• Pfsense with SDNv2 in SCVMM 2016

    0 Votes
    1 Posts
    886 Views
    No one has replied
  • 0 Votes
    1 Posts
    448 Views
    No one has replied
  • IPhone ipsec mutual psk vs mutual psk + xauth problems

    0 Votes
    1 Posts
    525 Views
    No one has replied
  • Sites cannot reach each other, but mobileclients can reach both

    0 Votes
    1 Posts
    340 Views
    No one has replied
  • Mac Split DNS issue

    0 Votes
    2 Posts
    551 Views

    Had a look at the file /usr/local/etc/strongswan.conf using

    grep "28675" strongswan.conf | hexdump -C

    and it looks like it just puts a newline at the end of the line, so I can't imagine this is a pfSense bug.

    00000040  4c 45 41 56 45 4d 45 48  45 52 45 0a              |LEAVEMEHERE.|
    0000004c

    Any suggestions to try and work out where the bug is?

  • Issue with Ipsec Phase 2

    0 Votes
    1 Posts
    446 Views
    No one has replied
  • L2TP over IPSec for iOS with v2.3.4

    0 Votes
    3 Posts
    2k Views

    Because we don't want to use certificates on clients like iOS. Authentication should be based on Windows AD only.

    When we need to use certificates, we can also use OpenVPN, which we are testing at the moment. But there I got stuck too, because I can't reach devices in the LAN; I created a post in the OpenVPN category for that case.

  • Define exceptions to Phase 2 tunnel policy?

    0 Votes
    1 Posts
    382 Views
    No one has replied
  • Multiple Client VPNs (IPSec)

    0 Votes
    1 Posts
    521 Views
    No one has replied
  • Correct setup for 2.3.4 and a VPN for Windows/Android?

    0 Votes
    2 Posts
    573 Views

    Could you elaborate on your question?

    Trust me, I've been fed up about ten trillion times too ( ;) ) but - HAProxy aside (which I don't use nor know about), I have W7 and Android too, and it is doable, even easy, if only the documentation were a little bit clearer. I can try to help you.

  • Fragmented reply ICMP packages not reassembled

    0 Votes
    1 Posts
    357 Views
    No one has replied
  • IPSec, policy routing, snat

    0 Votes
    2 Posts
    649 Views

    After some digging, I would say this is rather a NAT/routing issue than an IPSec one.

    Installing one more pfSense; let's call it PF2 and the original PF1.

    Settings as follows:
    PF1(LAN): 10.0.1.1
    PF1(OPT1): 10.0.2.1
    PF1(WAN): x.x.x.x

    PF2(LAN): 10.0.1.2
    PF2(WAN): 10.0.2.2 (gw: 10.0.2.1) (the OPT1 on PF1)

    On PF1, adding a static route to the remote subnet (192.168.0.0/16) with gw 10.0.1.2 (PF2).
    I'm able to access the remote subnet from LAN on PF1.

    So accessing the remote LAN from the PF1 LAN, the route is:
    PF1(LAN) --> PF2(LAN) --> PF2(WAN) --> PF1(OPT1) --> IPsec tunnel

    Everything is working as expected but doesn't seem right. Is there a way to achieve the same functionality without involving PF2?

    I was also able to make it work with an OpenVPN server with /28 subnet, I could NAT on IpSec phase2 so OVPN clients access remote LAN, but not from LAN directly.

    Best regards.

  • Ipsec ikev2 to iOS 9+ and Windows – but no certificates

    0 Votes
    1 Posts
    487 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    Derelict

    Well, you need the reciprocal phase 2 entry.

  • All Tunnels rekeying after exactly 60 seconds.

    0 Votes
    1 Posts
    381 Views
    No one has replied
  • IPsec to Cisco ASA - Intermittent Resets

    0 Votes
    2 Posts
    676 Views

    Today we had another disruption preceded by a lot of these log entries:

    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[ENC] <con2000|5> generating INFORMATIONAL_V1 request 817940652 [ HASH N(INVAL_HASH) ]
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[IKE] <con2000|5> QUICK_MODE request with message ID 1339927066 processing failed
    2017-08-29 08:29:59,Daemon.Info,10.3.1.2,Aug 29 08:29:59 charon: 13[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:29:59,Daemon.Info,10.3.1.2,"Aug 29 08:29:59 charon: 13[IKE] <con2000|5> received retransmit of request with ID 2091090257, but no response to retransmit"
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> parsed QUICK_MODE request 1339927066 [ HASH SA No ID ID ]
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> received HASH payload does not match
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[IKE] <con2000|5> integrity check failed

    Other log entries that looked suspicious are:

    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[ENC] <con2000|5> generating INFORMATIONAL_V1 request 3211985302 [ HASH N(PLD_MAL) ]
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[IKE] <con2000|5> QUICK_MODE request with message ID 3438183006 processing failed
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,"Aug 29 08:40:47 charon: 10[ENC] <con2000|5> invalid HASH_V1 payload length, decryption failed?"
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[ENC] <con2000|5> could not decrypt payloads
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[IKE] <con2000|5> message parsing failed
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[ENC] <con2000|5> generating INFORMATIONAL_V1 request 1187213230 [ HASH N(INVAL_HASH) ]
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[IKE] <con2000|5> QUICK_MODE request with message ID 879409864 processing failed
    2017-08-29 08:43:07,Daemon.Info,10.3.1.2,Aug 29 08:43:07 charon: 05[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:43:07,Daemon.Info,10.3.1.2,"Aug 29 08:43:07 charon: 05[IKE] <con2000|5> received retransmit of request with ID 2426813154, but no response to retransmit"
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (76 bytes)
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[ENC] <con2000|5> parsed INFORMATIONAL_V1 request 3155446242 [ HASH D ]
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[IKE] <con2000|5> received DELETE for ESP CHILD_SA with SPI a559aaa0
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,"Aug 29 08:43:14 charon: 05[IKE] <con2000|5> CHILD_SA not found, ignored"

  • Roadwarrior users unable to access internet

    0 Votes
    3 Posts
    675 Views
    maxxer

    Found out! I have manual outbound NAT, so I needed to create a NAT rule from the IPSec subnet to the WAN interface.

  • (Solved) L2TP over IPsec not routing properly

    0 Votes
    2 Posts
    828 Views

    Sorry for the unnecessary post,

    got it to work thanks to this documentation.
    https://forum.pfsense.org/index.php?topic=83321.0

    It seems like in pfsense 2.4.0 I still have to set:

    Add a system tunable net.inet.ipsec.filtertunnel=1 (this may not be required any longer)

    Well, anyway, it works now.

  • IPSec with AD authentication

    0 Votes
    2 Posts
    2k Views
    Derelict

    It looks like the only option there is RADIUS, not LDAP. Maybe try setting up AD NPS and a RADIUS authenticator instead.

    https://doc.pfsense.org/index.php/L2TP/IPsec

  • IPSec EAP-RADIUS not pushing DNS to iOS

    0 Votes
    1 Posts
    503 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.