• Site2Site with mobile client connecting too

    1
    0 Votes
    1 Posts
    638 Views
    No one has replied
  • Ipsec starts flapping when I enable ipv6 on WAN

    1
    0 Votes
    1 Posts
    514 Views
    No one has replied
  • Packages not routed over IPSEC but going out on WAN

    11
    0 Votes
    11 Posts
    2k Views
    W
    SOLVED! After looking again I finally realised my phase 2 was 10.95.0.0/16 on one side and 10.95.00/23 on the other. That doesn't include 10.95.95.103... So it is going to WAN instead. I'll have a second look on TCP/IP for dummies :( Sorry for the waste of time. What surprises me highly though is that a phase 2 is established, even though there is a subnet mismatch. The SPD established is 10.95.00/23, likely because that fits in 10.95.0.0/16. I always understood that in case of a mismatch it would fail at all. In that case the cause was much more clear.
  • Ipsec ping works, http not

    3
    0 Votes
    3 Posts
    2k Views
    R
    Oh damn, this was the reason: Proxmox: IMPORTANT: Enter the web GUI and go in System > Advanced > Networking and flag Disable hardware checksum offload. If you don't do it, layer 3 traffic from LAN to WAN will not work, or will be really slow (but traffic to/from the firewall will work fine: see the pfSense wiki about VirtIO for details https://doc.pfsense.org/index.php/VirtIO_Driver_Support )
  • Which Correct MTU/MSS configuration

    3
    0 Votes
    3 Posts
    4k Views
    R
    By looking further, IPsec is generally not working well with NAT-T. I have many traffic drops, neither with multiple Phase 2, even if status shows tunnels online. Rebooting makes tunnels work again for some time. I have changed NAT-T tunnels with OpenVPN as I'm 100% pfSense on remote sites, since it works much better. I just have trouble when rebooting the server. I'll make a topic. Regards
  • Poor IPSEC performance

    1
    0 Votes
    1 Posts
    977 Views
    No one has replied
  • IPSEC in a failover setup.

    2
    0 Votes
    2 Posts
    530 Views
    dotdashD
    The backup node will not try to connect any tunnels until it switches to master.
  • IPSec just stopped working, no changes, not sure why.

    2
    0 Votes
    2 Posts
    856 Views
    DerelictD
    Yeah that is one second of logs that shows charon not taking action because it is waiting for another action to complete, which is perfectly normal. Going to need more logs than that. Set IKE SA, IKE Child SA, and Configuration backend logging to Diag and post them up. Sounds like an ISP might have done something.
  • Any way to use IPsec with macOS / iOS in main mode?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site-to-Site VPN: accept shared key for any IP

    3
    0 Votes
    3 Posts
    848 Views
    C
    @mikee: Hi. You are requesting to configure a dynamic endpoint. You should be able to achieve this by using 0.0.0.0 as the IP of the remote endpoint. This should allow ANY remote IP to connect. Anyway with this value the tunnel will only be able to be started from the remote side because we (the local side) do not know where to talk to. The VPN will be down until traffic from the remote side fires the VPN up. Cheers. How could I miss that, thank you very much!
  • Tunnel's failing to initialise on traffic

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • Mobile Warrior IPSEC VPN works with Android not with Shrewsoft

    4
    0 Votes
    4 Posts
    1k Views
    W
    Thank you, much appreciated. I'll continue to plug along. My mobile phone has stopped connecting now for some reason, nothing in any settings has changed, just not connecting. Rebooted pfSense, but no joy. When I have time, I'll look further into it. Thank you Willo
  • IPSEC between 2 pfsense 2.3.2 failed in Phase 1

    2
    0 Votes
    2 Posts
    2k Views
    M
    The logs are showing an authentication failure.
  • 0 Votes
    2 Posts
    2k Views
    M
    When you use certificates to validate a VPN the remote side must have a way to validate the received certificate, so you must have the public key of the sender CA installed on it. Have you installed the certificate of the CA on the remote side?
  • Mobile IPSEC 2.3.2_1 routing problem?

    2
    0 Votes
    2 Posts
    854 Views
    M
    For the community to be able to know if you missed something, perhaps you could first post what your actual config is... From what you say it looks like you have a hub mode config: ALL traffic is sent to the VPN when connected. But again, post your config or we are all blind.
  • IPSEC site to site from multiple VLANs to same remote network

    2
    0 Votes
    2 Posts
    2k Views
    M
    Try to create two phase 1 entries, each one with a single phase 2. I know that the public end-point IPs are going to be the same in either system, but the latest version of pfSense looks like it does not bother about that. I had to split a multi-phase 2 VPN connection just to be able to communicate two nets on one side of the VPN with one on the other (same as you are trying to do) just because the config of one of them was not the standard (it was a catch-all). Maybe mixing tagged (VLAN) and non-tagged traffic does not do good to the latest version too.
  • IPSec: pfSense - Fritzbox routing question

    2
    0 Votes
    2 Posts
    826 Views
    M
    Hi Mat. You can set the firewall rule as you like. You do not need to use an 'allow any any'. In the IPsec tab you can write the rules you want. If you want only service 53 to pass through between net a and net b, you can write a rule that only allows traffic from a:53 (or whatever) to b:53. It is the same as any other firewall rule. Regards.
  • Can PFSense support "Encryption Domains"?

    4
    0 Votes
    4 Posts
    2k Views
    M
    Hi Ian. The peer local network is the private network(s) behind the REMOTE crypto endpoint (thus the use of the 'peer' term). You build a VPN between two endpoints, the local and the peer. Maybe the use of 'peer' is not fully correct (because you build the VPN link between two peers) but the sense is that I am referring here to the remote side of the VPN. It usually includes the internal IP where the pfSense belongs to, but not necessarily, and it can include other networks behind that of the pfSense itself (local networks that are further than the one of the pfSense). You do not need to limit the encryption domain to the pfSense net. Your phase 2 cannot be as you describe because both belong to the same network: 10.0.100.11 is included in the 10.0.100.0/24 network. If the local net is 10.0.100.0/24 and the remote net is 10.0.200.0/24 then you can build a VPN between them. If they are the same network you need to apply source NAT translation to one of the networks. pfSense does this via the NAT/BINAT translation field. Cheers.
  • IPSec Setup broken after Update to iOS 10.2 and Mac OS 10.12.2

    6
    0 Votes
    6 Posts
    3k Views
    D
    I had to replace the certificate chain. Old CA Name: smplyCA CN=smply-ca New CA Name: firewall.mydomain.de CN: firewall.mydomain.de Old Server Cert: Issuer: smplyCA CN: firewall New Server Cert: Issuer: firewall.mydomain.de CN: firewall.mydomain.de Then I made a mobile config profile with Apple Configurator with both certificates as a payload, removed the old profile, installed the new one, and the VPN works again.
  • Virtual ip not accessible by ipsec

    1
    0 Votes
    1 Posts
    967 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.