• Phase 2 question

    5
    0 Votes
    5 Posts
    924 Views
    jimpJ
    Aliases won't work there. You will either have to make each combination of P2 or, if the subnets are next to each other and line up nicely, summarize them with a larger mask. If you can provide some more detail about the networks (even just the last 2-3 octets), perhaps we can offer some suggestions about how to craft the P2s.
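    The two options in that reply, as an added example that is not part of the thread or of pfSense: given the local and remote subnets of a tunnel, work out how many Phase 2 entries are needed once adjacent, aligned prefixes have been merged, and, for prefixes that do not line up, what the single "larger mask" covering them would be and how much foreign address space it drags in. The networks in the usage block are constructed; function names are this example's own.

```python
import ipaddress
from itertools import product


def _nets(spec):
    """Parse CIDR strings into network objects (strict: host bits set raises)."""
    return [ipaddress.ip_network(n) for n in spec]


def summarize_phase2(local_nets, remote_nets):
    """Return the minimal list of (local, remote) Phase 2 selector pairs.

    Adjacent, correctly aligned prefixes are merged into one larger prefix
    (10.0.0.0/24 + 10.0.1.0/24 -> 10.0.0.0/23); everything else stays
    separate, and one P2 entry is needed per local x remote combination.
    """
    local = sorted(ipaddress.collapse_addresses(_nets(local_nets)))
    remote = sorted(ipaddress.collapse_addresses(_nets(remote_nets)))
    # A local network overlapping a remote one cannot be routed through the
    # tunnel sensibly; refuse rather than emit a broken policy.
    for loc, rem in product(local, remote):
        if loc.overlaps(rem):
            raise ValueError(f"local {loc} overlaps remote {rem}")
    return [(str(loc), str(rem)) for loc, rem in product(local, remote)]


def covering_prefix(nets):
    """Smallest single prefix that contains every given network.

    This is the 'larger mask' shortcut for prefixes that do not line up. It
    also covers address space that is not on the remote side, so check the
    result against local and other tunnel subnets before using it as a
    traffic selector.
    """
    nets = _nets(nets)
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def wasted_addresses(nets):
    """How many addresses the covering prefix adds beyond the real subnets."""
    cover = covering_prefix(nets)
    return cover.num_addresses - sum(n.num_addresses for n in _nets(nets))


if __name__ == "__main__":
    # Constructed example networks, not taken from the thread.
    print(summarize_phase2(["192.168.1.0/24"], ["10.0.0.0/24", "10.0.1.0/24"]))
    print(summarize_phase2(["192.168.1.0/24", "192.168.5.0/24"],
                           ["10.0.1.0/24", "10.0.2.0/24"]))
    print(covering_prefix(["10.0.1.0/24", "10.0.2.0/24"]),
          wasted_addresses(["10.0.1.0/24", "10.0.2.0/24"]))
```

    Whatever list this produces, the other end of the tunnel has to carry exactly the same selectors; a summarized prefix on one side and individual /24s on the other will negotiate nothing.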
  • [SOLVED] 2 IPSec tunnels with same remote network

    5
    0 Votes
    5 Posts
    1k Views
    M
    Thanks a lot for your help!
  • "peer requested EAP, config inacceptable" with IKEv2 and EAP-RADIUS

    9
    0 Votes
    9 Posts
    12k Views
    G
    @j@svg: Logs:

    Log entries
    Dec 16 11:51:20 charon: 16[NET] <bypasslan|1> sending packet: from 216.x.x.x[4500] to 215.x.x.x[61443] (68 bytes)
    Dec 16 11:51:20 charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
    Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> no alternative config found
    Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
    Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
    Dec 16 11:51:20 charon: 16[CFG] <1> looking for peer configs matching 216.x.x.x[216.x.x.x]...215.x.x.x[192.168.125.2]
    Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Dec 16 11:51:20 charon: 16[NET] <1> received packet: from 215.x.x.x[61443] to 216.x.x.x[4500] (316 bytes)
    Dec 16 11:51:20 charon: 16[NET] <1> sending packet: from 216.x.x.x[500] to 215.x.x.x[30930] (353 bytes)
    Dec 16 11:51:20 charon: 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Dec 16 11:51:20 charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-ec-ca, E=info@xxx.com"
    Dec 16 11:51:20 charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-eap-ec-ca, E=info@xxx.com"
    Dec 16 11:51:20 charon: 16[IKE] <1> remote host is behind NAT
    Dec 16 11:51:20 charon: 16[IKE] <1> 215.x.x.x is initiating an IKE_SA
    Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

    Any help much appreciated!

    I've encountered this before in my testing although I can't remember specifically what I did for this particular condition. Take a look at the Phase 1 and Phase 2 settings in this doc: https://forum.pfsense.org/index.php?topic=127457.0
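    An added example, not from the thread or from pfSense: a small Python parser for charon log excerpts like the one quoted above. pfSense shows the IPsec log newest first, so the script first restores chronological order, then pulls out the fields that decide an IKE_AUTH outcome: who initiated, whether NAT was detected, the local and remote identities charon used for config matching, the peer config it selected, and the notifies that followed. SAMPLE_LOG is constructed to mirror the excerpt (TEST-NET addresses, cert request lines omitted); the field names are this example's own.

```python
import re

# Constructed sample modelled on the charon excerpt in the thread above;
# addresses are TEST-NET placeholders. Listed newest first, as pfSense shows it.
SAMPLE_LOG = """\
Dec 16 11:51:20 charon: 16[NET] <bypasslan|1> sending packet: from 203.0.113.1[4500] to 198.51.100.2[61443] (68 bytes)
Dec 16 11:51:20 charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> no alternative config found
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
Dec 16 11:51:20 charon: 16[CFG] <1> looking for peer configs matching 203.0.113.1[203.0.113.1]...198.51.100.2[192.168.125.2]
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DNS) SA TSi TSr ]
Dec 16 11:51:20 charon: 16[IKE] <1> remote host is behind NAT
Dec 16 11:51:20 charon: 16[IKE] <1> 198.51.100.2 is initiating an IKE_SA
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
"""

# "Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> message..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$"
)

# "looking for peer configs matching LOCAL_ADDR[LOCAL_ID]...REMOTE_ADDR[REMOTE_ID]"
MATCHING_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_addr>[^\[\]\s]+)\[(?P<local_id>[^\[\]\s]+)\]\.\.\."
    r"(?P<remote_addr>[^\[\]\s]+)\[(?P<remote_id>[^\[\]\s]+)\]"
)


def parse_charon_log(text, newest_first=True):
    """Parse charon lines into dicts and return them in chronological order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries[::-1] if newest_first else entries


def triage_ike_auth(entries):
    """Extract what decided the outcome of an IKE_AUTH exchange.

    Which peer config charon selects depends on the addresses and identities
    in the 'looking for peer configs matching' line; when the selected config
    cannot satisfy what the peer then asks for (here EAP) and no alternative
    matches, the response carries N(AUTH_FAILED).
    """
    t = {"initiator": None, "behind_nat": False, "local_id": None,
         "remote_id": None, "peer_config": None, "eap_requested": False,
         "auth_failed": False, "reasons": []}
    for e in entries:
        msg = e["msg"]
        if (m := re.match(r"(\S+) is initiating an IKE_SA$", msg)):
            t["initiator"] = m.group(1)
        elif msg == "remote host is behind NAT":
            t["behind_nat"] = True
        elif (m := MATCHING_RE.match(msg)):
            t["local_id"], t["remote_id"] = m["local_id"], m["remote_id"]
        elif (m := re.match(r"selected peer config '([^']+)'", msg)):
            t["peer_config"] = m.group(1)
        elif msg.startswith("peer requested EAP"):
            t["eap_requested"] = True
            t["reasons"].append(msg)
        elif msg == "no alternative config found":
            t["reasons"].append(msg)
        elif "N(AUTH_FAILED)" in msg:
            t["auth_failed"] = True
    return t


if __name__ == "__main__":
    for k, v in triage_ike_auth(parse_charon_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

    The identities on the "looking for peer configs matching" line are what to compare with the Phase 1 identifier settings on both ends: in the excerpt the only config that matched was 'bypasslan', which evidently does not offer EAP, and with no alternative config the exchange ended in AUTH_FAILED.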
  • Windows 10 IPsec IKEv2 connection with standard Microsoft VPN Client

    16
    0 Votes
    16 Posts
    46k Views
    G
    See this posting for a new updated IKEv2 EAP-MSCHAP document that works with BOTH Windows 10 AND OSX. https://forum.pfsense.org/index.php?topic=127457.0 It combines some of the stuff in this thread in one place. Hope it helps.
  • IPSec tunnel gets established but then drops after 15 seconds

    1
    0 Votes
    1 Posts
    624 Views
    No one has replied
  • Pfsense 2.3.2 VPN to FritzBox 7490 06.60

    8
    0 Votes
    8 Posts
    12k Views
    C
    Hi guys, I have a similar problem: the connection is active but traffic exchange is impossible. How would you configure pfSense for traffic exchange? Thx
  • IPSec fails with "no shared key found for '%any'"

    2
    0 Votes
    2 Posts
    12k Views
    J
    I fixed this by switching the remote Peer ID to something other than Key ID; I used Distinguished Name and set it to the dynamic DNS hostname for the remote site.
  • Add Ipsec Road warriors idle timeout

    1
    0 Votes
    1 Posts
    466 Views
    No one has replied
  • IPSEC initiator - automatically re establish connection. ?

    2
    0 Votes
    2 Posts
    711 Views
    W
    Hello, I'm a newbie on pfSense but I had the same question! I mocked up a platform for a client and when I simulate an interruption, the IPsec VPN doesn't come back up. Did you find a solution? Regards, W.
  • [SOLVED] Connect to IPsec from local WLAN

    4
    0 Votes
    4 Posts
    6k Views
    P
    Hello Stefani, I have the same issue as you, as seen in https://forum.pfsense.org/index.php?topic=126332.0 My question: did you resolve the issue? For me it is not really clear whether you can connect from the internal LAN now. Thanks, Perino
  • 0 Votes
    3 Posts
    746 Views
    R
    @jecrabtree: What rules are assigned in IPSEC on both sides? On the Meraki side I just put in the PSK and the subnet that would be on this side.  This tunnel worked to a previous Meraki box and to a watchguard box. I matched up the IPSec settings and my SPDs look good.  Just no traffic flows.
  • 0 Votes
    1 Posts
    631 Views
    No one has replied
  • IPSEC NAT/Binat with routed subnets not Natting or passing traffic

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    J
    Got it solved. It ended up being a configuration in the Traffic Shaper. I had HFSC configured on all the interfaces; however, after adding the new interface I did not copy the settings into the new interface. I clicked "remove shaper" and the second that happened all traffic was flowing correctly. I then ran the Multi-All wizard, and at that time it wouldn't complete without throwing an error about a speed mismatch. This particular interface is 100MB; however, the WAN interface has a lot more. This was the only thing I could see as the issue. After some TLC the shaper is back in without errors and traffic is still flowing.

    I have seen this before on other HFSC implementations, either from an interface being added or an upgrade causing traffic to just stop being passed; even if the rule has no queues set, the matched traffic just doesn't work. Anyway, if you're reading this and have HFSC set up and are seeing a similar issue, go ahead and remove it to see if that corrects it. You'll likely find the issue when you attempt to run the wizard again, as it will likely not complete and load the rules without an error; at least in my case that was it.

    As for the setup: there is a LAN Core on site at the main office that detours specific matching traffic to the P2P Core that is in a rack at a datacenter offsite. That P2P Core will either send the traffic to one of the multiple sites or to the interface on the pfSense FW in the datacenter. This was the FW we experienced the problem from. (Cores are Layer 3 switches performing routing functions for sites or inter-VLAN traffic.)
  • IPSec connection attempt isn't blocked.

    3
    0 Votes
    3 Posts
    658 Views
    P
    @zMaliz: Why doesn't this stop the connections ? Because when configuring a VPN, hidden firewall rules are automatically added to allow the corresponding traffic in. I would assume that you allow mobile clients in as then the source address of the above mentioned hidden rules is set to any. You could disable these VPN rules from being automatically created (System, Advanced, Firewall and NAT, Disable Auto-added VPN rules) but then you'd have to manually add your own rules on the WAN interface to allow the legitimate IPsec traffic.
  • Cant connect to internet via IPSEC

    1
    0 Votes
    1 Posts
    430 Views
    No one has replied
  • IPSec VPN connection from internal LAN

    2
    0 Votes
    2 Posts
    1k Views
    S
    I've got the same issue: https://forum.pfsense.org/index.php?topic=123650.0 So far no solution found.
  • Blackhole Remote Network addresses if tunnel is down

    3
    0 Votes
    3 Posts
    1k Views
    J
    That is a sweet solution, thank you! I searched the pfSense Book earlier for Egress filtering, thinking I could filter on outbound from an interface someplace, but didn't find it.  Didn't realize you could specify direction on Floating rules.  Thanks again!
  • Remotely access LAN with UDP autodiscover for media devices

    1
    0 Votes
    1 Posts
    460 Views
    No one has replied
  • Version 2.3 IPSec both sides

    7
    0 Votes
    7 Posts
    2k Views
    4
    I have the same "no IKE" error when I configured CARP IPsec MSCHAPv2 for Win8/10 as seen in https://www.youtube.com/watch?v=xV1vEl4XAnw but did not change the WAN IP for the WAN CARP IP.
  • Connecting to Cisco ASA - Dual WAN

    1
    0 Votes
    1 Posts
    550 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.