• PfSense 2.3.2 - problem with multiple phase2 in one connection

    0 Votes
    3 Posts
    2k Views

    Config on my side (OpenWrt) was made by me; I prefer to make networks as separate SAs because managing them is better for me.

    Split connection is OK - after this it works well, but the status is strange (status attached).

    The main connection shows as disconnected, but a new one appears without a name and this new one has the SA.


  • 0 Votes
    7 Posts
    4k Views

    As I mentioned above, I have completely removed and re-added the configuration at both ends.

  • AWS Wizard fails with: Call to undefined function install_package()

    0 Votes
    3 Posts
    731 Views

    Thanks, through the process of trying to figure out how to get a connection to AWS, we installed the OpenBGP package then retried the wizard.  Voila, it worked!

    We saw no errors anywhere else in the interface and the system is very stable.  This router is our main gateway for the company, so resetting would be a major PIA.

    So, while we're working now after installing that package, I don't know if that package is required for the AWS Wizard to work or if the process to install that package corrected the pkg-utils.inc issue.

  • Split Tunnel with L2TP over IPSec in pfSense

    0 Votes
    2 Posts
    2k Views
    jimp

    No, there is no mechanism in L2TP for this – It's 100% up to the client. You can probably script some routing to happen on connect on the client side, but the firewall (or any L2TP server) can't send routes.

  • PfSense 2.3.2 : L2TP - no matching CHILD_SA config found

    0 Votes
    11 Posts
    10k Views

    Is it a bug? I don't think so. The FreeBSD kernel just drops packets with a bad checksum. This is a problem with NAT.
    So maybe ignoring the checksum would be a nice-to-have feature, but in this case you must manually put a registry key into Windows:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
    AssumeUDPEncapsulationContextOnSendRule dword:2

    And you can't be sure that it will work on other devices (iOS, Android with specific versions, macOS, etc.).

    So, I surrender and I will have a public IP directly on pfSense.

    Max

    PS: I think that many people use pfSense for IPsec (IPsec works very nicely behind NAT) and many people know the NAT problems, so I think that many users use a public IP on pfSense.

  • 0 Votes
    7 Posts
    2k Views

    Hello jimp,

    You were right,

    I bought some new hardware using Intel network cards. It has been up for 2 days with no problem.

    I hope it stays that way... it was sooooo frustrating.

    Thank you very much

  • Internet over IPsec does not work

    0 Votes
    2 Posts
    1k Views
    jimp

    Make sure your firewall rule on the IPsec tab allows all protocols (or at least both TCP and UDP) to a destination of */any, and also check your outbound NAT to be sure the source network used by the mobile clients is covered.

  • IP not showing as VPN IP but mobile phones IP

    0 Votes
    5 Posts
    1k Views

    Sadly that did not work.

    I seem to still show the IPv6 address that T-Mobile is providing. I found a site that shows an IPv4 address, and it is not my VPN server's IP address either.

    I can see the IPv4 addressed machines on my local network when the VPN connects.

    I will say I am puzzled.

  • MOVED: IPsec does not complete phase 2

    Locked
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Radius Issue

    0 Votes
    1 Posts
    600 Views
    No one has replied
  • OpenVPN client talking to IPSec tunnels?

    0 Votes
    8 Posts
    5k Views

    After passing all the screen captures,
    I restarted both sides and it is working.
    Please, I would like the administrator of this forum to lock this part for whoever needs help on the same subject in the future.
    Thanks Derelict.

  • Show Config

    0 Votes
    3 Posts
    6k Views
    jimp

    If you just want IPsec, you can find that in /var/etc/ipsec/ipsec.conf in the format used by strongSwan.

  • VPN Help

    0 Votes
    2 Posts
    923 Views
    jimp

    The only way to accomplish that is to have a Phase 2 entry that looks like:

    Local Network: Address, <server IP address>
    Remote Network: 0.0.0.0/0

    And the other end would have the opposite settings. Then anything/everything to/from that server that passes through the firewall will be sent over the VPN.

    I have to say though, hosting a game server on the other side of a VPN is going to be awful for latency. That isn't likely to give you good performance, though I suppose that depends on the game.

  • IKEv2 with EAP-Radius

    0 Votes
    2 Posts
    2k Views

    Solved!

    I had forgotten to change the authentication-mode to eap-radius :P.
    After the change and a reboot it works now!!!! ;D

    best regards

  • AWS VPC BGP IPsec Problems

    0 Votes
    2 Posts
    2k Views

    I figured this out by purchasing a 2220 and copying the config from the wizard. Unfortunately, 2.3 apparently doesn't work with IPSec and BGP so this is a no-go.

  • IPSEC + DNS Resolver/Domain Override + Static Route [ Solved ]

    0 Votes
    4 Posts
    2k Views

    Hi, I am having the same issue, except changing the DNS resolver doesn't help at all.  I am running 2.3.2, and the only way for our VPN clients to resolve LAN DNS is by manually adding DNS to their network interface (wifi or eth)... Adding DNS to the VPN connection didn't help.

    I have tried all suggestions I found in the forums, but no setting on the pfSense would work.

    Is yours still working?

  • Is there any working site-to-site IPsec config?

    0 Votes
    19 Posts
    6k Views
    Derelict

    AES-GCM in a child SA provides authenticated encryption and therefore does not require a separate authentication/hash step (like SHA1/SHA256) and will therefore perform better especially with AES-NI enabled.

    I personally believe that AES-128 is perfectly acceptable in almost all circumstances but you will not likely notice a difference between AES-128 and AES-256 so why not…

    So, yes, I like the settings I used in this example. That's why I used them. :)

  • Weird MSS issue

    0 Votes
    1 Posts
    804 Views
    No one has replied
  • Site to Site VPN setup Azure

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • No local DNS on IPSec

    0 Votes
    14 Posts
    7k Views

    @Tramii:

    @mattbodman:

    Ok, so I have a mobile tunnel setup which works great, except that even though the DNS settings issued by the IPSec tunnel are correct, no local hosts will resolve.

    I just had this issue yesterday.  I set up an IPsec VPN and everything worked fine except DNS resolution.  I could ping things by IP but not by name.  Pulled my hair out for hours trying to resolve it.  Finally, I rebooted the pfSense box out of frustration.  That worked.  No idea why, but it did.  I replicated the issue just to verify.  Deleted the VPN setup and recreated it.  Had the same DNS issue.  Rebooting the router fixed it.  Works great now.  No idea why, but maybe it will work for you too?

    Thanks for posting; I know this is an older thread but this was the answer I needed. Maybe it would have worked to restart the DNS Resolver as well, but rebooting the router fixed this issue for me.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.