• IPSec traffic stops, no errors, but link stays up

    4
    0 Votes
    4 Posts
    949 Views
    lifeboyL

    @dotdash:

    Check the other side and verify all the settings match. Verify the phase two ID's match.

    The connection is established and stays established for phase 1 and 2. If there was a mismatch, they wouldn't connect to begin with. I have checked both sides many times and everything matches.

    The link stays up, but if nothing is done over it, something happens that puts the link into a state where no traffic traverses over it.  Then, by attempting to connect to a database service on the other end, the link is woken up after about 30 - 60 seconds.

  • IPsec multi-wan failover

    40
    0 Votes
    40 Posts
    39k Views
    F

    Well, I'm one more with the same problem.

    First of all, pfSense 2.4.2, both sides with Group Gateway Failover, DDNS on Remote Gateway.

    So, I'm reading a lot of articles and … I'll test a single change in the IPsec configuration: VPN > IPSEC > Advanced Configuration > Configure Unique IDs as NO.

    Why? https://blog.bravi.org/?p=1209

    I don't know if I misunderstood, but I'll try this shot …

  • 2.4.3 iOS Client Fails on AES-NI Active, but Works with AES Off

    2
    0 Votes
    2 Posts
    474 Views
    S

    Switched to IKEv2, set AES-NI CPU Crypto: Yes (active) and all is good.
    Encryption: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384

  • IPSec Tunnel unstable 2.3.3-release-p1

    9
    0 Votes
    9 Posts
    2k Views
    N

    @GroundX:

    Upgraded to 2.3.4, still the same but under other settings:

    I have this as well when IPsec turns unstable/flapping. P2 seems stable but not P1.

    Apr  3 16:34:45 FWstockholm charon: 07[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
    Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
    Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
    Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
    Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
    Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
    Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
    Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
    Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)

    This is to a Cisco ASA with IKEv2.

    I have two tunnels on this specific pfSense firewall, one to the above Cisco ASA and another one to a pfSense box. The last one is solid!

    Is 2.3.4 stable or not?

  • View status causes "unable to query SAD entry" in log

    6
    0 Votes
    6 Posts
    5k Views
    N

    @jcasanellas:

    Hello, I have the same problem, but only with one tunnel. I have 6 running and only one fails me.

    Attachment capture error.

    I hope for your answer.

    Thank you

    What devices are on the other side?

  • Can connect on VPN server, but no internet access.

    4
    0 Votes
    4 Posts
    4k Views
    R

    UDP is needed for DNS lookup.

    Easiest to just set it to any (if your IPsec clients are trusted, of course).

  • Some protocol don't go through my IPSec VPN tunnel

    2
    0 Votes
    2 Posts
    430 Views
    J

    Can you please provide screenshots of the logs and the configs you have done for P1 and P2 on the IPsec tab? Is it just the HTTPS traffic that is not working?

  • IPSec Tunnel and VoIP

    7
    0 Votes
    7 Posts
    1k Views
    J

    Did you already create a port forward rule on WAN that opens UDP ports 5060-5080 and RTP ports 10000-20000? It is required for the VoIP to work. Also, I noticed that the LAN and WAN subnets you have configured for your pfSense are the same subnet. Did you already try to change the network of your LAN? Try to make it 172.xx.xx.xx or any private IP address range that is different from your WAN subnet.

    Hope this can help you.

  • Is it possible to create a remote to site vpn with pfsense and zywall?

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • Problem on VOIP on Site to Site VPN between Pfsense and Sonicwall

    5
    0 Votes
    5 Posts
    1k Views
    J

    Hi Hoe,

    Please be informed that my issue has been resolved now. I have done the following:

    1. Changed the Firewall Optimization Options to "Conservative" under System > Advanced > Firewall & NAT (pfSense side)

    2. Unchecked "Clean Up Active tunnels when Peer Gateway DNS name resolves to a different IP Address" (SonicWall side)

    3. Unchecked everything except "Enable Keep Alive" in the advanced settings of the VPN setup on the SonicWall.

    Please refer to the attached screenshots for reference.

    1.png
    2.png
    3.png

  • IPsec VPN problems with AES128 and strongSwan VPN Client

    3
    0 Votes
    3 Posts
    1k Views
    L

    For the details of the Windows VPN Client settings have a look here:
    https://wiki.strongswan.org/projects/strongswan/wiki/Windows7

  • 2.3.5 DNS Suffix no longer working With Shrewsoft

    1
    0 Votes
    1 Posts
    325 Views
    No one has replied
  • Phase 1 IPv6 broken with IPSec remote access

    3
    0 Votes
    3 Posts
    532 Views
    Y

    For me, phase 1 could not be completed on an IPv6 single-stack VPN on pfSense 2.4.2-p1 if the host was behind another firewall:

    https://forum.pfsense.org/index.php?topic=145581.0

  • IPSec on a site-to-site VPN with one side dynamic IP?

    2
    0 Votes
    2 Posts
    2k Views
    L

    It is possible as long as only one side needs to be able to "open" the tunnel, much like in a Mobile Client setup. With IKEv1 you need "aggressive" mode, at least with PSK; with IKEv2 you simply have to use an ID other than the IP address.

  • NAT + IPSec

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Ipsec status hangs after 30 min

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • Is there any way to do IKEv2 only using EAP-RADIUS on Apple clients?

    1
    0 Votes
    1 Posts
    381 Views
    No one has replied
  • IPSec NAT question

    1
    0 Votes
    1 Posts
    501 Views
    No one has replied
  • No traffic over IPSEC tunnel

    1
    0 Votes
    1 Posts
    413 Views
    No one has replied
  • Site-to-site VPN question.

    1
    0 Votes
    1 Posts
    350 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.