Yeah. IPsec doesn't behave like that. You should probably start by posting what you have done, not a representation of what you think you have done. Post ALL of the traffic selectors. Not just a few. How do you know what "tunnel" the traffic is being sent on?

No. In the IPsec Phase 2. Just like here: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Phase_2

got it fixed.  missing nat rule on PFA from internet to 10.253.253.0/24 network

Problem solved! Now i can connect my pfsense box as a client to my SoftEther server. The problem was the latest (RTM) Version of SoftEther server, which seems to have an issue with OpenVPN. After installing an earlier version, everything is working as expected.

@Derelict: Probably no and not that I know of. Make your IPsec connection from behind the firewall or use an OpenVPN provider. Thank you, I'll do that.

jcconnell did you ever get this resolved? I am having the the same issue as you are having and all my networks are setup properly. Let me know!

Hello on your phase 2 entire do you have 192.168.2.0/24 and 192.168.3.0/24 setup? or are you doing 192.168.0.0/16? Thanks

Sorry for delay! So I tested it on my end, the 2 tunnel goes up, but if I unplug one of my remote WAN port, the tunnel doesn'T switch to the other one (even if the tunnel is up…) I configure the DPD (dead peer detection), 5 sec for 5 poll, to disconnect the tunnel, it doesn't work... I am not sure if it is possible.. I guess the only way would be to setup a DynDNS or NO-IP on the remote firewall so they can update the IP between the active ISP. But IMO, it is not a good solution for a large enterprise, as in my experience, for me, SOnicwall and DynDNS is scrap, no-ip works okay but I do prefer using a direct IP

Looks like others are affected too : https://redmine.pfsense.org/issues/7801 Any chance to get fragmented UDP across IPSEC Tunnels with pfSense??

I don't think there is any reason for the P1 to even attempt a connection without a P2. There is no interesting traffic in that case. There are no connection attempts in the logs you posted. I would config a P2 and try again.

The lookups are sourced from Virt.Publ.IP because I have only one Publ.IP on IPSec-Site2 and the Ports are already in use (and I cant Change!). On Site1 I have several Publ.IP-Adresses free to use. I put the Settings of the document, but not successful. Checked Tunnel again and ist working fine in both directions. Is there anybody who did something like that already?

You need to route the correct traffic from the VPC to the VGW in AWS. Traffic from the pfSense side is sent to the VPN according to the traffic selectors (phase 2 networks).

Hello Got it to work. :) EAP-Radius means that the VPN Server will send the Authentification to the FreeRadius Server (That was not clear for me). So i can use now EAP-TLS and EAP-MSCHAPV2 with Freeradius at the same Time. Thanks Regards Alitai