• Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA

    I have many S2S between pfSense & ASA.

    Posting your configuration for both will help.

    To get the ipsec configuration from pfsense run:
    cat /var/etc/ipsec/ipsec.conf

    In the ASA, look for it in your running config.

  •

    This is solved.
    Turns out I didn't check "disable rekey" under the advanced config on the Phase 1 settings in pfsense.

  • How-to on GRE over IPSEC?

    It can be done, but with a couple of caveats. The main problem is that you have to pretty much turn off the firewall over the tunnels (!!!) due to #4479.

    Also, strongSwan cannot currently establish 2 tunnels to the same destination IP from different interfaces (because the gateway selection is based on hidden static routes). To overcome this you can do the other way around, first GRE and then encrypt the tunnels (IPsec-over-GRE) or even set up another tunnel inside the other one.

    Finally, you can use OSPF to handle the failover but beware there is a long going unresolved issue with Quagga in which some routes are incorrectly marked as kernel routes and never cleared on restart, rendering the configuration useless. You may have better luck with frr.

    Two more points: remember to tweak MSS clamping appropriately to avoid performance issues, and also you can use GIF instead of GRE to save some bytes.

    You can also achieve all the same thing with OpenVPN + OSPF by the way.

  • Upgrading to 2.4.2 broke my IPSEC VPN!

    Update - you were absolutely right! Switching DH groups fixed it. Wish I had spotted that, thank you!

  • Why aren't my end to end vpn speeds keeping up? (site to site)

    At this point I've been having a conversation with myself on this topic but I'm determined to provide some valuable information to someone who will inevitably come across the same dilemma that I have.

    So the past few nights I've been doing a lot of reading. WAN accelerators, alternate protocols etc. Tonight I came across an article about transferring data across IPsec tunnels. One of the items the author mentioned was different speeds using different protocols. One of the protocols was HTTP. Hmm. My NAS at home has an HTTP front end and I remembered that it did some form of file transfer. I gave it a shot, uploading a 17.7 gig rar archive in 3 minutes and 11 seconds. Here's the tail end of the transfer: As you can see, it achieved full line rate, 100+ MBps.

    I see there are a number of Windows programs out there allowing for HTTP transfer. Hopefully I can find a command line version or, better yet, some that might actually map a drive or at least allow me to send files to my NAS. That would be super. This could be just what I'm looking for to finally saturate my IPsec VPN for file transfer. Sure beats a four thousand dollar WAN accelerator.

    Roveer

  • User supplied credentials, every connection for ipsec?

    Perhaps using captive portal somehow? The tunnels can be automatic, but no use of devices on any of the ports without portal authentication? I've never used captive portal before… I'll have to go read up on it.

  • Mobile ipsec VPN traffic stops after 15 min 2.4.1

  • StrongSwan DHCP plugin for access control

    What's the status on this?

  • AWS IPSec VPN <--> EdgeRouter <--> pfsense

    IPsec requires forwarding of UDP 500, ESP, and maybe UDP 4500.

    Ubiquiti's forum would be the best place to ask about what to do on the EdgeRouter.

  • Exclude subnet from site to site ipsec?

  • IPSEC Plex

    @SpaceBass:

    Is there a reason you'd want to use the WAN connection? The effective bandwidth difference shouldn't be noticeable.

    One way to force it to use the WAN is to block the port (32400) with a firewall rule between the VPN connections.

    Make sure to open the port for the WAN connection too.

    Your suggestion worked :-)

    Many thanks

  • BlackBerry Z10 & Mobile IPsec on 2.1 WORKING!

    After upgrading BlackBerry from 10.3.2 to 10.3.3, my VPN IKEv2 connection (as described by TKenny on October 21, 2015, 11:34:40 pm) did not work anymore, although I did not change anything in the VPN settings (on BlackBerry or pfSense). I got some authentication error, which I couldn't solve.

    However, because I also had to upgrade my pfSense box from 32-bit to 64-bit in order to get the latest pfSense version, I tried again with my newly acquired pfSense hardware box: it just worked the first time after setting up pfSense and a new VPN connection on BlackBerry.

    So, just to confirm, this set-up still works perfectly (with BlackBerry 10.3.3 and pfSense 2.4.2)!

  • IPsec + NAT

  • Identifier issue

  • IPSec Mobile Client - Different Firewall Rules for Different Users

    You'll need to use FreeRADIUS for user auth and hand out specific IP addresses to each user.

    I hand out 172.16.9.0/25 for my own use, allowing me to access the internet + all my local LANs, and 172.16.9.128/25 to friends so they can use UK based TV services when abroad, etc …

    https://forum.pfsense.org/index.php?topic=129443.msg750980#msg750980

    A typical user looks like this:

    # FreeRADIUS "users" file entry: check items on the first line,
    # reply attributes on the indented lines that follow (no blank line in between)
    "andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1"
        Framed-IP-Address = 172.16.9.1,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.0.1 1"

  • Android 6.0.1 devices can't reach internal LAN through Always-On-VPN

    This was sorted after updating to 2.4.2.

  • Can't connect to or ping LAN hosts using IPsec mobile VPN

    I found the problem: under VPN -> IPsec -> Mobile Clients under 'Client Configuration', the 'Virtual Address Pool' has to be a completely different network address than the internal IP addresses I was using. This tip is on one of the how-to pages, and it looks like I overlooked a step. I also learned that there isn't a way yet to have the DHCP server assign IP addresses to VPN clients.

  • Site-to-site IPsec between pfSense and FORTIGATE-1500D

    It's quite easy: just configure your site using the Cisco template, and then you need to change some settings manually.

  • Multiple identical Child SA entries

    Seems to be solved by disabling DPD on both sites, however I don't understand why…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.