• PfSense 2.3.2 : L2TP - no matching CHILD_SA config found

    11
    0 Votes
    11 Posts
    10k Views
    M
    Is it a bug? I don't think so. The FreeBSD kernel just drops packets with a bad checksum. This is a problem with NAT. So maybe ignoring the checksum would be a nice-to-have feature, but in this case you must manually put a registry key into Windows: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent AssumeUDPEncapsulationContextOnSendRule dword:2. And you can't be sure that it will work on other devices (iOS, Android with a specific version, MacOSX etc.). So, I surrender and I will have a public IP directly on pfSense. Max PS: I think that many people use pfSense for IPSEC (IPSEC works very nicely behind NAT) and many people know the NAT problems, so I think that many users use a public IP on pfSense.
  • 0 Votes
    7 Posts
    2k Views
    D
    Hello Jimp, you were right, I bought some new hardware using Intel network cards. It has been up for 2 days with no problem. I hope it stays that way… it was sooooo frustrating. Thank you very much.
  • Internet over IPsec not work

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Make sure your firewall rule on the IPsec tab allows all protocols (or at least both TCP and UDP) to a destination of */any, and also check your outbound NAT to be sure the source network used by the mobile clients is covered.
  • IP not showing as VPN IP but mobile phones IP

    5
    0 Votes
    5 Posts
    1k Views
    B
    Sadly that did not work. I seem to still show the IPv6 address that T-Mobile is providing. I found a site that shows an IPv4 address and it is not my VPN server's IP address either. I can see the IPv4 addressed machines on my local network when the VPN connects. I will say I am puzzled.
  • MOVED: IPsec does not establish in phase 2

    Locked
    1
    0 Votes
    1 Posts
    505 Views
    No one has replied
  • Radius Issue

    1
    0 Votes
    1 Posts
    635 Views
    No one has replied
  • OpenVPN client talking to IPSec tunnels?

    8
    0 Votes
    8 Posts
    6k Views
    M
    After passing all the screen captures I restarted both sides and it is working. Please, I would like the administrator of this forum to lock this part for those who need help with the same subject in the future. Thanks, Derelict.
  • Show Config

    3
    0 Votes
    3 Posts
    7k Views
    jimp
    If you just want IPsec, you can find that in /var/etc/ipsec/ipsec.conf in the format used by strongSwan.
  • VPN Help

    2
    0 Votes
    2 Posts
    979 Views
    jimp
    The only way to accomplish that is to have a Phase 2 entry that looks like: Local Network: Address, <server IP address> Remote Network: 0.0.0.0/0. And the other end would have the opposite settings. Then anything/everything to/from that server that passes through the firewall will be sent over the VPN. I have to say though, hosting a game server on the other side of a VPN is going to be awful for latency. That isn't likely to give you good performance, though I suppose that depends on the game.
  • IKEv2 with EAP-Radius

    2
    0 Votes
    2 Posts
    2k Views
    A
    Solved! I forgot to change the authentication-mode to eap-radius :P. After the change and a reboot it works now!!!! ;D Best regards
  • AWS VPC BGP IPsec Problems

    2
    0 Votes
    2 Posts
    2k Views
    A
    I figured this out by purchasing a 2220 and copying the config from the wizard. Unfortunately, 2.3 apparently doesn't work with IPSec and BGP so this is a no-go.
  • IPSEC + DNS Resolver/Domain Override + Static Route [ Solved ]

    4
    0 Votes
    4 Posts
    2k Views
    F
    Hi, I am having the same issue except changing the DNS resolver doesn't help at all. I am running 2.3.2 and in order for our VPN clients to resolve LAN DNS we have to manually add DNS to their network interface (wifi or eth)… Adding DNS to the VPN connection didn't help. I have tried all suggestions I found in the forums, but no setting on the pfSense would work. Is yours still working?
  • Is there any working site-to-site ipsec config?

    19
    0 Votes
    19 Posts
    6k Views
    Derelict
    AES-GCM in a child SA provides authenticated encryption and therefore does not require a separate authentication/hash step (like SHA1/SHA256) and will therefore perform better especially with AES-NI enabled. I personally believe that AES-128 is perfectly acceptable in almost all circumstances but you will not likely notice a difference between AES-128 and AES-256 so why not… So, yes, I like the settings I used in this example. That's why I used them. :)
  • Weird MSS issue

    1
    0 Votes
    1 Posts
    837 Views
    No one has replied
  • Site to Site VPN setup Azure

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • No local DNS on IPSec

    14
    0 Votes
    14 Posts
    7k Views
    T
    @Tramii: @mattbodman: Ok, so I have a mobile tunnel setup which works great, except that even though the DNS settings issued by the IPSec tunnel are correct, no local hosts will resolve. I just had this issue yesterday.  I set up an IPsec VPN and everything worked fine except DNS resolution.  I could ping things by IP but not by name.  Pulled my hair out for hours trying to resolve it.  Finally, I rebooted the pfSense box out of frustration.  That worked.  No idea why, but it did.  I replicated the issue just to verify.  Deleted the VPN setup and recreated it.  Had the same DNS issue.  Rebooting the router fixed it.  Works great now.  No idea why, but maybe it will work for you too? Thanks for posting; I know this is an older thread but this was the answer I needed. Maybe it would have worked to restart the DNS Resolver as well, but rebooting the router fixed this issue for me.
  • PfSense 2.3.2 Ipsec site to site ok but can't access LAN

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How does strongswan route?

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    It still works the same way, except there is a bypass for the LAN network itself. Otherwise it still matches based on the contents of the SPD table (Status > IPsec, SPD tab). If a connection matches the SPD table entries, it's put into IPsec. There is no "routing" in the classical sense.
  • Large data transfers stalling over VPN

    11
    0 Votes
    11 Posts
    4k Views
    0
    I think you can forget about me, it looks like it's a problem with our network and not pfSense. Sorry for wasting your time, I feel embarrassed for not working this out before manically posting here.
  • IPSec IKEv2 Connection Succeeds but Can't Access LAN

    3
    0 Votes
    3 Posts
    1k Views
    S
    Aaaaand I had the firewall rule wrong. I was only allowing TCP across IPSec and then wondering why I couldn't ping anything or do DNS lookups. ::) Thanks for helping me check my work.