  • pfSense IPsec tunnel to redundant endpoints

    0 Votes
    3 Posts
    2k Views

    Sorry for the delay!

    So I tested it on my end. The 2 tunnels go up, but if I unplug one of my remote WAN ports, the tunnel doesn't switch to the other one (even if the tunnel is up…).

    I configured DPD (dead peer detection), 5 sec for 5 polls, to disconnect the tunnel, but it doesn't work... I am not sure if it is possible.

    I guess the only way would be to set up DynDNS or No-IP on the remote firewall so they can update the IP between the active ISPs. But IMO it is not a good solution for a large enterprise, as in my experience SonicWall and DynDNS are scrap; No-IP works okay, but I do prefer using a direct IP.

  • Disable Scrubbing on IPSEC interface only

    0 Votes
    2 Posts
    1k Views

    Looks like others are affected too: https://redmine.pfsense.org/issues/7801

    Any chance to get fragmented UDP across IPsec tunnels with pfSense?

  • IPSec just won't connect, pulling my hair

    0 Votes
    4 Posts
    715 Views

    I don't think there is any reason for the P1 to even attempt a connection without a P2. There is no interesting traffic in that case.

    There are no connection attempts in the logs you posted.

    I would configure a P2 and try again.

  • Access LDAP from WAN through IPsec site-to-site

    0 Votes
    3 Posts
    487 Views

    The lookups are sourced from the Virt. Publ. IP because I have only one Publ. IP on IPSec Site2 and the ports are already in use (and I can't change that!).
    On Site1 I have several Publ. IP addresses free to use.

    I applied the settings from the document, but without success.
    Checked the tunnel again and it is working fine in both directions.

    Is there anybody who did something like that already?

  • IPSEC VPN from HA pfSense to AWS VPC instance not routing

    0 Votes
    4 Posts
    1k Views

    You need to route the correct traffic from the VPC to the VGW in AWS.

    Traffic from the pfSense side is sent to the VPN according to the traffic selectors (phase 2 networks).

  • Which VPN Authentication?

    0 Votes
    5 Posts
    705 Views

    Hello

    Got it to work. :)

    EAP-RADIUS means that the VPN server will send the authentication to the FreeRADIUS server (that was not clear to me).

    So I can now use EAP-TLS and EAP-MSCHAPv2 with FreeRADIUS at the same time.

    Thanks

    Regards
    Alitai

  • IPSec stops working after a while until pfsense reboot

    0 Votes
    1 Posts
    307 Views
  • 0 Votes
    2 Posts
    571 Views

    Sorry to dig up an old post, but I was wondering if you ever found a solution? I have an ongoing problem very similar to yours and, like you discovered, it only seems to affect my systems that are running 2.4.2 or later.

    Link to previously created thread.
    https://forum.pfsense.org/index.php?topic=143728.0

  • 0 Votes
    2 Posts
    668 Views

    It seems to be a regular Win10 IPv6 VPN client problem. Maybe it should be solved by using link-local addresses on the IPsec interface.

    For now I have solved the problem by creating a PowerShell script to create a Windows VPN connection definition. The script adds route ::/0->::

    Add-VpnConnectionRoute -ConnectionName $connection_name -DestinationPrefix ::/1
    Add-VpnConnectionRoute -ConnectionName $connection_name -DestinationPrefix 8000::/1

    The Add-VpnConnectionRoute cmdlet does not allow manipulating ::/0, which is why there are two routes, for ::/1 and for 8000::/1.

    And how are you, who already uses IPsec on IPv6, working with client routes? Are they automatically created? Do you use link-local addresses on IPsec interface?

  • IPSEC Site to Site VPN

    0 Votes
    13 Posts
    1k Views

    It's OK, I figured it out… I didn't have the correct rule in the IPsec rules on the firewall... all good now, thanks.

  • IPSEC Tunnel to WIN10 behind NAT driving me crazy

    0 Votes
    3 Posts
    631 Views

    Double-check that you are using IKEv2 on both ends. This looks like IKEv1 with UDP port 500:
    Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)

  • IPsec Multisite

    0 Votes
    2 Posts
    463 Views

    We have this setup for small remote offices (about 10 to 15 users at each office).

    You just want to make an IPsec tunnel from A to B, A to C, A to D and so on.

    I would test it with:
    IKEv1
    Mutual PSK and Pre-Shared Key
    AES 128 bits
    SHA1 - DH 2

    AES 128 bits
    SHA1
    PFS key 2

  • VPN (IPsec) drops after 59 minutes.

    0 Votes
    2 Posts
    525 Views

    @TMSUnited:

    I have a Draytek 2860 connected to pfSense on 1and1 cloud.  I can establish a connection and the network performs as expected.  However, even though I have set the timeout in Phase 1 & 2 to 86400, the connection drops after 59 minutes.

    I also tried setting up a ping xxx…. -t from both ends, but this didn't keep the connection alive.  The Draytek is set to keep alive, so it looks like Phase 2 is forcing this to drop after an hour.  The Draytek is set up to dial in only.

    pfSense is 2.4.2

    I see quite a few issues with IPsec, so I'm wondering if this is a pfSense bug.  I used a 1.x version before and the connection was faultless for years.

    Thanks

    Do you have an "Automatically ping host" set up on phase 2?

  • PfSense to ZyXel IPSec VPN Help!

    0 Votes
    2 Posts
    2k Views

    I'm very new to this but I had the same issues connecting my Draytek 2860.

    With 2.4.2 I tried with two colleagues to connect with various combinations, and in the end it only seemed to work on IKEv2 with 3DES on G2 for phase 1 and 3DES_MD5 for phase 2.  In the end Draytek support solved the issue.  You may find it is different for ZyXel.

  • [SOLVED] VPN Tunnel

    0 Votes
    12 Posts
    1k Views

    @ikkuranus:

    Are you aware that 192.0.0.1-192.167.255.255 are public addresses and shouldn't be used for private use unless assigned to you by your ISP? 192.1.x.x and 192.2.x.x fall into that range.

    Yes I am aware ;)

    It's all working now with the setup we need.

    Thank You

  • IPsec ASA VPN

    0 Votes
    2 Posts
    494 Views

    From your "diagram", they are the ones who have to NAT.

    What is the IPsec access list on the ASA side?

    What is the phase 2 defined on your side (including any NAT, if present there)?

  • [SOLVED] How to exclude IPsec traffic from NAT properly

    0 Votes
    2 Posts
    615 Views

    SOLVED

    I forgot to add firewall rules.
    Firewall -> Rules -> IPsec:
    add a rule to allow traffic from the ASA side to LAN.

  • IPSEC fails after Restore to new Hardware

    0 Votes
    2 Posts
    498 Views

    I have logged into the router at the other end, and it has almost the same messages (over & over) in the IPSEC log:

    Mar 6 16:30:12 charon 05[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:12 charon 05[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:12 charon 06[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:12 charon 06[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:14 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:14 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:14 charon 13[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:14 charon 13[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:17 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:17 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:17 charon 05[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:17 charon 05[CFG] ignoring acquire, connection attempt pending

    Maybe I need to change the level of logging?
    Or need to look at a different log?

    Also in the IPSEC Status screen I can see the connecting trying twice in parallel (see attached image)


  • IPSec and traffic blocked leaving the enc0 interface

    0 Votes
    3 Posts
    1k Views

    Thanks for the quick reply!

    I have tried wide-open (ip any any) rules on both the IPsec interface and the LAN interface, and tested initiating connections in both directions.  It would always allow in to enc0 but "default deny out" of enc0.  I will set up to test again, get some state info and captures on the interfaces, and post the results here.  It may take a couple of days to get time to do so.

  • 0 Votes
    1 Posts
    320 Views
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.