• Ipsec to main site with two the same remote subnets

    0 Votes
    5 Posts
    1k Views
    Thanks for your reply jimp. I will start a new thread.
  • LAN to LAN VPN

    0 Votes
    1 Posts
    649 Views
    No one has replied
  • L2TP/IPSec doesn't work

    0 Votes
    2 Posts
    2k Views
    Just to check, did you try this bit? https://doc.pfsense.org/index.php/L2TP/IPsec#Firewall_traffic_blocked_outbound I had a very similar problem and the sloppy state bit fixed the problem for me. It's not that a specific firewall rule is blocking something, it's the state handling that interferes on the L2TP virtual interface.
  • Traffic through IPSec without NAT

    0 Votes
    2 Posts
    916 Views
    After a helpful discussion on IRC - thank you rawtaz - the problem could be solved. Generally, I have to add an additional static route for the remote network. When I create this route, I can deactivate the complete NAT handling and it works as expected.
  • 2 Tunnels up, only one passing traffic

    0 Votes
    2 Posts
    708 Views
    Fixed. While doing a trace I realized that when a packet would leave a VM in site 10 it wouldn't make it past the core switch which does intervlan routing. I went digging into it and found out that when I was setting up the VM for site 30, interface vlan 1 on the switch received an IP from the pfSense LAN interface DHCP. So the core switch thought that 10.10.30.0/24 was directly connected to VLAN1 instead of following the standard routing table. After flushing the IP on int vlan 1 everything started to work as expected.
  • Reinstalled pfSense - Failed to attach to key daemon

    0 Votes
    4 Posts
    4k Views
    Finally got it to work. The trick was to set 'Local Network' in the Phase 2 settings to 'Network', Address 0.0.0.0/0. I think the dropdown portion of this setting changed since 2.1.x. Traffic is now forced through tunnel. Still no banner, but that's a detail.
  • IPSec + NAT unable to ping servers.

    0 Votes
    10 Posts
    1k Views
    Derelict
    Glad to help. That should give you at least something to show the other side.
  • Traffic in an IPSEC tunnel affects the rest of the VPN

    0 Votes
    1 Posts
    434 Views
    No one has replied
  • VPN Connected - no route to host

    0 Votes
    2 Posts
    1k Views
    Did you allow ICMP in the IPSec FW rule?
  • SIP telephones do not register

    0 Votes
    2 Posts
    635 Views
    Try to enable "Disable Firewall Scrub" in System > Advanced > Firewall & NAT
  • Ipsec config info

    0 Votes
    3 Posts
    920 Views
    many many thanks for your reply  :) ;)
  • [SOLVED] v2.3.4 IPSEC tunnels slow to get started

    0 Votes
    1 Posts
    658 Views
    No one has replied
  • Can't establish VPN tunnel between PFSense & Sonicwall (06.08.17 it works!)

    0 Votes
    25 Posts
    7k Views
    Derelict
    Use DNS.
  • Charon.core filling file system

    0 Votes
    5 Posts
    1k Views
    That is great, thanks for the help
  • Client IPSEC ???

    0 Votes
    5 Posts
    1k Views
    Now I am using IPsec with Android 6 (Samsung), but with IKEv1, not IKEv2. With the older version it doesn't work.
  • Route to IPSec Tunnels

    0 Votes
    2 Posts
    697 Views
    jimp
    https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
  • Mobile clients(roadwarriors) IKEv2 PSK reauthentication issue

    0 Votes
    1 Posts
    581 Views
    No one has replied
  • Connected VPN mobile clients stop working after ~15mins

    0 Votes
    2 Posts
    828 Views
    tl;dr - I misread the guide. Hope this helps someone else. This is what I think is relevant from the logs:

    Jun 5 13:47:04 charon 10[ENC] <con1|364> generating CREATE_CHILD_SA response 29 [ N(NO_PROP) ]
    Jun 5 13:47:04 charon 10[IKE] <con1|364> failed to establish CHILD_SA, keeping IKE_SA
    Jun 5 13:47:04 charon 10[IKE] <con1|364> no acceptable proposal found
    Jun 5 13:47:04 charon 10[CFG] <con1|364> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
    Jun 5 13:47:04 charon 10[CFG] <con1|364> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    Jun 5 13:47:04 charon 10[ENC] <con1|364> parsed CREATE_CHILD_SA request 29 [ SA No TSi TSr ]

    Being new to this I took a guess that I'd configured MODP_1024 on pfSense but my phone didn't support this:
    pfSense: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
    Phone: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
    I only had two values in my setup that looked like they were 1024 and realised I had read the guide wrong and enabled or left at default PFS. Disabling it seems to have resolved this.
  • IPSec tunnel with public IPs, 1 for peer and 2 ED IPs. Can't set it up.

    0 Votes
    1 Posts
    527 Views
    No one has replied
  • IPsec traffic over multiple tunnels

    0 Votes
    4 Posts
    1k Views
    Yes, that looks right. Also remember to add firewall rules allowing the traffic over the IPSEC link. Using tunnel mode on IPSEC will do the routing between the pfSense boxes. You will just have to push the routes to the clients. I haven't dealt with mobile clients and IPSEC in a few years, but I would guess if you try passing the /16 for routing it would work now. Then, thinking about it for a bit: you will also want to check in the Phase 2 of the VPN connection to the mobile clients that the Local network represents all of your sites, so you might have to change that to a /16 as well.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.