Nothing special about them, just adding another host or network to the tunnel.  I haven't stopped and started the IPSEC service, just used the icon that shows restart service.  We'll try that.

This config has been running around 7 years and this behavior started around 2 years ago.

The issue was down to a bug with the modem from our ISP fragmenting packets. New ISP, problem solved!

So I'm the dummy, as expected.

Setting is found in the VPN adapter on the Windows side:

VPN Adapter Properties –> Networking --> Select TCP/IPv4 Properties --> Advanced --> Uncheck "Use default gateway on remote network"

Hope this helps a few other dummies out there!

I can't fix this mismatch, any help?

Use check box in P1:  Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA.

This is possible with both DrayTek and pfSense, however I assume by now you have resolved the issue!

push :X

I'm really not a VoIP guru, but whenever I have this behavior (calls dropped after a time-out), it is when there is a wrong NAT behavior somewhere.  The PBX side would be receiving packets where the source IP at network & transport layer doesn't match the IP declared at the SIP application layer
Could it be that it was working before because your PBX setting was "easy" and therefore you were not noticing this NAT issue?
Can you check on the PBX to see the source IPs of the stations registering, and check the tables for the registered extensions, and see if there is a match?

I've done OpenVPN to NordVPN (I've even played around with 4 tunnels and load-balancing on the 4 tunnels)

But haven't been able to configure IKEv2 towards NordVPN.  I read the guides you mentionned, but from what I read, MSCHAP can be configured for an IKEv2 server on pfSense, not an IKEv2 client on pfSense.  The guide on IKEv2 that you linked to is written for a IKEv2 server on pfSense, and remote clients like IOS or Android.

Here's what I did:

download root certificate from NordVPN convert to PEM format import as a CA in System->Certificate Go to VPN->IPSec and setup a sit to site tunnel.
However, in the authentication box, either I see "Shared PSK" or "RSA"
I have tried both settings, selecting the Root NordVPN cert for the remote in the "RSA" mode, or using my NordVPN password as the pre-shared-key when in "PSK" more
When I go to the status page, and click "connect", it goes back to the "disconnected" state almost instantly.  When I check the logs, I keep getting an authentication failed reply from the NordVPN server.

I might be missing something, though  :o

My goal is the network from Site A (10.1.1.x/24) able to reach the network at Site C (10.3.3.x/24) regardless the traffic from A will be NAT to site B and will carry the IP Site B (10.2.2.x/24) instead. Also the same for Site C whereby it will carry the Site B IP in order to communicate with network on Site A.

Site A (10.1.1.x/24)<–---------> Site B (10.2.2.x/24) <-----------> Site C (10.3.3.x/24)
                              IPSEC & NAT                              IPSEC & NAT

Probably the above illustration perhaps may give you some idea. Thank you in advance.