• IPsec Site-to-Site drops after one hour

    2
    0 Votes
    2 Posts
    821 Views
    D

    So after changing Phase 2 lifetime to 86400, the connection is staying up, after the one hour mark passed. So the question is now, I believe, how can I ensure that Phase 2 key renegotiating succeeds every hour?

  • Pfsense log message help???

    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
  • IPSec can't access webGUI

    16
    0 Votes
    16 Posts
    2k Views
    X

    I just set up a 3rd side and I can't access my warehouse side with any application that some of my equipment needs, like POWER ALERT software for TRIPP LITE PDUs. When I use Firefox to access any of my PDUs there is no problem, but when I use POWER ALERT to manage any of my PDUs, or Remote Desktop to access any of my warehouse Windows servers, I also can't make a connection. I disabled the Windows 10 firewall, my Bitdefender firewall and the Windows Server firewall to see if it is a firewall problem, but it wasn't. This time I have state from the 3rd location to the warehouse side and back. I attached the rules of both my sides. I have to fix this because my work depends on it.

    Thank you

    ipsec-bs.jpg
    ipsec-eg.jpg
    ipsec-rules-bs.jpg
    ipsec-rules-eg.jpg
    ipsec-wan-rule-bs.jpg
    ipsec-wan-rule-eg.jpg
    lan-rules-bs.jpg
    lan-rules-eg.jpg

  • PfSense OpenVPN clients routing

    3
    0 Votes
    3 Posts
    710 Views
    G

    Hi, I use OpenVPN GUI. Please write me exactly the commands and in which router to enter them or through scratch images show me in which menu exactly how to introduce you I beseech you

  • Issue with phase 2 not working with our customer ipsec network

    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • IKEv2 with EAP-MSCHAPv2 - client certification installation

    2
    0 Votes
    2 Posts
    645 Views
    Derelict

    Better question for a Windows forum or your Windows domain admin.

  • Can't install IKEv2 CA iOS 11.02

    14
    0 Votes
    14 Posts
    1k Views
    yuljk

    Thanks Derelict - I've switched over to DH14 and managed to spin up a macOS Sierra install on VMware Workstation to create the proper VPN profile. All working now after modifying the registry on Windows 10 and using strongSwan on Android.

    Much appreciated.

  • 0 Votes
    3 Posts
    703 Views
    C

    I did figure it out.

    I have created a "LANGATEWAY" that is my pfSense LAN interface IP address (192.170.0.1), then I have created a static route to the Azure virtual network via "LANGATEWAY"

    Gateway

    Name Interface Gateway Monitor IP Description Actions
    LANGATEWAY LANIPV4 192.170.0.1 192.170.0.1 Lan gateway

    Static Routes

    192.168.48.0/20 LANGATEWAY - 192.170.0.1 LANIPV4

    Hope this will help others that will face same issue.

  • IPSec Mobile Clients + Site2Site VPN doesn´t work

    2
    0 Votes
    2 Posts
    534 Views
    B

    Nobody has an idea?

  • Issues with RV340 VPN

    3
    0 Votes
    3 Posts
    723 Views
    stephenw10

    The original post was spam. Split this off and moved to IPSec.

    Steve

  • Errors using MacOS server LDAP as backend auth for iOS and MacOS clients

    2
    0 Votes
    2 Posts
    553 Views
    S

    Hey gang - just a quick check in to see if anyone has experience with IPsec and LDAP or tips on where to start troubleshooting?

  • Ipsec ikev2 more than 20 simultan connections

    2
    0 Votes
    2 Posts
    636 Views
    T

    Hi,

    I have found out in which file the strongswan.conf is assembled. It is /etc/inc/vpn.inc.

    Best regards
    Tino

  • Pfsense 2.3.2 ipsec vpn mobile configuration not correctly generated

    18
    0 Votes
    18 Posts
    8k Views
    nodau

    Seems so, I have the same issue. The patch posted above cannot be applied. I have multiple P2s configured: LAN, WLAN, DMZ. I can only access the LAN subnet, and I have no idea why. I don't even know if my problem is related to this topic.

  • IPsec VPN Site to Site (Sonicwall <-> pfsense)

    7
    0 Votes
    7 Posts
    11k Views
    B

    I have done it like below (full testing was not possible) and it seems to work:

    http://zee.linxsol.com/system-administration/pfsense-2-site-to-site-vpn-with-dell-sonicwall-nsa-3500.html

    I have put in some additional rules on the WAN Interface, see screenshot.

    Rules_IPSEC.JPG

  • 0 Votes
    3 Posts
    850 Views
    C

    I did think that if it worked it would break all routing.

    It was a long shot, as I thought each interface would have its own routing table, so I could have

    192.168.1.0 <<ipsec a nailed to>> 123.123.123.120 <<lan to>> 10.0.0.0 <<routing rule for outbound ipsec a>>
    192.168.1.0 <<ipsec b nailed to>> 123.123.123.121 <<lan to>> 10.0.1.0 <<routing rule for outbound ipsec b>>
    192.168.1.0 <<ipsec c nailed to>> 123.123.123.122 <<lan to>> 10.0.2.0 <<routing rule for outbound ipsec c>>

    All on one pfsense firewall with each

  • MOVED: Disable class

    Locked
    1
    0 Votes
    1 Posts
    336 Views
    No one has replied
  • Route ip traffic from mobile client to site to site vpn

    1
    0 Votes
    1 Posts
    452 Views
    No one has replied
  • Can Ping, Not Access

    1
    0 Votes
    1 Posts
    496 Views
    No one has replied
  • VPN passtrought for multiple Ipsec / L2TP clients to same host

    2
    0 Votes
    2 Posts
    756 Views
    A

    While I have been stalling for days, I have made some progress on the issue tonight.

    It seems the problem is related to the UDP session timeouts. Because I have some VOIP phones and their sessions were expiring, I had to set the firewall optimization options to "conservative", thus my UDP states were taking something between 300 and 900 seconds to expire. And L2TP/IPsec is UDP traffic as well, making me believe that was a concurrent session problem.

    Now that I have set the firewall optimization options back to "normal", and adjusted the specific timeout of UDP states to a much shorter delay than "conservative", but longer delay than "normal", I am able to connect L2TP sessions much more frequently and sometimes concurrently. The wait penalty is still painful though. And my phones seem to remain online so far.

    I know the best option would be to shorten the SIP phones' polling interval and leave the UDP state delay at normal, but my VOIP provider has locked this control on the phones, so it is complicated.

    An ideal solution would be to be able to tune the following properties inside firewall rules if there is a match : UDP First, UDP Single, UDP Multiple.
    This way, it would be possible to increase the UDP state timeout only for the VOIP traffic, but I don't know if it is doable at low level.
    There exists a state timeout setting in the advanced firewall rules GUI, but unfortunately it is for TCP only.

  • Assigning fixed IP addresses to IKEv2 Clients

    10
    0 Votes
    10 Posts
    5k Views
    NogBadTheBad

    Yea working a treat thanks dude.

    I was missing the static routes and the Framed-Route = "0.0.0.0/0 172.16.0.1 1"

    I've split my 172.16.9.0/24 into 2 /25 blocks; the first /25 has full access everywhere, the second /25 internet only.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.