Thank jimp for your speed reply. I will go to contact the another company for up this value.

OpenVPN is pretty much never faster than IPsec. Not sure where you would have read otherwise. It can, however, be more flexible. If raw performance was not the #1 requirement, I would lean toward OpenVPN SSL/TLS so I could centrally-manage things.

@warmadmax: error in the log is here : Jul 27 20:50:32 charon 07[IKE] <5> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode did you add the user login? can see you've added the pre-shared key Wow, I forgot to add permissions to the users to allow it to dial in. I also changed the phase 1 to Main instead of aggressive. IPSEC Xauth PSK works like a charm now. [image: kQ3ls1E.png]

I found it, had to set keep alive in SonicWall.

After some analisys I see that in one client the Handshake use TLSv1.2 in all other use SSL. I check all settings but machine win its quite similar…

Personally, I prefer OpenVPN for that role, especially when working with multiple architectures. However, IKEv2 can work fine as well. You'll get better performance out of IKEv2, but if load is not a concern, OpenVPN can be easier and more flexible. Both are secure, so long as you use secure settings. There are articles on the Doc wiki for both setups.

Isn`t mixed traffic (IPv4 and IPv6) supported with IKEv2 or is it just mixed traffic for phase 1 and phase 2?

Hi, create a new revocation list from System->CertManager->CertificateRevocation add the certificates that you do not want to be active any more assign the new revocation list to the vpn server in my case VPN->OpenVPN->Servers You can easily choose your revocation list from the combobox Peer Certificate Revocation list. do not need to restart or refresh the change is immediately bye Domenico

I did not. Silly me. Thanks for the help!

Answer Use a new 10.6.23.0/24 subnet for this site. Then add a new P2 at the main site for 192.168.2.0/24 to 10.6.23.0/24. At the remote site add a new P2 for 10.5.35.0/24 to 192.168.2.0/24 and add the NAT address field to 10.6.23.0/24. The 1:1 NAT setting is no longer required as route-based IPsec is not supported in FreeBSD 10(pfSense 2.3.4) hopefully in 2.5. Thanks to pfSense support that gave me this valuable information. https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html

Hi, nevermind, I found the issue, some time ago I installed BIND, I think its conflicting. I stopped BIND and it works now. thanks.