• Routing selective outbound NAT traffic through IPSEC

    2
    0 Votes
    2 Posts
    476 Views
    DerelictD

    OpenVPN will be a lot more flexible for that.

  • Routing specific /24 over ipsec

    2
    0 Votes
    2 Posts
    448 Views
    DerelictD

    That's because you cannot policy route IPsec like you can OpenVPN.

    You might be able to use a phase 2 of 10.47.5.0/24 <-> 0.0.0.0/0 with the reciprocal on the other side, but OpenVPN is a lot more flexible in this regard.

  • IPSEC performance? tinc?

    1
    0 Votes
    1 Posts
    764 Views
    No one has replied
  • Mobile client to home network w/ access to remote site-to-site network

    2
    0 Votes
    2 Posts
    443 Views
    M

    I think we want to do the same thing ish
    https://forum.pfsense.org/index.php?topic=144475.0

  • How to configure VPN Client l2tp/ipsec with PFsense

    3
    0 Votes
    3 Posts
    12k Views
    S

    Windows clients use 3DES for the encryption; use 3DES in the phase 1 of the IPSec tunnel instead of AES.

    Source:
    https://support.microsoft.com/en-ca/help/325158/default-encryption-settings-for-the-microsoft-l2tp-ipsec-virtual-priva

  • Only 1 IPSec VPN Tunnel Can be UP at a Time

    21
    0 Votes
    21 Posts
    2k Views
    S

    Thanks Buddy

  • Pfsense --> Juniper SRX 240 - NAT / BINAT translation

    1
    0 Votes
    1 Posts
    453 Views
    No one has replied
  • IPSec Tunnel Granting One Way Traffic

    2
    0 Votes
    2 Posts
    309 Views
    DerelictD

    Firewall rules on the IPsec tab on pfSense?

  • VPN IS down after a time period

    3
    0 Votes
    3 Posts
    548 Views
    S

    I have the same problem right now…all works until they start dropping like flies and won't reconnect!

  • Direct traffic in IPSECVPN Site to Site "Phase 2 Tunnels"?

    5
    0 Votes
    5 Posts
    613 Views
    I

    That worked!!! Thank you very much.

  • [SOLVED] cross platform IKEv2 VPN - no DNS on Linux/Mac/IOS

    7
    0 Votes
    7 Posts
    12k Views
    T

    @shpokas:

    I fixed the DNS issue on OS X and IOS by using Apple Configurator to create VPN profile and manually adding DNS section in it.
    Here's how to do it: https://lists.strongswan.org/pipermail/users/2015-October/008842.html

    This is definitely the key for split DNS with macOS and iOS! More details can be found in Apple's Configuration Profile Reference https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW612
    Look for the DNS Dictionary Keys section and it explains the use of SupplementalMatchDomains to control split DNS. Not sure why this isn't available from the Configuration GUI, but… there you go.

  • No outgoing UDP traffic

    1
    0 Votes
    1 Posts
    464 Views
    No one has replied
  • VPN user group missing

    2
    0 Votes
    2 Posts
    1k Views
    D

    Answered my own question.  Below groups are effective permissions, you can add the permission to that for IPSEC Xauth dialin.

  • No matching peer config found

    1
    0 Votes
    1 Posts
    661 Views
    No one has replied
  • (Sort of off-topic) Connecting pfsense <-> Unifi USG

    5
    0 Votes
    5 Posts
    1k Views
    C

    Hey,

    I eventually (this Friday) gave up. I even tried running OpenVPN on the USG directly (command line) which worked but the transfer speed was abysmally slow. I installed a tiny Intel NUC (12 Watt) that does OpenVPN just fine with the pfsense. Even with double-Nat :)

    -Chris.

  • IPSec phase2 with NAT/BINAT both sides fails to communicate

    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • Additional Details for IPSec Mobile Clients

    3
    0 Votes
    3 Posts
    606 Views
    J

    Thanks for the reply!
    I'm checking those tabs, and I only see the remote public IP, not the local IP that the client is receiving from pfsense.
    The scenario is, I'm rolling this out to a company of multiple users, and I would like to be able to identify each client on the router, but it seems like that info is obfuscated from me at this point.
    Appreciate your help!

  • SG-3100 IPSec –-

    3
    0 Votes
    3 Posts
    624 Views
    P

    One more part –

    Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[500] to xxx.xxxx.xxx.x[500] (180 bytes)
    Feb 7 14:07:00 charon 13[NET] <con1000|3> received packet: from xxx.xxx.xxx.x[500] to 172.16.200.20[500] (160 bytes)
    Feb 7 14:07:00 charon 13[ENC] <con1000|3> parsed ID_PROT response 0 [ SA V V V V ]
    Feb 7 14:07:00 charon 13[IKE] <con1000|3> received XAuth vendor ID
    Feb 7 14:07:00 charon 13[IKE] <con1000|3> received DPD vendor ID
    Feb 7 14:07:00 charon 13[IKE] <con1000|3> received FRAGMENTATION vendor ID
    Feb 7 14:07:00 charon 13[IKE] <con1000|3> received NAT-T (RFC 3947) vendor ID
    Feb 7 14:07:00 charon 13[ENC] <con1000|3> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[500] to xxx.xxxx.xxx.x[500] (244 bytes)
    Feb 7 14:07:00 charon 13[NET] <con1000|3> received packet: from xxx.xxx.xxx.x[500] to 172.16.200.20[500] (244 bytes)
    Feb 7 14:07:00 charon 13[ENC] <con1000|3> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Feb 7 14:07:00 charon 13[IKE] <con1000|3> local host is behind NAT, sending keep alives
    Feb 7 14:07:00 charon 13[ENC] <con1000|3> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[4500] to xxx.xxx.xxx.x[4500] (108 bytes)
    Feb 7 14:07:01 charon 13[NET] <con1000|3> received packet: from xxx.xxx.xxx.x[4500] to 172.16.200.20[4500] (92 bytes)
    Feb 7 14:07:01 charon 13[ENC] <con1000|3> parsed INFORMATIONAL_V1 request 907020096 [ HASH N(AUTH_FAILED) ]
    Feb 7 14:07:01 charon 13[IKE] <con1000|3> received AUTHENTICATION_FAILED error notify
    Feb 7 14:09:19 charon 00[DMN] signal of type SIGINT received. Shutting down

  • IPsec Packet Loss, Dropped RDP Connections

    1
    0 Votes
    1 Posts
    439 Views
    No one has replied
  • Microtek and Pfsense Ipsec

    1
    0 Votes
    1 Posts
    449 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.