• Update from 2.2 to 2.3.1_5 broke my ios9.3.2 ipsec

    8
    0 Votes
    8 Posts
    1k Views
    Derelict

    This system has been upgraded since 2.1.X.

    Like I said I was able to get it to fail like you are seeing, but simply re-configuring the iOS device made it work with no changes to the server. Something's not right. Not sure where it is.

    I wouldn't completely reinstall if you haven't blown out the IPsec server and reconfigured it.

  • L2TP/Ipsec for mobile clients with multi-WAN

    1
    0 Votes
    1 Posts
    664 Views
    No one has replied
  • 2.2.4 IPSec connection to Amazon VPC up but can't ping

    5
    0 Votes
    5 Posts
    5k Views
    S

    @Reiner030:

    To use also routing from pfSense host to AWS (and not only from LANs) there is additional Outbound NAT rule needed from Any to VPC network with mask onto IPSec interface - otherwise the firewall tries to route over WAN interface directly.

    Perhaps this can help you too ?

    (I hope it's okay to dig this post back up)

    Are you saying to create an outbound NAT rule on the IPsec interface with the source as "any" and the destination as the VPC network? Because I did this and when I try to traceroute from pfSense to a VPC IP it tries sending it out to my WAN (PPPOE) gateway. My setup follows these instructions: https://www.seattleit.net/blog/pfsense-ipsec-vpn-gateway-amazon-vpc-bgp-routing/ - I also tried https://fattylewis.com/amazon-aws-vpc-vpn-with-bgp-an-pfsense/ (my AWS support rep suggested that) and I had the same issue. I also had tried it with static routing but still, no juice.

  • IPSEC Not supporting multiple phase2's

    4
    0 Votes
    4 Posts
    979 Views
    C

    You don't want to set it to auto in that case; it sounds like it's configured for IKEv1 on the other end, which means any attempts you make on your side with auto will fail. Set it to IKEv1.

  • Mobile IPSec - 2.2.5 to Win 10 - no data

    3
    0 Votes
    3 Posts
    914 Views
    M

    Got this mostly fixed.

    The client side VPN must be created through the Network and Sharing Center (the legacy interface way), not through the Network & Internet - VPN settings page (new, Modern, interface). It works when you do it the 1st way but doesn't work when you do it the 2nd way.

    If you're connecting to clients on internal subnets through the VPN, you have to update the firewall rules on those clients. The IPSec clients are coming from a new, different subnet and the firewalls running on internal machines need to know that new subnet is trusted.

    I still don't have it talking to the internet through the VPN, which is frustrating, but it isn't required for my application so won't prevent our 2.3.x upgrade.

  • PF-60D IPSEC tunnel SA error

    3
    0 Votes
    3 Posts
    954 Views
    jimp

    https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    Set the log options as described there and see if you can initiate from the Fortigate side. Even if it doesn't work, the logs will be much more useful in that direction.

    Odds are you have a P1 or P2 mismatch.

  • Is IPSEC fixed in 2.3.1_1? Does it work for you?

    7
    0 Votes
    7 Posts
    2k Views
    M

    @cmb:

    It hasn't been widely broken in any 2.3x release version.

    The PFKEY issue in the linked thread isn't common, but is fixed in 2.3.1 (and 2.3.1_1), and had manual fix instructions there since very shortly after 2.3.0 release.

    @cmb:

    I'm not aware of any IPsec issues in 2.3.1_1.

    And here I was thinking it was definitely still in a broken state. I am on 2.3.1_1.
    What is the fix for the PFKEY issue? Turning up the sysctl values? I have done that but still get the same errors. I shouldn't need to even do that since the fix is in 2.3.1_1, right?

    [2.3.1-RELEASE][admin@fwslc.alignbi.local]/root: cat /etc/version
    2.3.1-RELEASE
    [2.3.1-RELEASE][admin@fwslc.alignbi.local]/root: sysctl -a | grep net | grep raw
    net.inet.raw.recvspace: 131072
    net.inet.raw.maxdgram: 131072
    net.raw.recvspace: 1048576
    net.raw.sendspace: 2097152
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to delete SAD entry with SPI ca856e2c
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> deleting SPI allocation SA failed
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to add SAD entry with SPI ca856e2c
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to add SAD entry with SPI d7596024
    Jun 21 18:05:34 fwslc charon: 08[IKE] <con1000|109> unable to install inbound and outbound IPsec SA (SAD) in kernel
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available

    My three tunnels remain down. They were up before the upgrade. One of the tunnels connects to AWS and uses BGP. I have turned on the Unity plugin. Not sure what else there is to do.

  • 1000 pfSense <-> 1 pfSense VPN Tunnels

    2
    0 Votes
    2 Posts
    721 Views
    A

    anybody?

  • VPN tunnel with Adtran Router

    1
    0 Votes
    1 Posts
    603 Views
    No one has replied
  • IPSec VPN tunnel with Adtran

    2
    0 Votes
    2 Posts
    637 Views
    KOM

    The Feedback forums are for user feedback related to the use and operation of the SMF forum software. If you need assistance with IPSec, I would suggest the IPSec forum (https://forum.pfsense.org/index.php?board=16.0).

  • PfSense NetGate image in AWS using a public IP for an internal machine

    1
    0 Votes
    1 Posts
    924 Views
    No one has replied
  • IPSEC v2 with WAN Web Access

    1
    0 Votes
    1 Posts
    605 Views
    No one has replied
  • AES NI acceleration for AES-CBC with SHA-1 SHA-xx

    4
    0 Votes
    4 Posts
    1k Views
    C

    The combo isn't a problem, it just can't be accelerated to the extent that AES-GCM can be. Refusing AES-CBC with SHA isn't a solution to that.

  • IPSec between PF Sense and Mikrotik Router OS

    2
    0 Votes
    2 Posts
    3k Views
    R

    GOT IT, the problem was in front of my eyes on the Mikrotik. Under IP > IPSec on the tab Policies, the tab Action of my policy had a default proposal instead of the proposal that I configured. Changed it and now everything is perfect again.

    :D :D :D

  • 2.3.1_1 to Juniper

    2
    0 Votes
    2 Posts
    863 Views
    S

    Apart from the bug with 2.3 and IPSEC + OpenBGP, my tunnels all work fine with Juniper. I terminate them on MX routers (using MS-MIC-16G).

    What is the config you are using on both ends?

  • No outbound traffic after upgrading 2.2 -> 2.3

    5
    0 Votes
    5 Posts
    2k Views
    M

    I was setting up my first VPN today with pfsense 2.3 and had a similar problem (I could access any machine on the LAN, but I couldn't route anything to the Internet).  I turned on the Unity plug-in and things appeared to be working on the client, however, I suspect they weren’t working correctly.  If you look at Status->IPSec and then “show child SA entries”, on the right side you will see Bytes-In and Bytes-Out.  When I turned on the Unity Plug-in, Bytes-Out was zero as long as I tried to access anything on the Internet.  It only increased when I accessed a machine on the LAN.  My guess is the Unity Plugin directed the client to route Internet traffic locally instead of over the VPN.  Since I’m a complete noob with IPSec I don’t know that my conclusion is correct at all.  However, I’m guessing something wasn’t right…

    After playing around and trying a lot of different settings I found a setting that seems to work, but I don’t know what it’s really doing (I saw this in someone else's configuration).  In the Phase 2 settings there is an option for “Local Network”.  If I set this to “Network” of 0.0.0.0/0 the VPN appears to work, and the Bytes-Out increment on the Status page (after turning off the Unity Plugin).

    Again, I’m a complete noob with IPSec so I’m not sure what I did by setting the Local Network to 0.0.0.0/0.  Could someone that understands this better explain?  So far the only way the VPN appears to work (for me) is by either setting the Unity Plug-In or by setting the Local Network to 0.0.0.0/0.  I’m not sure which is better, or if I should turn off both options and keep looking at other settings.

  • Ipsec initiator only?

    1
    0 Votes
    1 Posts
    632 Views
    No one has replied
  • IPSEC problem MSS clamping [Solved]

    4
    0 Votes
    4 Posts
    2k Views
    W

    @jimp:

    Where exactly is 10.64.224.177 defined? In an IPsec Phase 2 entry?

    Yes, Phase 2 entry in IPsec.

  • 0 Votes
    8 Posts
    5k Views
    L

    Just wanted to circle back on this issue, I've since upgraded to pfSense 2.3.1 on the same hardware config. I've tried switching to SHA-256 hash option for my Phase 2 and can now say that it works. I'm not sure what in particular has changed in strongswan between 2.2.6 and 2.3.1 that is allowing for it to now work but it does.

  • Port forwarding over IPsec?

    1
    0 Votes
    1 Posts
    751 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.