• IPSec between pfSense & m0n0wall

    1
    0 Votes
    1 Posts
    724 Views
    No one has replied
  • IpSec doesn't work anymore when behind router

    1
    0 Votes
    1 Posts
    623 Views
    No one has replied
  • IPSec - Site-to-site (with XAuth?)

    1
    0 Votes
    1 Posts
    784 Views
    No one has replied
  • Need advice or help with IPSec routing setup

    1
    0 Votes
    1 Posts
    473 Views
    No one has replied
  • Asymmetric routing problem with 1:1 NAT and IPSEC VPN

    7
    0 Votes
    7 Posts
    1k Views
    S
    How come I can do that on Fortinet for instance? I just create my IPSEC VPN with the 10.0.44.128/25 P2 and a VIP 10.0.44.129, make it point to an IP from any local network and it works. Is this behaviour non-standard? I guess I could use OpenVPN instead, right?
  • IPSec Mobile GUI doesn't allow Hybrid + Xauth in 2.3.2-p1

    3
    0 Votes
    3 Posts
    905 Views
    jimpJ
    Confirmed, just pushed a fix https://redmine.pfsense.org/issues/7258
  • Limiting External Connections to IPSEC VPN

    1
    0 Votes
    1 Posts
    501 Views
    No one has replied
  • IPSec tunnel working, but no ping or DNS

    4
    0 Votes
    4 Posts
    835 Views
    dotdashD
    DNS should work if you allow UDP. Not sure what your issue was, but at least it works now.
  • Connect to IPSec and local addresses work, but no websites? (OS X)

    3
    0 Votes
    3 Posts
    692 Views
    G
    Negative, pinging/attempting to access other sites by IP address fails as well so doesn't seem to be a DNS issue.
  • From 2.1.5 to Latest 2.3.2-RELEASE-p1

    2
    0 Votes
    2 Posts
    998 Views
    P
    I wanted to add that when you do the IPSEC configuration with Shrewsoft, the first time you connect there is no routing or can't access internal network. What I had to do was to change the VIRTUAL ADDRESS POOL IP Address to something different for the clients to properly connect. After the change, I was then able to reconnect and ping / access internal resources. It seems like a bug, but after applying IPSEC / Shrewsoft VPN, this is the method that worked every time.
  • What kind of IPSEC proposal is this?

    2
    0 Votes
    2 Posts
    1k Views
    R
    NM - Deleted and re-wrote same phase 1 and matching config is found.
  • Valid configuration for IKEv2 VPN for iOS and OSX WITH PSK

    6
    0 Votes
    6 Posts
    2k Views
    S
    The client should have logs.  I dunno about iOS, but in macOS you should see stuff in Console.app.
  • Clarifications for certificates for IKEv2+MSCHAP

    2
    0 Votes
    2 Posts
    686 Views
    S
    Well, I finally have my VPN mostly working. It seems the answers to #1 are yes and yes. But I'd still like to know about #2. I have two 'A' records for my public IP and using one of them for my certificate allows the VPN to work, but using the other it doesn't. I don't understand that.
  • IPSec VPN cert on iOS 10

    1
    0 Votes
    1 Posts
    624 Views
    No one has replied
  • PfSense 2.3.2 <-> Juniper FW

    2
    0 Votes
    2 Posts
    1k Views
    C
    Problem found by myself. It is unbelievable but the ipsec process was a zombie. I cannot restart the service via webgui even on the command shell with the php script. I needed to kill the process and start it again via webgui. Now the vpn is up and running.
  • IKEv2 with MS-EAP disconnects after 20-30mins

    4
    0 Votes
    4 Posts
    1k Views
    L
    Looks like this one BTW: https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/vpn-disconnect-after-1-minute-of-inactivity/3f21310c-d1db-4816-81b1-670fb2c614b2
  • Suddenly mobile clients can't connect via IPSec

    3
    0 Votes
    3 Posts
    3k Views
    M
    Thank you for your answer. Unluckily we were already using the User Manager - IPSEC XAuth VPN method as described in your link. So the problem still exists. You are absolutely right. Shrew is one of the best IPSEC Clients out there. It seems that my problem comes from the change of racoon to strongswan. It is strange that my config worked for months and suddenly broke down. We were also standardized in IPSEC, but my only chance was to enable OpenVPN as a workaround. Our Site2Sites are still on IPSEC. But our mobile part in our main office changed to OpenVPN and routes traffic in every branch office via IPSEC. Till now this is working very well, but I will go back to IPSEC once I have a solution for my problem.
  • Slow IPsec and slightly faster OpenVPN

    8
    0 Votes
    8 Posts
    3k Views
    I
    Sorry for my late response. I had some unexpected, personal leave.
    1. MSS clamping: I tried a range of values from 1000 to 1500 -> no meaningful change, i.e. low and fluctuating speeds
    2. Phase 2 encryption: I tried all values of AES-GCM again, no meaningful change, i.e. low and fluctuating speeds
    3. Turning off hash algorithms: Do you mean in Phase 2 only? Hash algorithms cannot be turned off, so I chose SHA1
    4. powerd: this is set to Enabled and hi-adaptive in all contexts
    I will have another connection available in a few days and will be able to test using virtual endpoints, using the community edition, instead, running server-class CPUs. Thanks for your assistance.
  • IPSec & Android devices

    3
    0 Votes
    3 Posts
    2k Views
    JKnottJ
    I see IKEv2 came out in 2005, which is before when Android first appeared. I'm surprised that they'd go with something that's already obsolete. However, I was wondering if anyone had configuration examples to get it going, as I don't seem to be able to. I have set up IPSec VPNs previously, on Adtran routers, but pfSense seems completely different.
  • [SOLVED] Routing (NAT) OpenVPN traffic to (multiple) IPSec

    4
    0 Votes
    4 Posts
    2k Views
    maxxerM
    Solved. After some more debugging and digging into pfSense sources I found out that for IKEv2 in some cases the Split connections option in P1 is required. After enabling this option I was able to access the tunnel from the OpenVPN subnet!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.