VPN on the RV042. I am surprised that it worked.
  • Site to Site IPsec tunnel with Cisco and pfsense

    0 Votes
    20 Posts
    4k Views
    M
    Hi again! I have a little question about the above configuration. I calculated the MTU over the IPsec tunnel and enabled 'Enable MSS clamping on VPN traffic' with a 1486 value. Over the IPsec tunnel, clients can see the 2 LANs without any problem, but GRE or L2TP/IPsec connections seem to have an MTU problem. My clients on the remote LAN use a Windows L2TP/IPsec connection to connect to another VLAN on the main site over the Cisco-pfSense IPsec tunnel, but cannot access some services like HTTPS or big objects like images on HTTP. It seems to be an MTU problem!? BTW, my IPsec tunnel on the Cisco side runs over a PPPoE connection. I set 'ip mtu' and 'ip tcp adjust-mss' on the PPPoE interface. Any help?!
  • 0 Votes
    2 Posts
    392 Views
    M
    I did go to the 172 router and add a default route to the lower PFS... and it works, but there are a few PFS connected to each other off the lower PFS, all via OSPF. I didn't want to use static, as if the lower one goes away, the static may blackhole and not use other ABRs.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.