• IPSEC Tunnel Drops Occasionally

    0 Votes
    2 Posts
    951 Views
    I can't comment on your specific case, but here are a few things I did (they may work for you, or they may make things worse!):
        system > advanced > networking > all hardware offloading options: tick (disable)
        vpn > ipsec > advanced settings > enable maximum mss: tick
        vpn > ipsec > advanced settings > maximum mss: 1400
        vpn > ipsec > advanced settings > make before break: tick
        vpn > ipsec > tunnels > edit phase 1 > disable rekey: untick
        vpn > ipsec > tunnels > edit phase 1 > margintime: 60
        vpn > ipsec > tunnels > edit phase 2 > pfs key group: off
        vpn > ipsec > tunnels > edit phase 2 > automatically ping host: ip within remote subnet
    Good luck, and take a backup first.
  • IPsec client on pfSense

    0 Votes
    3 Posts
    760 Views
    OK, thanks for that. Are you aware of anything that will do what I'm after?
  • IPSec Site-to-Site VPN, about phase 2 tunneling.

    0 Votes
    1 Posts
    439 Views
    No one has replied
  • Static IP address assignment for IPSec mobile clients

    0 Votes
    3 Posts
    2k Views
    NogBadTheBad
    The following works for me after doing step 1:
        "test-user" Cleartext-Password := "XXXXXXXXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020", NAS-Identifier == strongSwan
            Framed-IP-Address = 172.16.9.254,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Route = "0.0.0.0/0 172.16.0.1 1"
    Remember the Simultaneous-Use := "1" if you're giving them a fixed IP. https://forum.pfsense.org/index.php?topic=130715.0
  • IPSEC between 2x pfsense

    0 Votes
    8 Posts
    1k Views
    Thanks for the tip. For now I can ping to both sides (network devices like APs). I am still not able to ping Windows hosts on the remote side. It looks like this problem: https://superuser.com/questions/1087392/windows-firewall-blocking-ssh-to-secondary-subnet?noredirect=1&lq=1 The Windows firewall is disabled. To be sure I've added the any-to-any rule, but without success. The ping is arriving on the remote side (LAN interface), but I think Windows is not responding because the traffic comes from a different subnet. Isn't it easier to translate the traffic to the local subnet on both sides?
  • Pfsense 2.4.3 ipsec.conf is not updated

    0 Votes
    6 Posts
    2k Views
    Of course you're right, it is totally my mistake :) it should be in WAN2... thanks a billion.
  • Slow traffic over IPsec tunnel after a move but public traffic still fast

    0 Votes
    13 Posts
    3k Views
    Well... I'm at a loss. I'm now testing from hosts behind pfSense (vs. between the pfSense boxes themselves). I thought I had a breakthrough when I found AES-NI disabled in Advanced, but realized that was a troubleshooting tip here :) MTU is back to defaults, no MSS clamping, using IKE2... Both boxes also have OpenVPN tunnels to other boxes, but the average load is like 1mbs. Without the tunnel, I easily get 230-250mbs. With the tunnel (and, new since my original post, a gig WAN line) I get 30-50mbs. Xeon on one side and SH-4860 on the other. Neither CPU spikes above 30-40%. I tried recreating the P1 and P2 tunnels - no change. I failed to mention... the Xeon is pfSense running as a VM on Proxmox 5. It's the only VM, the CPU type is host, it has 16gb of RAM allocated and direct disk access. So it's basically as close to the bare metal as it can be. But if anyone has any tips related to Prox and AES performance, lay 'em on me!
  • IPsec client from Bogon network

    0 Votes
    1 Posts
    391 Views
    No one has replied
  • IPsec GCP setup

    0 Votes
    1 Posts
    810 Views
    No one has replied
  • Problems with VPN IPSEC rules not working

    0 Votes
    3 Posts
    890 Views
    I don't think the logs you posted are relevant to your issue; they seem to be discarded packets for expired connections or something else. Which side are you attempting to connect to and from? I didn't get that clear. The rules on your pfSense local side look fine. If you are trying to connect from the local side to the remote and it fails, it may be a misconfig on the Fortinet side.
  • Ipsec routing from branch to central then internet driving me crazy

    0 Votes
    2 Posts
    429 Views
    IPsec policies have routing preference over everything on the system (pretty much). If you create a tunnel with destination 0.0.0.0/0, the tunnel goes up and something is misconfigured, I guess you wouldn't get internet access at all, instead of getting routed through the regular WAN. Post your detailed configuration.
  • Connect 2 clients from LAN to L2TP/IPSec server simultaneously

    0 Votes
    1 Posts
    378 Views
    No one has replied
  • IOS 11.3 Clients Broken But MacOS Clients Work

    0 Votes
    9 Posts
    2k Views
    jimp
    @PhYrE: DH group 5 and group 14 were tested as well but are not recommended. Commentary on the DH groups is provided by: https://supportforums.cisco.com/t5/security-documents/diffie-hellman-groups/ta-p/3147010 This chart from strongSwan is a bit more informative and has better info than that post: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites#Diffie-Hellman-Groups
  • IPSec traffic stops, no errors, but link stays up

    0 Votes
    4 Posts
    1k Views
    lifeboy
    @dotdash: Check the other side and verify all the settings match. Verify the phase two IDs match. The connection is established and stays established for phase 1 and 2. If there was a mismatch, they wouldn't connect to begin with. I have checked both sides many times and everything matches. The link stays up, but if nothing is done over it, something happens that puts the link into a state where no traffic traverses it. Then, by attempting to connect to a database service on the other end, the link is woken up after about 30-60 seconds.
  • IPsec multi-wan failover

    0 Votes
    40 Posts
    41k Views
    Well, I'm one more with the same problem. First of all, pfSense 2.4.2, both sides with Group Gateway Failover, DDNS on Remote Gateway. So, I'm reading a lot of articles and... I'll test a single change in the IPsec configuration: VPN > IPSEC > Advanced Configuration > Configure Unique IDs as NO. Why? https://blog.bravi.org/?p=1209 I don't know if I misunderstood, but I'll try this shot...
  • 2.4.3 iOS Client Fails on AES-NI Active, but Works with AES Off

    0 Votes
    2 Posts
    535 Views
    Switched to IKEv2, set AES-NI CPU Crypto: Yes (active) and all is good. Encryption: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
  • IPSec Tunnel unstable 2.3.3-release-p1

    0 Votes
    9 Posts
    2k Views
    @GroundX: Upgraded to 2.3.4, still the same but under other settings. Have this as well when IPsec turns unstable/flapping. P2 seems stable but not P1.
        Apr  3 16:34:45 FWstockholm charon: 07[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
        Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
        Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
        Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
        Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
        Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
        Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
        Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
        Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
    This is to a Cisco ASA with IKEv2. I have two tunnels on the specific pfSense firewall, one to the above Cisco ASA and another one to a pfSense box. The last one is solid! 2.3.4 is stable or not?
  • View status causes "unable to query SAD entry" in log

    0 Votes
    6 Posts
    6k Views
    @jcasanellas: Hello, I have the same problem, but only with one tunnel: I have 6 running and only one fails on me. Attachment: capture of the error. I hope for your answer. Thank you. What devices are on the other side?
  • Can connect on VPN server, but no internet access.

    0 Votes
    4 Posts
    4k Views
    UDP is needed for DNS lookup. Easiest to just set it to any (if your IPSEC clients are trusted, of course).
  • Some protocol don't go through my IPSec VPN tunnel

    0 Votes
    2 Posts
    480 Views
    Can you please provide screenshots of the logs, and can you please provide the configs that you have done for P1 and P2 in the IPSEC tab? Is it just the HTTPS traffic that is not working?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.