• IPSEC VPN with Draytek Router

    3
    0 Votes
    3 Posts
    2k Views
    U

    I think I have found the issue.

    Default in IPSEC / Advanced Settings the option "Configure Unique IDs as" is set to yes.

    Changed this to no and restarted the VPN and now traffic is working again. Previously with "Configure Unique IDs as" set to yes the only way to get traffic flowing again would be to reboot the pfSense box.

  • Major performance issues ipsec 2.1.5 to 2.3.1 Help if possible????

    6
    0 Votes
    6 Posts
    3k Views
    K

    I just updated my NTP settings. Disabled time sync in the VM (pfSense 2.3) and rebooted.

  • [Solved/Patch] pfSense (dest) -> FritzBox -> Internet <- FritzBox (src)

    2
    0 Votes
    2 Posts
    1k Views
    H

    little update… did some modifications

    /etc/inc/vpn.inc

    1042 if (count($rightsourceips)) { 1043 $rightsourceip = "\trightsourceip = " . implode(',', $rightsourceips) . "\n"; 1044 } 1045 } + + if (isset($ph1ent['avmvirtualip'])) { + $rightsourceip = "\trightsourceip = {$ph1ent['avmvirtualip']}\n"; + } 1046  1047 if (!empty($ph1ent['caref'])) { 1048 $ca = lookup_ca($ph1ent['caref']); 1049 if ($ca) {
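
    Review bot: the added `isset($ph1ent['avmvirtualip'])` test is also true for an empty element, and the value is interpolated into the `rightsourceip` line without any validation, so an empty `<avmvirtualip>` would emit `rightsourceip = ` with no address, and a value containing a newline would add extra lines to the generated config. Use `!empty()` and check the value with `is_ipaddr()` or `is_subnet()` before writing it. Because the block sits after the closing brace at line 1045, it also silently replaces any `rightsourceip` already built from `$rightsourceips`; a comment saying that the override is intended would help.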

    /conf/config.xml (somewhere in phase1)

    <avmvirtualip>123.123.123.123</avmvirtualip>

    (of course, "avmvirtualip" can be replaced with anything)

    I think, this should be an input field in phase 1 of IPsec. Something like "Force virtualip for remote"… If devs agree, I could write a little patch to include it. Perhaps an advanced text input for more individual configs?
    For me, this just needs to work the next 2 weeks. But it might be helpful to others?

  • IKEv2 Mobile with Windows 7 (No Route)

    3
    0 Votes
    3 Posts
    2k Views
    K

    Time to upgrade all users to Windows 10 :-)  works great on there with the powershell command!

  • Problems IPsec Pre-Shared Key (2.3.1)

    2
    0 Votes
    2 Posts
    818 Views
    jimp

    No changes I'm aware of in that area. Can you try some other variations of your "complex" key? Perhaps it's just one certain type of symbol in it that does not work?

  • IKEv MSCHAP - VPN Problem

    2
    0 Votes
    2 Posts
    2k Views
    S

    Just changed the IP Range to different network and it's working :) (192.168.2.0/24)

  • Ipsec fortigate - pfsense responder only

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ikev2 on Windows Phone 8.1 Help

    15
    0 Votes
    15 Posts
    8k Views
    M

    Thanks for sharing. That would figure as I do have VPN working on my Lumia 930 and that's configured using MDM and going through a Windows Server as the VPN server. Configuring it manually for pfSense lets it connect, but no data flows through. I'll provide feedback on this issue through the insider hub as the product group does read that stuff.

    -edit-

    Giving it another thought though, how can it be that if the UI was broken, it does connect? I don't see the connection between a broken UI and it connecting, but not sending data through. Sounds more like pfSense and Windows 10 Phone not cooperating well in sharing network config. Nevertheless will share in Windows Feedback App.

  • Pfsense 2.3.1 p5 Draytek 2960 Ipsec keeps dropping and connecting

    1
    0 Votes
    1 Posts
    555 Views
    No one has replied
  • [RESOLVED] No return traffic, but other end is sending.

    3
    0 Votes
    3 Posts
    1k Views
    J

    Looks like you were right. They did something, probably finally enabled 1:1 NAT, and now it magically works. Thanks

  • [Solved] Cant access pfsense https over IPSec

    4
    0 Votes
    4 Posts
    2k Views
    M

    @julianbros:

    Is it only the PfSense http/https service which is broken?

    Can you confirm by calling other urls from different sites?

    I had the same problem which was solved by enabling MSS clamping on VPN traffic.

    MSS clamping has solved it for the complete network, thank you!

  • Help Please: Phase 2 Tunnels are down

    7
    0 Votes
    7 Posts
    2k Views
    F

    Thanks a lot then. This solves my problem.

  • Workaround for Bug #4754 / #4537 no longer working in 2.3?

    3
    0 Votes
    3 Posts
    1k Views
    C

    Thank you jimp,

    setting net.isr.dispatch=deferred solved my problem and should work until the hardware will be upgraded next year.

  • IPSec to TP-Link down after 2.3.1p5

    1
    0 Votes
    1 Posts
    697 Views
    No one has replied
  • Solved IPSec Site to Site Issue– PFsense to TL-R600VPN

    6
    0 Votes
    6 Posts
    6k Views
    J

    Sorry for this post.

    @Thread creator: how did you solve the problem? I'm running into exactly the same problem!

  • Route mobile IPSec traffic to the other end of a site-to-site tunnel

    7
    0 Votes
    7 Posts
    2k Views
    J

    As cmb said before: You have to set up the corresponding phase 2 on both sites.

    Site 0 config:
    local subnet: 192.168.111.0/24
    Remote subnet: 192.168.2.0/24

    Site 1 config:
    local subnet: 192.168.2.0/24
    remote subnet: 192.168.111.0/24

    Another point may be, that your phase 2 on your mobile phase 1 of Site0 is configured wrong. Try there as local subnet 0.0.0.0/0.

  • [solved] IPSec mobile clients/roadwarrior: Per user privileges

    4
    0 Votes
    4 Posts
    954 Views
    Y

    Thank you for your confirmation!

  • Adding IPSec to GRE Tunnel breaks TCP connections

    6
    0 Votes
    6 Posts
    3k Views
    J

    2.3.1-RELEASE-p5(amd64)

    On the link jimp posted:

    I tried the manual fix for my GRE Tunnel over IPSEC and it allowed the traffic through.  Tried the Automatic Fix and it didn't work, so will have to do the manual fix for all the traffic.

    I see ticket 4479 talks about the issue:

    https://redmine.pfsense.org/issues/4479

    So trying to dig into this a bit further:

    While creating rules to allow the traffic I ended up creating both rules on the Floating tab.

    Rule 1:
    GRE Interface, direction out, Source was the local network, destination was the remote network, any TCP flags, and Sloppy State

    Rule 2:
    Local Network interface,  direction in, source was the Remote network, destination was the local network, any TCP Flags, and Sloppy State

  • IKEv2 Client Routing On Windows Issue

    18
    0 Votes
    18 Posts
    15k Views
    jimp

    That is all up to the client on Windows. Nothing pfSense or the server can do.

  • IKEv2 tunnel kills inbound NAT

    2
    0 Votes
    2 Posts
    872 Views
    jimp

    Not sure I quite follow how you've got that setup. "IKEv2 server listens on one of the OpenVPN connections" as in you have to connect to IKEv2 through OpenVPN?

    Are the port forwards also on OpenVPN?

    What is your IPsec mobile client network? OpenVPN tunnel network? Any overlaps there?

    It sounds almost like when you disconnect that the firewall's routing table is losing its default gateway or something along those lines.

    Visit /status.php on the firewall and download the file when it works, and then again when it breaks, and compare the various files looking for what changed.
