Use check box in P1:  Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA.

This is possible with both DrayTek and pfSense, however I assume by now you have resolved the issue!

push :X

I'm really not a VoIP guru, but whenever I have this behavior (calls dropped after a time-out), it is when there is a wrong NAT behavior somewhere.  The PBX side would be receiving packets where the source IP at network & transport layer doesn't match the IP declared at the SIP application layer Could it be that it was working before because your PBX setting was "easy" and therefore you were not noticing this NAT issue? Can you check on the PBX to see the source IPs of the stations registering, and check the tables for the registered extensions, and see if there is a match?

I've done OpenVPN to NordVPN (I've even played around with 4 tunnels and load-balancing on the 4 tunnels) But haven't been able to configure IKEv2 towards NordVPN.  I read the guides you mentionned, but from what I read, MSCHAP can be configured for an IKEv2 server on pfSense, not an IKEv2 client on pfSense.  The guide on IKEv2 that you linked to is written for a IKEv2 server on pfSense, and remote clients like IOS or Android. Here's what I did: download root certificate from NordVPN convert to PEM format import as a CA in System->Certificate Go to VPN->IPSec and setup a sit to site tunnel. However, in the authentication box, either I see "Shared PSK" or "RSA" I have tried both settings, selecting the Root NordVPN cert for the remote in the "RSA" mode, or using my NordVPN password as the pre-shared-key when in "PSK" more When I go to the status page, and click "connect", it goes back to the "disconnected" state almost instantly.  When I check the logs, I keep getting an authentication failed reply from the NordVPN server. I might be missing something, though  :o

My goal is the network from Site A (10.1.1.x/24) able to reach the network at Site C (10.3.3.x/24) regardless the traffic from A will be NAT to site B and will carry the IP Site B (10.2.2.x/24) instead. Also the same for Site C whereby it will carry the Site B IP in order to communicate with network on Site A. Site A (10.1.1.x/24)<–---------> Site B (10.2.2.x/24) <-----------> Site C (10.3.3.x/24)                               IPSEC & NAT                              IPSEC & NAT Probably the above illustration perhaps may give you some idea. Thank you in advance.

Had a look at the file /usr/local/etc/strongswan.conf using grep "28675" strongswan.conf | hexdump -C and it looks like it just puts a newline at the end of the line so can't imagine this is a pfsense bug. 00000040  4c 45 41 56 45 4d 45 48  45 52 45 0a              |LEAVEMEHERE.| 0000004c Any suggestions to try and work out where the bug is ?

Because we don't want to use certificates on clients like iOS. Authentication should be based on Windows AD only. When we need to use certificates, we can also use OpenVPN which we are testing at the moment. But also there I got stuck, cause I can't reach devices in LAN, but I created a post in the OpenVPN category for that case.