If I stop every ipsec connection and restart it yes. I see phase 1 and 2. Now I can say after 48 hours the vpn connection will crash. Yesterday I got these error messages: <con2 40="">failed to establish CHILD_SA, keeping IKE_SA After every reboot I have a error message: Crash report begins.  Anonymous machine information: amd64 10.3-RELEASE-p9 FreeBSD 10.3-RELEASE-p9 #1 5fc1b19(RELENG_2_3_2): Tue Sep 27 12:26:06 CDT 2016    root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense Crash report details: PHP Errors: [02-Dec-2016 04:01:23 Europe/Berlin] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20131226/suhosin.so' - /usr/local/lib/php/20131226/suhosin.so: Undefined symbol "ps_globals" in Unknown on line 0 at the moment I fixed my problem with a cron job. Every night at 4 a clock the the firewalls will reboot but this couldn`t be a solution.</con2>

OK, I solved it. All indications on this error message were to do with a mismatch between the Radius settings in pfsense and the Radius client in NPS. No amount of changing the settings worked UNTIL, I rebooted the pfsense. I got the idea from a post I found about Watchguard firewalls (go figure! bsd based?) where you have to reboot the unit to effect changes to radius settings. After rebooting and adjusting my NPS Connection and Network Policies, the VPN connects and authenticates using domain credentials. One tip for anybody with Wireless Access Points authenticating to the same NPS. Create separate policies for IKEv2  auth and use the condition 'Client Friendly Name' and set this to same value as your Distinguished Name in the phase I settings. This will differentiate it from either your default or WifI PEAP policy and use MSCHAPv2 authentication.

had this some times with SSGs if i allow them to choose between multiple proposes. it worked for me after i set up only one Proposal on both sites so the don't need to negotiate for this.

I can't offer much in the way of support but I have noticed similar issues with IOS -> pfsense.

That looks like the other side is not sending traffic. Hence my questions about what is on the other side and what the makeup of the phase 2s is. No idea what could be wrong. I would be guessing. Show everything.

This problem still exists. Pls help me.

In order to get the spare public IP on the pfsense box I am thinking of moving the outside interface into a l2 vlan. However my cisco ASA is doing the PPoE to the ISP I am sensing that the routing from this secondardy link isnt going to work. I could maybe use the pfsense box to do the PPoE couldnt I?

Indeed. But this post is not in direct line with my initial issue as the remote IP is not my router https://forum.pfsense.org/Smileys/default/wink.gif

Setting IKE SA, IKE Child SA, and Configuration Backend from Control to Diag in VPN > IPsec, Advanced should give you more information in those logs.

@AxSD: I followed this guide too but it does not seem to work for OS X: https://doc.pfsense.org/index.php/L2TP/IPsec So if I did not buy a pre-built unit from you guys, how can I mimic this exporter feature? it works fine with OS X and macOS. just make sure that you configure the floating rule mentioned at the bottom (troubleshooting)!

Thank you! That worked.

Thank you Derelict, this is ok when ASA terminates the tunnel, but why only after 30Min and not after 10Min as i set the tunnel? And is it normal that pfsense sends the keep alive?