• Multiple Client VPNs (IPSec)

    0 Votes
    1 Posts
    560 Views
    No one has replied
  • Correct setup for 2.3.4 and a VPN for Windows/Android?

    0 Votes
    2 Posts
    624 Views
    M
    Could you elaborate on your question? Trust me, I've been fed up about ten trillion times too ( ;) ) but, HAProxy aside (which I neither use nor know about), I have W7 and Android too, and it is doable, even easy, if only the documentation were a little bit clearer. I can try to help you.
  • Fragmented reply ICMP packets not reassembled

    0 Votes
    1 Posts
    396 Views
    No one has replied
  • IPSec, policy routing, snat

    0 Votes
    2 Posts
    701 Views
    G
    After some digging, I would say this is rather a NAT/routing issue than an IPsec one. I installed one more pfSense; let's call it PF2 and the original PF1. Settings are as follows:
    PF1 (LAN): 10.0.1.1
    PF1 (OPT1): 10.0.2.1
    PF1 (WAN): x.x.x.x
    PF2 (LAN): 10.0.1.2
    PF2 (WAN): 10.0.2.2 (gw: 10.0.2.1, the OPT1 on PF1)
    On PF1 I added a static route to the remote subnet (192.168.0.0/16) with gateway 10.0.1.2 (PF2). I'm able to access the remote subnet from the LAN on PF1. So the route for accessing the remote LAN from the PF1 LAN is: PF1 (LAN) --> PF2 (LAN) --> PF2 (WAN) --> PF1 (OPT1) --> IPsec tunnel. Everything is working as expected but doesn't seem right; is there a way to achieve the same functionality without involving PF2? I was also able to make it work with an OpenVPN server with a /28 subnet: I could NAT on the IPsec phase 2 so OVPN clients access the remote LAN, but not from the LAN directly. Best regards.
  • Ipsec ikev2 to iOS 9+ and Windows – but no certificates

    0 Votes
    1 Posts
    499 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    Derelict
    Well, you need the reciprocal phase 2 entry.
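The reply above boils down to one rule: a Phase 2 entry configured as (local, remote) on one gateway only matches an entry configured as (remote, local) on the other. The script below is an added example, not code from the thread or from pfSense; it takes each peer's Phase 2 list as it is typed on that peer and reports entries with no exact mirror, separating out pairs whose subnets overlap but differ in mask, which is the usual way a "reciprocal" entry goes wrong. The SIDE_A / SIDE_B entries are constructed for the example.

```python
"""Check that two IKE peers' Phase 2 entries mirror each other.

Added example, not from the thread. A Phase 2 entry is written as it appears on
each peer, (local_subnet, remote_subnet); the entries below are constructed.
"""
import ipaddress


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def check_reciprocal(side_a, side_b):
    """Return the Phase 2 entries on each side that have no exact mirror on the other.

    An entry (L, R) on peer A is matched only by (R, L) on peer B. Pairs whose
    subnets overlap but are not identical (the classic /24 on one side, /16 on
    the other) are listed under 'near_misses' because they look right in the
    GUI yet yield no usable IPsec SA for the traffic.
    """
    a = {(_net(l), _net(r)) for l, r in side_a}
    b = {(_net(l), _net(r)) for l, r in side_b}
    unmatched_a = sorted((e for e in a if (e[1], e[0]) not in b), key=str)
    unmatched_b = sorted((e for e in b if (e[1], e[0]) not in a), key=str)
    near_misses = [
        ((str(la), str(ra)), (str(lb), str(rb)))
        for la, ra in unmatched_a
        for lb, rb in unmatched_b
        if la.overlaps(rb) and ra.overlaps(lb)
    ]
    return {
        "unmatched_a": [(str(l), str(r)) for l, r in unmatched_a],
        "unmatched_b": [(str(l), str(r)) for l, r in unmatched_b],
        "near_misses": near_misses,
    }


# Constructed configuration: peer A carries two local subnets to a /16 remote;
# peer B mirrors the first entry correctly but was typed with /24 for the second.
SIDE_A = [("10.0.1.0/24", "192.168.0.0/16"), ("10.0.2.0/24", "192.168.0.0/16")]
SIDE_B = [("192.168.0.0/16", "10.0.1.0/24"), ("192.168.0.0/24", "10.0.2.0/24")]

if __name__ == "__main__":
    for key, value in check_reciprocal(SIDE_A, SIDE_B).items():
        print(key, value)
```

Feed it the two Phase 2 lists straight from each firewall's configuration; an empty result on all three keys is what "reciprocal" means in practice.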
  • All Tunnels rekeying after exactly 60 seconds.

    0 Votes
    1 Posts
    436 Views
    No one has replied
  • IPsec to Cisco ASA - Intermittent Resets

    0 Votes
    2 Posts
    695 Views
    R
    Today we had another disruption preceded by a lot of these log entries:
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[ENC] <con2000|5> generating INFORMATIONAL_V1 request 817940652 [ HASH N(INVAL_HASH) ]
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[IKE] <con2000|5> QUICK_MODE request with message ID 1339927066 processing failed
    2017-08-29 08:29:59,Daemon.Info,10.3.1.2,Aug 29 08:29:59 charon: 13[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:29:59,Daemon.Info,10.3.1.2,"Aug 29 08:29:59 charon: 13[IKE] <con2000|5> received retransmit of request with ID 2091090257, but no response to retransmit"
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> parsed QUICK_MODE request 1339927066 [ HASH SA No ID ID ]
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> received HASH payload does not match
    2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[IKE] <con2000|5> integrity check failed
    Other log entries that looked suspicious are:
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[ENC] <con2000|5> generating INFORMATIONAL_V1 request 3211985302 [ HASH N(PLD_MAL) ]
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[IKE] <con2000|5> QUICK_MODE request with message ID 3438183006 processing failed
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,"Aug 29 08:40:47 charon: 10[ENC] <con2000|5> invalid HASH_V1 payload length, decryption failed?"
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[ENC] <con2000|5> could not decrypt payloads
    2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[IKE] <con2000|5> message parsing failed
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[ENC] <con2000|5> generating INFORMATIONAL_V1 request 1187213230 [ HASH N(INVAL_HASH) ]
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[NET] <con2000|5> sending packet: from *.*.*.254[500] to *.*.*.66[500] (76 bytes)
    2017-08-29 08:43:06,Daemon.Info,10.3.1.2,Aug 29 08:43:06 charon: 05[IKE] <con2000|5> QUICK_MODE request with message ID 879409864 processing failed
    2017-08-29 08:43:07,Daemon.Info,10.3.1.2,Aug 29 08:43:07 charon: 05[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (172 bytes)
    2017-08-29 08:43:07,Daemon.Info,10.3.1.2,"Aug 29 08:43:07 charon: 05[IKE] <con2000|5> received retransmit of request with ID 2426813154, but no response to retransmit"
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[NET] <con2000|5> received packet: from *.*.*.66[500] to *.*.*.254[500] (76 bytes)
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[ENC] <con2000|5> parsed INFORMATIONAL_V1 request 3155446242 [ HASH D ]
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[IKE] <con2000|5> received DELETE for ESP CHILD_SA with SPI a559aaa0
    2017-08-29 08:43:14,Daemon.Info,10.3.1.2,"Aug 29 08:43:14 charon: 05[IKE] <con2000|5> CHILD_SA not found, ignored"
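The entries quoted in that post are a recognisable IKEv1 pattern (Quick Mode requests from the peer failing the HASH check or not decrypting at all, INVAL_HASH / PLD_MAL notifies going back, and finally a DELETE for a CHILD_SA this side never had), and it is easier to see when the lines are grouped per IKE connection than in a raw syslog export. The script below is an added example, not code from the post, from pfSense or from strongSwan: it parses syslog-CSV lines of the shape shown above, classifies each charon message and prints a per-connection summary with a heuristic verdict. The sample lines are constructed for this script, modelled on the post's entries (plus one healthy "established" line on a second connection), and the verdict wording is this editor's interpretation rather than anything charon itself reports.

```python
"""Triage charon (strongSwan) IKEv1 log lines like those quoted in the post.

Added example, not code from the thread. The sample entries below are
constructed for this script, modelled on the syslog-to-CSV shape in the post
(``date time,facility,host,message``; a message containing a comma is quoted).
"""
import csv
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[ENC] <con2000|5> generating INFORMATIONAL_V1 request 817940652 [ HASH N(INVAL_HASH) ]
2017-08-29 08:29:55,Daemon.Info,10.3.1.2,Aug 29 08:29:55 charon: 13[IKE] <con2000|5> QUICK_MODE request with message ID 1339927066 processing failed
2017-08-29 08:29:59,Daemon.Info,10.3.1.2,"Aug 29 08:29:59 charon: 13[IKE] <con2000|5> received retransmit of request with ID 2091090257, but no response to retransmit"
2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[ENC] <con2000|5> received HASH payload does not match
2017-08-29 08:30:03,Daemon.Info,10.3.1.2,Aug 29 08:30:03 charon: 13[IKE] <con2000|5> integrity check failed
2017-08-29 08:40:39,Daemon.Info,10.3.1.2,Aug 29 08:40:39 charon: 14[ENC] <con2000|5> generating INFORMATIONAL_V1 request 3211985302 [ HASH N(PLD_MAL) ]
2017-08-29 08:40:47,Daemon.Info,10.3.1.2,"Aug 29 08:40:47 charon: 10[ENC] <con2000|5> invalid HASH_V1 payload length, decryption failed?"
2017-08-29 08:40:47,Daemon.Info,10.3.1.2,Aug 29 08:40:47 charon: 10[ENC] <con2000|5> could not decrypt payloads
2017-08-29 08:43:14,Daemon.Info,10.3.1.2,Aug 29 08:43:14 charon: 05[IKE] <con2000|5> received DELETE for ESP CHILD_SA with SPI a559aaa0
2017-08-29 08:43:14,Daemon.Info,10.3.1.2,"Aug 29 08:43:14 charon: 05[IKE] <con2000|5> CHILD_SA not found, ignored"
2017-08-29 08:45:00,Daemon.Info,10.3.1.2,Aug 29 08:45:00 charon: 07[IKE] <con1000|2> CHILD_SA con1000{3} established with SPIs c1a2b3c4_i d5e6f7a8_o
"""

# Common prefix of every charon message: "<thread>[<group>] <<conn>|<ike-sa>> <text>".
MSG_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>\w+)\] <(?P<conn>[^>]+)> (?P<text>.*)$")

# Ordered (label, pattern) pairs; the first match classifies the line.
EVENTS = [
    ("notify_sent",    re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\((?P<notify>\w+)\) \]")),
    ("qm_failed",      re.compile(r"QUICK_MODE request with message ID \d+ processing failed")),
    ("hash_mismatch",  re.compile(r"received HASH payload does not match|integrity check failed")),
    ("decrypt_failed", re.compile(r"could not decrypt payloads|invalid HASH_V1 payload length")),
    ("retransmit",     re.compile(r"received retransmit of request")),
    ("delete_unknown", re.compile(r"CHILD_SA not found, ignored")),
    ("delete",         re.compile(r"received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")),
    ("established",    re.compile(r"CHILD_SA \S+ established")),
]


def parse_line(line):
    """Return (timestamp, conn, label, detail), or None for lines without a charon prefix."""
    fields = next(csv.reader([line]))
    if len(fields) < 4:
        return None
    message = ",".join(fields[3:])          # tolerate an unquoted comma in the message
    m = MSG_RE.search(message)
    if not m:
        return None
    for label, pattern in EVENTS:
        hit = pattern.search(m["text"])
        if hit:
            detail = hit.groupdict().get("notify") or hit.groupdict().get("spi") or ""
            return fields[0], m["conn"], label, detail
    return fields[0], m["conn"], "other", ""


def verdict(events, notifies):
    """Heuristic reading of the event mix (the editor's interpretation, not charon's own diagnosis)."""
    if events["hash_mismatch"] or events["decrypt_failed"]:
        return ("ISAKMP SA disagreement: the peer's Quick Mode messages fail the hash/decryption "
                "check, so the two ends are not keying from the same Phase 1 SA (e.g. a stale or "
                "duplicate IKE SA after a reset). Compare IKE SAs on both gateways before changing "
                f"Phase 2 proposals. Notifies sent to peer: {', '.join(sorted(notifies)) or 'none'}.")
    if events["qm_failed"]:
        return "Quick Mode failing without crypto errors: check Phase 2 proposals and selectors."
    if events["delete_unknown"]:
        return "Peer deleted a CHILD_SA we do not track: SA state out of sync; look for an earlier reset."
    return "no anomalies classified"


def summarize(log_text):
    """Group classified events per IKE connection and attach a triage verdict."""
    per_conn = defaultdict(lambda: {"events": Counter(), "notifies": Counter(),
                                    "deleted_spis": [], "first": None, "last": None})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, conn, label, detail = parsed
        rec = per_conn[conn]
        rec["events"][label] += 1
        if label == "notify_sent":
            rec["notifies"][detail] += 1
        elif label == "delete":
            rec["deleted_spis"].append(detail)
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    for rec in per_conn.values():
        rec["verdict"] = verdict(rec["events"], rec["notifies"])
    return dict(per_conn)


if __name__ == "__main__":
    for conn, rec in summarize(SAMPLE_LOG).items():
        print(f"{conn}: {rec['first']} .. {rec['last']} {dict(rec['events'])}")
        print(f"  notifies sent: {dict(rec['notifies'])}  deleted SPIs: {rec['deleted_spis']}")
        print(f"  verdict: {rec['verdict']}")
```

Replace SAMPLE_LOG with the text of the exported log to run it against real data. The point of the verdict ordering is that a HASH or decryption failure on a Quick Mode message is a Phase 1 keying problem, not a Phase 2 proposal problem: both ends are computing with different ISAKMP SA material, so the first thing to compare after a disruption like the one in the post is which IKE SAs each gateway still holds, not the ESP transform list.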
  • Roadwarrior users unable to access internet

    0 Votes
    3 Posts
    753 Views
    maxxer
    Found out! I have manual outbound NAT, so I needed to create a NAT rule from the IPsec subnet to the WAN interface.
  • (Solved) L2TP over IPsec not routing properly

    0 Votes
    2 Posts
    881 Views
    E
    Sorry for the unnecessary post, I got it to work thanks to this documentation: https://forum.pfsense.org/index.php?topic=83321.0 It seems like in pfSense 2.4.0 I still have to set: Add a system tunable net.inet.ipsec.filtertunnel=1 (this may not be required any longer). Well, anyway, it works now.
  • IPSec with AD authentication

    0 Votes
    2 Posts
    2k Views
    Derelict
    It looks like the only option there is RADIUS, not LDAP. Maybe try setting up AD NPS and a RADIUS authenticator instead. https://doc.pfsense.org/index.php/L2TP/IPsec
  • IPSec EAP-RADIUS not pushing DNS to iOS

    0 Votes
    1 Posts
    548 Views
    No one has replied
  • Diffie Hellman group error phase 1

    0 Votes
    20 Posts
    4k Views
    E
    LOL, pfSense does funny things.
  • Mobile VPN for android/ios

    0 Votes
    2 Posts
    779 Views
    E
    LOL, I don't know what it was, but I recreated it and connected just fine. I can browse the internet and access remote local data. Perfect. It's knocking out a VPN, gotta see why this is happening.
  • No XAuth secret found

    0 Votes
    5 Posts
    3k Views
    E
    I just tried this, not working lol :(
  • Trying to hook up Sophos XG to PFSense via ipsec, need help.

    0 Votes
    4 Posts
    2k Views
    Derelict
    I have a Sophos UTM VM in my lab. IPsec between it and pfSense works fine.
  • Squid is blocking access through IPsec tunnel between 2 firewalls

    0 Votes
    1 Posts
    446 Views
    No one has replied
  • Multiple Mobile Users with subnets?

    0 Votes
    1 Posts
    416 Views
    No one has replied
  • [SOLVED]Could not authenticate with XAuth secrets

    0 Votes
    2 Posts
    2k Views
    R
    I'm now able to create a tunnel between my pfSense, Macs and iPhone with iOS 10. Thanks to https://blog.andregasser.net/en/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/ I'm still not able to access the network behind the firewall. If I cannot find any answer with the search engine, I'm going to create a new subject.
  • [SOLVED]Couldn't find the proper pskey - Iphone And IPSec

    0 Votes
    3 Posts
    1k Views
    R
    Hi, thanks for this reply. Unfortunately I changed the lifetime of P1 and P2 to the values you suggested, but I have the same message. The Auto Update is in process. Let's see …
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.