• LDAP authentication for IPSec?

    4
    0 Votes
    4 Posts
    2k Views
    S

    @shpokas:

    found 2 matching configs, but none allows XAuthInitPSK authentication

    From my experience this means that there could be a problem with the peer identifiers. Strongswan is very strict about identifiers.

    Stefan

  • [SOLVED] IPsec no incoming traffic

    2
    0 Votes
    2 Posts
    1k Views
    S

    Ok, after hours on end I found the problem: SHA256 in P2 doesn't work. As soon as I changed it to SHA1 (or MD5, but I will not use that!) everything started working perfectly. Can't test SHA384/512 because the client doesn't support these.

    The phenomenon was: netstat -sp esp showed all "packets dropped; bad ilen". Hope this helps, but it would be interesting to find out why SHA256 is not working.

    Stefan

  • IPSec (road warrior) using vpnv4 as gateway iso standard gateway

    1
    0 Votes
    1 Posts
    517 Views
    No one has replied
  • IKEv2 with NoIP DDNS

    5
    0 Votes
    5 Posts
    2k Views
    R

    I've managed to get this working, even though I'm not gonna use it anymore. I don't really have a dynamic IP, but a failover situation, in which it might swap between two different static IPs.

    So, I'm using a previously existent, publicly trusted cert from my company. It has no IPs set as SAN (only a wildcard as DNS name), and it has client/server authentication in its EKU.

    I've done so many things to make it work, that I might be forgetting something important, but I remember that importing the server cert into the "computer->personal" (don't ask me why) folder was key to make it work. Probably there's a better way of doing this. One thing though: I've been doing preliminary tests by switching the IP resolution directly in my hosts file. Didn't get to the point of using DDNS.

  • Erratic IPSEC behavior ?

    2
    0 Votes
    2 Posts
    625 Views
    H

    Hi,

    I just wanted to add some more info about my config :

    the two pfSense servers were upgraded from version 2.2

    when I get the connection "Established X seconds…" (but no traffic) I also had "Bytes-in" and "Packets-in" to 0 on one side (pfSense1) and "Bytes-out" and "Packets-out" to 0 on the other side (pfSense1), while there was data for the opposite packets-in/out

    Thanks for your help,
    Hakim

  • IPSEC DRAYTEK

    2
    0 Votes
    2 Posts
    919 Views
    A

    I'm deeply sorry, but I can't understand a word you are saying. Could you please rewrite the post?

  • IPSEC Site-to-Site as Backup to Wireless Link

    2
    0 Votes
    2 Posts
    716 Views
    G

    Also, I am hooking up to an Edge router on the other side. It seems that EdgeOS supports VTI (Virtual Tunnel Interface) for IPSEC. When will pfSense support "routed IPSEC"? If it is routed, I believe we can treat links as gateways and do load balance and failover, correct?

  • IPSec Mobile client internet access

    4
    0 Votes
    4 Posts
    2k Views
    R

    Sorry, thank you very much.

    More than two weekends looking for a solution.

    Thanks again

  • IPSec - Mobile Clients - wrong subnet bug?

    4
    0 Votes
    4 Posts
    1k Views
    C

    Right, there is no connection from client to client. Anything other than a /32 would imply the host could talk to other hosts on that network directly, which isn't possible in any mobile IPsec context.

  • 2.3.1_1 IPSEC tunnel up, but IP Traffic between subnets is not working

    8
    0 Votes
    8 Posts
    2k Views
    C

    @moterpent:

    Probably not the problem, but thought I would mention the following.  I'm pretty sure this was fixed in 2.3.1, but some people that upgraded to 2.3 from 2.2 with ipsec configs, had an issue where more than one instance of ipsec/strongswan/charon was running.  I had the problem.

    That's definitely fixed in 2.3.1 and newer. For those who hit that, it impacted new configs exactly the same as upgraded ones.

  • IPSEC unstable

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Error 13801 - Ike-v2 authentication credentials are unacceptable

    11
    0 Votes
    11 Posts
    28k Views
    R

    @cmb:

    Your certificate likely doesn't have the proper EKU for Windows to recognize it.

    I've confirmed that the cert does have the "server authentication" EKU (1.3.6.1.5.5.7.3.1)
    Isn't it the right one?

    @cmb:

    The references to importing certificates on the client is for CA certs, not server certs, where a self-signed cert is used.

    Yes, I do understand that. I imported the server cert instead because it was quicker, for testing purposes. The point is, I would like to cut off the need to import anything into a computer's "personal" cert folder, since the cert is already publicly trusted.

  • Ipsec tunnel to Azure behind NAT adsl modem

    1
    0 Votes
    1 Posts
    734 Views
    No one has replied
  • Migrate from Openswan to pfsense

    1
    0 Votes
    1 Posts
    725 Views
    No one has replied
  • Mobile IPSec PSK+XAuth with different PSK per user

    1
    0 Votes
    1 Posts
    628 Views
    No one has replied
  • Tutorial - Windows certificate with IPsec

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Phase 2 BINAT same subnet on remote and local point to point

    4
    0 Votes
    4 Posts
    2k Views
    K

    So what about this situation:

    Site A:

    Using a (Interface with) subnet with 192.168.1.0/24 different network. (Not part of VPN tunnel)

    IPSEC P2 Local Subnet is 172.20.20.0/24

    Site B:

    LAN is 192.168.1.0/24

    P2 local is using this 192.168.1.0/24 subnet.

    What would be the proper way to use BINAT or is it not needed? Will the IPSEC tunnel know to direct traffic for the 172.20.20.0/24 going to 192.168.1.0/24 through the tunnel even though there is another interface using 192.168.1.0/24?

  • Ipsec between pfsense and lancom stopped working

    4
    0 Votes
    4 Posts
    3k Views
    R

    I have no 1:1 NAT or port forward and the outbound NAT rules are set to auto…

    Mhh, so I have no idea why the VPN is going down after some time and won't reconnect :(

  • [Solved][Mac] can not connect to pfsense L2TP/IPSec server

    2
    0 Votes
    2 Posts
    1k Views
    Y

    case solved by using OpenVPN
    https://forum.pfsense.org/index.php?topic=112696.0

  • Simple L2TP config question - VPN users can't see LAN

    3
    0 Votes
    3 Posts
    2k Views
    D

    I have the same problem.

    Could somebody help?

    As a test, I set the L2TP VPN to accept all traffic.

    Thank you

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.