• 0 Votes
    2 Posts
    694 Views
    jimpJ
    No, you can't give any fixed/predictable address to clients with mobile IPsec at this time. It's simple to do with OpenVPN though.
  • IPSec Issue with Meraki MX65 and PFSense box

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multi-client site to site ipsec tunnels

    5
    0 Votes
    5 Posts
    1k Views
    M
@TheSec: In my opinion you are already using the best option available. I think that if you tried to consolidate this onto a few hosts, the firewall rules alone would give you nightmares, apart from all the other config elements you would have to manage on that box. Also, how would you handle downtime? Then you would have to get permission from more than one client. I think it would be better to have 75 or more pfSense boxes running than a few with a lot of connections, because you have to keep things separated, and what better way than what you are already doing? If you really want to switch things up, have a look at Docker / Ansible or Puppet. Make a template where you just have to put in the unknown vars and the rest gets built automatically. Then you can also test whether new versions of pfSense break stuff ;) Hope it helps ;)

TheSec: Not the answer I was hoping for, but you bring up some really good points. It is definitely easier to troubleshoot and to do maintenance when I'm working on one client and it doesn't affect anyone else. And my rules are fairly simple per client.
  • 0 Votes
    3 Posts
    1k Views
    N
    Thank you for your reply. For site-site VPNs, I definitely see the value of DPD.  Disabling DPD for client-site VPNs is an interesting thought, but that alone doesn't sound like it will address what I am hoping to achieve through GUI configuration only.
  • Allowing custom connection definitions to be set from the GUI

    3
    0 Votes
    3 Posts
    2k Views
    N
    I would find this option useful as well, to be able to set connection inactivity configuration.
  • Site2pfSsense2Site

    1
    0 Votes
    1 Posts
    630 Views
    No one has replied
  • From localhost to remote site

    5
    0 Votes
    5 Posts
    2k Views
    F
Hi together! Sorry for reactivating this topic, but I'm actually running into the same issue as ronicontora. I know this post is old, but I'm wondering a bit that this is still the case in the current release. As far as I know there is no option in the BIND section to map a specific IP or virtual IP for zone transfers. It is possible to map an interface for incoming requests, but it seems that it's still not using its own LAN interface to connect to other BIND servers. Is there still no possibility, or am I totally wrong? My setup is nearly the same as in the initial post, just with other network ranges which are connected over an IPsec tunnel. Sorry, but my English is not the best atm. Thanks in advance for all hints. Best regards
  • IPSec Site to Site VPN established but no traffic

    3
    0 Votes
    3 Posts
    2k Views
    T
I have the same problem, with the same config. There is a connection but no traffic. Is there anybody who solved this problem?
  • Fail-over gateway group + IPsec road warriors = VPN routing broken

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • PfSense as a VPN Appliance running on Azure

    5
    0 Votes
    5 Posts
    3k Views
    T
Also, just noticed I put 4 cents a month. It's 4 cents an hour. I'm editing my original post.
  • IPSEC tunnel not reliable

    3
    0 Votes
    3 Posts
    841 Views
    G
    That worked! Thanks :)
  • IKEv2 SA closes connection

    5
    0 Votes
    5 Posts
    9k Views
    K
Should this be moved to the 2.4 development snapshots forum (is this a regression? It seems that people are using IKEv2 for site-to-site 24/7 tunnels, so this should work unless I have made a mistake somewhere (that I cannot find))? Added https://redmine.pfsense.org/issues/7439
  • PBR with IPSec VPN

    1
    0 Votes
    1 Posts
    486 Views
    No one has replied
  • Losing ipsec Phase2 when lots of traffic passes

    1
    0 Votes
    1 Posts
    421 Views
    No one has replied
  • IPSec from pfsense to win server 2012 firewall with advanced settigns

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • Pfsense to pfsense VPN using IPSec + Mobile VPN. Suggestions?

    3
    0 Votes
    3 Posts
    835 Views
    K
    Ok thanks. I'll give it a whirl!
  • IPSec mobile client max limit

    1
    0 Votes
    1 Posts
    352 Views
    No one has replied
  • IPSec Transport Mode

    2
    0 Votes
    2 Posts
    2k Views
    H
    I've done some more testing with this and I'm a bit confused by what I am seeing.  When I ping 192.168.1.20 from the pfsense console on 192.168.1.10, the pings go through and I see the traffic has been encapsulated when I do a packet capture.  If I try to ping from a host behind the firewall, I see that the ICMP traffic has not been encapsulated.  A traffic capture on the peer shows the ping, however, the reply does not show as being transmitted.  The firewall log shows that the echo request came in on the WAN, not IPsec. I believe the issue here is that the pings are not being encapsulated and if I can get that worked, GRE will also come alive.  I tried dumping the pfsense built IPsec.conf for a simpler file, however, the traffic is still not flowing as expected. It seems like this is something that should just work, so I'm a bit baffled that it is not.  Does anyone else have transport mode working in this manner?
  • 0 Votes
    2 Posts
    645 Views
    D
I solved it by looking at and playing with these things: in IPsec - Mobile Clients tab -> Network configuration for Virtual Address Pool, use a totally different subnet. For example, if your LAN subnet is 192.168.0.X then use 10.1.1.0 or whatever... In Windows 10, set "Use default gateway on remote network"; you find this under Network Connections... Properties... IPv4 TCP/IP properties... Advanced... IP Settings tab. Hope this helps... I spent a lot of time on this... Best regards...
  • IKEv2 Child SA - beware phase 2 DH on macOS/iOS

    5
    0 Votes
    5 Posts
    5k Views
    K
Got an answer from Apple (for the iOS ticket, not the macOS one, Q.E.D. :)). For IKEv2 on the iOS device to use the configured DH groups in Child Rekey, you will need to set the Enable Perfect Forward Secrecy option in the Apple Configurator application. Had not checked that, facepalm. For the test I have set Group 1 for 20 min rekeying, Group 2 for 10 min rekeying.

On connect phase 1:
```
charon 05[CFG] <31> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
charon 05[CFG] <31> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
charon 05[CFG] <31> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
```

On connect phase 2:
```
charon 11[CFG] <con1|37> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
charon 11[CFG] <con1|37> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 11[CFG] <con1|37> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
```

On rekey phase 2:
```
charon 10[CFG] <con1|32> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 10[CFG] <con1|32> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 10[CFG] <con1|32> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 10[CFG] <con1|32> proposal matches
charon 10[CFG] <con1|32> selecting proposal:
charon 10[ENC] <con1|32> parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
```

On rekey phase 1:
```
charon 15[CFG] <con1|31> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
charon 15[CFG] <con1|31> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
charon 15[CFG] <con1|31> received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
charon 15[CFG] <con1|31> proposal matches
charon 15[CFG] <con1|31> selecting proposal:
charon 15[IKE] <con1|31> IKE_SA con1[32] state change: CREATED => CONNECTING
charon 15[IKE] <con1|31> 192.168.10.146 is initiating an IKE_SA
```

Seems to be rekeying now.
```
./iperf3 -c IPADDR -P 4 -f m -d -t 22 -O 2 -i 1
```

However:
```
charon 10[CFG] <con1|37> lease 172.23.152.1 by 'ikemaster' went offline
charon 10[IKE] <con1|37> IKE_SA con1[37] state change: DELETING => DESTROYING
charon 10[IKE] <con1|37> IKE_SA deleted
charon 10[ENC] <con1|37> parsed INFORMATIONAL response 2 [ ]
charon 10[NET] <con1|37> received packet: from 192.168.10.146[4500] to 192.168.10.100[4500] (88 bytes)
charon 10[NET] <con1|37> sending packet: from 192.168.10.100[4500] to 192.168.10.146[4500] (88 bytes)
charon 10[ENC] <con1|37> generating INFORMATIONAL request 2 [ D ]
charon 10[IKE] <con1|37> sending DELETE for IKE_SA con1[37]
charon 10[IKE] <con1|37> IKE_SA con1[37] state change: ESTABLISHED => DELETING
charon 10[IKE] <con1|37> deleting IKE_SA con1[37] between 192.168.10.100[XXXX]…192.168.10.146[ikemaster]
charon 10[IKE] <con1|37> activating IKE_DELETE task
charon 10[IKE] <con1|37> activating new tasks
charon 10[IKE] <con1|37> queueing IKE_DELETE task
```

It seems that pfSense itself queues and executes IKE_DELETE, and it happens both on macOS and MSW.
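The log excerpts in the post above show the pattern the thread title warns about: the initial Child SA negotiated inside IKE_AUTH carries no DH group (RFC 7296 allows no KE payload there, so the first Child SA's keys always derive from the IKE_SA), and only a CREATE_CHILD_SA rekey can add a fresh DH exchange. Whether that rekey actually contains a KE payload and a DH group is what "Enable Perfect Forward Secrecy" on the client controls. The following is an added example, not code from the post, pfSense or strongSwan: a small charon log checker that pairs each selected ESP proposal with the most recent IKE_AUTH or CREATE_CHILD_SA request for the same IKE_SA id and flags rekeys that ended up without a DH group. The sample log is constructed from the lines quoted above, reordered chronologically (pfSense's log viewer shows newest first); the IKE_AUTH line for con1|37 and the whole con1|40 rekey are constructed, not from the post.

```python
import re

# Constructed sample log in chronological order (pfSense shows newest first; reverse
# the lines before feeding a pasted excerpt in). con1|37 and con1|32 follow the post
# above; the IKE_AUTH request line and the con1|40 rekey are constructed here to show
# a client that rekeys with PFS disabled (no KE payload, no DH group in the proposal).
SAMPLE_LOG = """\
charon 05[CFG] <31> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
charon 11[ENC] <con1|37> parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr ]
charon 11[CFG] <con1|37> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
charon 11[CFG] <con1|37> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 11[CFG] <con1|37> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
charon 10[ENC] <con1|32> parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
charon 10[CFG] <con1|32> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 10[CFG] <con1|32> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 10[CFG] <con1|32> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_384/NO_EXT_SEQ
charon 12[ENC] <con1|40> parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
charon 12[CFG] <con1|40> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

# "<con1|37> parsed IKE_AUTH request 1 [ ... ]": which exchange a given IKE_SA is processing
# and which payloads the peer sent (KE present means the peer performed a DH exchange).
REQUEST_RE = re.compile(
    r"<(?P<sa>[^>]+)> parsed (?P<exchange>IKE_AUTH|CREATE_CHILD_SA) request \d+ \[ (?P<payloads>[^\]]*)\]"
)
# The ESP proposal charon settled on for that IKE_SA.
SELECTED_RE = re.compile(r"<(?P<sa>[^>]+)> selected proposal: ESP:(?P<algs>\S+)")
# DH group names as strongSwan prints them in proposals (MODP_2048, ECP_384, CURVE_25519, ECP_256_BP).
DH_GROUP_RE = re.compile(r"^(MODP_\d+(_\d+)?|ECP_\d+(_BP)?|CURVE_\d+)$")


def dh_groups(algs):
    """DH groups contained in a proposal's algorithm list; empty means no key exchange."""
    return [a for a in algs if DH_GROUP_RE.match(a)]


def child_sa_pfs_report(log_text):
    """Walk a chronological charon log and classify every selected ESP proposal.

    Returns one dict per selected ESP proposal with the IKE_SA id, the exchange it
    belongs to, whether the peer sent a KE payload, the negotiated DH groups, and
    pfs_missing, which is True only for a CREATE_CHILD_SA that ended with no DH group
    (the initial IKE_AUTH Child SA never has one, by protocol design).
    """
    last_request = {}  # IKE_SA id -> (exchange, payload list) of its most recent request
    report = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            last_request[m.group("sa")] = (m.group("exchange"), m.group("payloads").split())
            continue
        m = SELECTED_RE.search(line)
        if not m:
            continue
        sa = m.group("sa")
        exchange, payloads = last_request.get(sa, ("UNKNOWN", []))
        groups = dh_groups(m.group("algs").split("/"))
        report.append({
            "sa": sa,
            "exchange": exchange,
            "ke_payload": "KE" in payloads,
            "dh": groups,
            "pfs_missing": exchange == "CREATE_CHILD_SA" and not groups,
        })
    return report


if __name__ == "__main__":
    for entry in child_sa_pfs_report(SAMPLE_LOG):
        verdict = "REKEY WITHOUT PFS" if entry["pfs_missing"] else "ok"
        print(f"{entry['sa']}: {entry['exchange']} dh={entry['dh'] or 'none'} "
              f"ke_payload={entry['ke_payload']} -> {verdict}")
```

Run against a real pfSense IPsec log, the only entries worth acting on are those with pfs_missing set: they identify clients whose rekeys reuse IKE_SA keying material, which is the iOS/macOS profile setting the post describes. The IKE_AUTH entries will always show dh=none, so a checker that flags every ESP proposal without a DH group would produce a false positive for every connection.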
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.