• Release 2.3.2-P1 compatibility

    2
    0 Votes
    2 Posts
    627 Views
    I have updated all sites now with the latest version. Unfortunately some IPsec tunnels are operational, others are not. The strange thing is that after restarting the IPsec service a few times I lost some connections that were active and cannot get them back without any changes in the configuration. Very strange.
  • Exposing ipsec routes

    Locked
    3
    0 Votes
    3 Posts
    825 Views
    IPsec does not route. The kernel looks for traffic matching SPD entries and places it into IPsec when a match is found. To view the SPD contents, look at Status > IPsec, SPDs tab. Thank you, that clarifies why it doesn't show up as a route.
  • Ikev2 Mobile Clients

    2
    0 Votes
    2 Posts
    789 Views
    jimp
    That's all up to the client. They will either send all or send none. You can set up custom routing with PowerShell commands on the client side to nudge additional networks over; the server can't influence that.
  • So can I do this?

    3
    0 Votes
    3 Posts
    715 Views
    Well, the reason I ask is because on another thread I discovered I couldn't NAT the GRE tunnel to one of my spare IP addresses behind my ASA. So I thought I had better double check here.
  • SSH connections over IPSec hang: how to configure MTU for IPSec properly?

    5
    0 Votes
    5 Posts
    7k Views
    In the end we worked around this and changed the MTU of the target machines (SSH servers), as we can afford the MTU change there (unlike on pfSense).
  • SG-1000 IPsec Road Warrior Issues

    3
    0 Votes
    3 Posts
    988 Views
    jimp
    https://redmine.pfsense.org/issues/6937
  • 0 Votes
    2 Posts
    2k Views
    FYI the PowerShell for Windows 10 adds it to the pbk (phone book) file for the VPN, not to the computer itself, so once you add it you can deploy the pbk out with Group Policy if you wish.
  • Multiple/rogue SADs

    5
    0 Votes
    5 Posts
    1k Views
    Problem solved. In the remote branch there was another device (Sophos XG105) connected to the internet with a buggy 4G connection… This device was set up with the same parameters (IPsec initiator) as the pfSense box and was sometimes (no idea when/why) connecting to the main XG appliance. The message in the log (main XG appliance) is: "System received a P2 connexion request whose Localsubnet-Remotesubnet configuration conflicts with that of an already established connexion "XXXX-1". System is terminate connection "XXXX-1" to honor the incoming request." That message led me to think there was an issue on the pfSense box, trying to start several tunnels. It was (obviously) not the case; it was another device... Once that other device is shut down, the problem is solved.
  • IPSec One Way Communication… Sorta

    8
    0 Votes
    8 Posts
    2k Views
    Thanks again, your explanation makes a lot of sense and matches up against my symptoms and config. I've been working a lot with MikroTiks which require manually setting block rules. When I didn't see the block rules in the pfSense GUI, I was just filling them in. That's my excuse and I'm sticking with it! Thanks again.
  • 2.3.2-RELEASE-p1 (amd64) PSK issues

    2
    0 Votes
    2 Posts
    873 Views
    Any ideas? Prior to the update, racoon didn't lead with the %any in the PSK file.
  • Transport mode comes up and GRE goes down.

    10
    0 Votes
    10 Posts
    4k Views
    But you are not able to route OSPF over the IPsec P2 tunnel, are you?
  • Mobile IPSEC IKEv2 NAT to Site to Site IPSEC?

    1
    0 Votes
    1 Posts
    608 Views
    No one has replied
  • Mobile Client + Site to Site Tunnel

    1
    0 Votes
    1 Posts
    517 Views
    No one has replied
  • L2TP over IPsec - traffic from LAN -> L2TP being dropped

    8
    0 Votes
    8 Posts
    7k Views
    Derelict
    Looks like when you corrected it and saved again (and reloaded the rule set) it started working. Logging has no bearing on what traffic is or is not passed.
  • GRE Tunnel between branch and Datacenter

    2
    0 Votes
    2 Posts
    645 Views
    Can I bump this topic to the top and check that I am in the correct forum?
  • IPSec VPN with Multiple Remote IPs

    3
    0 Votes
    3 Posts
    958 Views
    I have done something similar before, except I created the phase 1 and phase 2 as if they were completely normal using the full /24 LAN subnet, but then on the IPsec firewall rules tab I did not create an any:any rule. I just created a rule for the specific IP address(es) that were allowed to access the tunnel.
  • pfSense 2.2.5 - Redundancy with IPSEC

    2
    0 Votes
    2 Posts
    1k Views
    I don't know if this helps you, but we are doing IPsec redundancy with a CARP cluster on each side and we bind the IPsec tunnel to the CARP VIP, so if one system goes down the other system automatically kicks in and rebuilds the tunnel. This obviously works only if you own continuous IP subnets on the WAN interfaces (we are using a dual LWL WAN connection from Provider A, which also provides the copper SDSL backup connection to our datacenter over Provider B, so they move the IP network from their side over to the backup connection). Not sure if this is possible on your side. Hope this helps anyway.
  • Static routing to IPsec tunnel

    6
    0 Votes
    6 Posts
    9k Views
    Actually it is working in the constellation where I have a direct connection to another pfSense appliance and a GRE tunnel over WAN to the same appliance; both connections are configured within a gateway group, and I got them up and running and failing over as long as I do not activate the IPsec transport tunnel. If I activate the IPsec tunnel, traffic gets blocked somewhere but I do not see where. If I tear the tunnel down everything is working as expected. Thought about some kind of a triangle route, but the transport IPsec tunnel is similar to an L2 connection, so I do not get why it should interfere with my routing… I am really banging my head about this... Thought about using pfSense as a large scale hub and spoke WAN to connect several branch offices together, but this would be a PITA if this simple GRE / IPsec connection is so difficult to get up and running.
  • IKEv2 pfSense - Cisco ASA goes down after about 24 hours

    3
    0 Votes
    3 Posts
    3k Views
    @ljorgensen: Is it a rekeying issue (the lifetime of both P1 and P2s is 86400 seconds)? Dug around in the logs and found some tidbits. This is where it starts to go wrong:
    ```
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3> initiator did not reauthenticate as requested
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3> reauthenticating IKE_SA con2000[3] actively
    ```
    After that the ASA end seems to try to reestablish P2s:
    ```
    Dec  2 16:00:50 10.12.4.21 charon: 11[NET] <con2000|4> received packet: from 130.225.247.66[500] to 130.226.230.200[500] (438 bytes
    Dec  2 16:00:50 10.12.4.21 charon: 11[ENC] <con2000|4> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4> received Cisco Delete Reason vendor ID
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4> received Cisco Copyright (c) 2009 vendor ID
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4> received FRAGMENTATION vendor ID
    ```
    These keep coming forever, incrementing the number after the pipe, e.g. "<con2000|3657>", until everything stops working and I restart the IPsec services. Looks like this:
    ```
    Dec  5 09:29:49 10.12.4.21 charon: 03[NET] <con2000|4906> received packet: from 130.225.247.66[500] to 130.226.230.200[500] (438 by
    Dec  5 09:29:49 10.12.4.21 charon: 03[ENC] <con2000|4906> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V
    Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906> received Cisco Delete Reason vendor ID
    Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906> received Cisco Copyright (c) 2009 vendor ID
    Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906> received FRAGMENTATION vendor ID
    ```
    At that point I also get a lot of these:
    ```
    Dec  5 08:50:01 10.12.4.21 charon: 12[KNL] <con2000|4843> unable to query SAD entry with SPI 9c8aeb8c: No such file or directory (2)
    Dec  5 08:50:01 10.12.4.21 charon: 12[KNL] <con2000|4843> unable to query SAD entry with SPI 6b3a845f: No such file or directory (2)
    ```
  • IPsec site to site to checkpoint UTM drops every few minutes

    2
    0 Votes
    2 Posts
    970 Views
    Anyone? Ideas maybe?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.