• Charon.core filling file system

    5
    0 Votes
    5 Posts
    990 Views
    M
    That is great, thanks for the help
  • Client IPSEC ???

    5
    0 Votes
    5 Posts
    1k Views
    S
    Now I am using IPsec with Android 6 (Samsung), but with IKEv1, not IKEv2; with the older version it does not work.
  • Route to IPSec Tunnels

    2
    0 Votes
    2 Posts
    652 Views
    jimpJ
    https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
  • Mobile clients(roadwarriors) IKEv2 PSK reauthentication issue

    1
    0 Votes
    1 Posts
    526 Views
    No one has replied
  • Connected VPN mobile clients stop working after ~15mins

    2
    0 Votes
    2 Posts
    769 Views
    J
    tl;dr - I misread the guide. Hope this helps someone else. This is what I think is relevant from the logs:
    Jun 5 13:47:04 charon 10[ENC] <con1|364> generating CREATE_CHILD_SA response 29 [ N(NO_PROP) ]
    Jun 5 13:47:04 charon 10[IKE] <con1|364> failed to establish CHILD_SA, keeping IKE_SA
    Jun 5 13:47:04 charon 10[IKE] <con1|364> no acceptable proposal found
    Jun 5 13:47:04 charon 10[CFG] <con1|364> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
    Jun 5 13:47:04 charon 10[CFG] <con1|364> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    Jun 5 13:47:04 charon 10[ENC] <con1|364> parsed CREATE_CHILD_SA request 29 [ SA No TSi TSr ]
    Being new to this I took a guess that I'd configured MODP_1024 on pfSense but my phone didn't support this:
    pfSense: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
    Phone: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
    I only had two values in my setup that looked like they were 1024 and realised I had read the guide wrong and enabled (or left at default) PFS. Disabling it seems to have resolved this.
  • IPSec tunnel with public IPs, 1 for peer and 2 ED IPs. Can't set it up.

    1
    0 Votes
    1 Posts
    480 Views
    No one has replied
  • IPsec traffic over multiple tunnels

    4
    0 Votes
    4 Posts
    1k Views
    J
    Yes, that looks right. Also remember to add firewall rules allowing the traffic over the IPsec link. Using tunnel mode on IPsec will do the routing between the pfSense boxes. You will just have to push the routes to the clients. I haven't dealt with mobile clients and IPsec in a few years, but I would guess if you try passing the /16 for routing it would work now. Then, thinking about it for a bit: you will also want to check the Phase 2 of the VPN connection to the mobile clients so that the Local network represents all of your sites, so you might have to change that to a /16 as well.
  • IPsec return packets from internet not routing back to VPN tunnel

    7
    0 Votes
    7 Posts
    3k Views
    N
    We have a similar issue trying to NAT incoming traffic from an AWS IPsec VPN static tunnel out a WAN connection (see attached image and more details below). We even used the AWS VPC VPN Wizard that comes with the paid version of pfSense. We even worked with pfSense support (Netgate), but they couldn't resolve this issue for us. I think there may be an issue with BSD NATing traffic from IPsec with the way that AWS VPC VPN. AWS changed their IPsec VPC VPN connection settings last year, and we started to get drop-outs due to more that Phase2 entries or SAs. We removed our Phase2 SAs and got the tunnels working using routing on the AWS -> VPC -> VPN Connection -> "Static Routes". This fixed things for a bit. Recently AWS changed their IPsec VPC VPN connection settings again, and this caused us some real problems with pfSense. We found strange traffic when capturing packets from pfSense, or capturing packets from a device outside the WAN interface of our pfSense box. We were seeing replies to AWS IPsec NATed traffic, coming back from the Internet, that were addressed to the WAN address AND the private non-NATed IP address of the AWS system. This meant that pfSense was somehow mangling the packet and sending the private IP address out the WAN. Netgate claimed it was the fault of the system on the Internet trying to communicate with the AWS private IP. There would be no other way for the Internet system to know the private IP of the AWS system. It seems pfSense is unable to properly NAT traffic coming from an AWS VPC static IPsec tunnel. ![2016-05-11 NATting AWS IPSec traffic out WAN.jpg](/public/imported_attachments/1/2016-05-11 NATting AWS IPSec traffic out WAN.jpg)
  • IPSEC over GRE tunnel

    2
    0 Votes
    2 Posts
    999 Views
    D
    Up. Any ideas? What can the devs say?
  • Cannot see one device in WAN to WAN connected network

    1
    0 Votes
    1 Posts
    585 Views
    No one has replied
  • Start IpSec via Command Line

    3
    0 Votes
    3 Posts
    7k Views
    J
    I found the way: /usr/local/sbin/ipsec up <connection name>, and the connection name I can take from this file: /var/etc/ipsec/ipsec.conf, which is automatically generated. Problem now is that after creating a new IPsec tunnel via the command line, the ipsec.conf file is NOT getting updated and I cannot start my IPsec tunnel from a command. Thoughts? I already tried with these commands:
    /usr/local/sbin/ipsec update
    /usr/local/sbin/ipsec reload
  • Traffic from pfsense device not passed over ipsec tunnel

    3
    0 Votes
    3 Posts
    715 Views
    B
    Thanks, that explains it!
  • Same remote ID

    7
    0 Votes
    7 Posts
    2k Views
    J
    Hello, I'm working with strongSwan on a Debian distribution, with this config file:
    config setup
    conn c5domain
        type=tunnel
        left=81.25.126.250
        leftsubnet=10.200.1.0/24
        leftid=82.125.124.251
        right=c5.domain.es
        rightid=219.129.126.161
        rightsubnet=192.168.220.0/24
        installpolicy=yes
        #Encryption
        dpdaction=restart
        dpddelay=10s
        dpdtimeout=60s
        #keyingtries=0
        esp=3des-sha1-modp1024
        ike=3des-sha1-modp1024
        authby=secret
        keyexchange=ikev2
        rekey=yes
        reauth=yes
        forceencaps=no
        mobike=no
        fragmentation=yes
        #lifetime ikelifetime=28800s
        lifetime=28800s
        auto=route
    I tested it and it works fine, but when I configure it in pfSense it does not work. The Linux strongSwan version is U5.2.1/K3.16.0; in FreeBSD it is strongSwan U5.5.1/K10.3. Can you help me? Next week I'll test editing the files manually.
  • L2TP / IPSEC Does not work

    5
    0 Votes
    5 Posts
    1k Views
    K
    @kapara: what are your clients running? I use IPsec (not L2TP) and all clients have no issues. Flawless. Kapara, I use Windows 10. I set up L2TP/IPsec using this link https://doc.pfsense.org/index.php/L2TP/IPsec As you mentioned we can use just IPsec for Remote Access on pfSense. Can you send me the instructions for it?
  • IPSec Tunnel using Proxy ARP Virtual IP

    5
    0 Votes
    5 Posts
    3k Views
    DerelictD
    You cannot bind any services running on the firewall to a proxy arp vip. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses You can probably tell OpenVPN to listen on localhost and port forward to it like you described. Not sure about IPsec.
  • Low throughput in IPSEC and OpenVPN

    7
    0 Votes
    7 Posts
    2k Views
    S
    I tried iPerf, FTP, SSH, SMB, HTTP. I said 60 Mbps but I don't know why I said that, because I can't really pass through 25-30 Mbps. I tried with and without AES-NI and it was worse without. Since my first post, each end can transfer up to 1.5 Gbps end to end through each pfSense (NATed servers) without VPN (HTTP, FTP, SSH (a bit slower)).
  • IPSEC PSK Re Authentication Issue

    7
    0 Votes
    7 Posts
    1k Views
    Z
    Hi, I still have this issue and I'm not sure how to debug it. Can anyone share some advice on how to resolve this? Thanks
  • MOVED: Acesso IPSec + Nat

    Locked
    1
    0 Votes
    1 Posts
    501 Views
    No one has replied
  • IPsec with Cisco RV082 over NAT

    1
    0 Votes
    1 Posts
    562 Views
    No one has replied
  • IPsec tunnel one-way traffic

    1
    0 Votes
    1 Posts
    706 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.