• Getting IPSec Working with 2.2.6 & iOS 9

    0 Votes, 2 Posts, 1k Views

    OK, so if I specify a Group Name in iOS, the request becomes aggressive.  It still fails at:

    May 10 12:06:15 charon: 06[IKE] <15> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
    May 10 12:06:15 charon: 06[CFG] <15> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX…70.196.XXX.XXX[VPN]

    From VPN: IPsec: Edit Phase 1: Mobile Client - Phase 1 Proposal:

    Authentication method - Mutual PSK & Xauth
    Negotiation mode - Aggressive
    My Identifier - My IP Address
    Peer Identifier - Distinguished Name - VPN
    Pre-Shared Key - XXX

    What am I missing?

  • IPSec VPN drops randomly and never reconnects

    0 Votes, 3 Posts, 3k Views

    I think I figured it out... very stupid, of course. It seems that if I ping the remote LAN subnet, the tunnel will come back up by itself. I suppose I could set the auto ping IP to the remote LAN IP and that should keep it up.

    I unfortunately don't have control over the other end (and the admins that do are very incompetent) so I can't change to IKEv2 on the remote end.

    Would enabling 'Make before Break' have any effect?

  • Disable or enable Phase 1 from command line

    0 Votes, 4 Posts, 3k Views

    Were you able to find a command to enable/disable IPsec tunnels from the CLI? I would also like to know if there is a way to do this, because I would like to implement an IPsec multi-WAN failover.

  • IPSEC VPN

    0 Votes, 3 Posts, 1k Views

    That won't work.  I need to be able to set up pfsense as a client but using the ipsec instead of openvpn settings.

  • IPSec Security

    0 Votes, 4 Posts, 1k Views

    PFS keygroup 2 (1024bit) is rumored to be possible to break with an NSA-like budget. The PFS keygroup 5 should be fine as of now; higher PFS groups get really slow. For the symmetric ciphers like 3DES and AES128 there is no real-world break known, but as AES128 should be faster than 3DES you should use AES. The hash does not matter as it is used for integrity check to my knowledge, at least if you are not using a preshared key, which you should not do.

    Regards

    Andreas

  • IPsec failure after upgrade to 2.3 - resolved

    0 Votes, 1 Post, 1k Views
    No one has replied

  • PfSense as an IPSec / L2TP client

    0 Votes, 3 Posts, 2k Views

    No, unfortunately. Bought an ERLite-3 instead, lived with ~250 Mbps for a bit, and then decided that VPN is not worth all this trouble.

  • Any IPSec Mobile client that actually works in Windows?

    0 Votes, 15 Posts, 4k Views

    Hi!

    Have you solved it?

    Reading your post I remembered I had problems with the ShrewSoft client.
    What fixed it for me was the setting
    NAT Traversal: Force (in Mobile Clients / Advanced)

    LP, Miro

  • IKEv2 Mobile clients and mapped drives

    0 Votes, 1 Post, 692 Views
    No one has replied

  • Does pfsense 2.3 support ipsec's high availability?

    0 Votes, 1 Post, 582 Views
    No one has replied

  • 1GB fiber link over IPSec

    0 Votes, 10 Posts, 2k Views

    Never mind, I am blind haha ;D

  • Losing connection in ipsec phase 2 after 24 hours

    0 Votes, 5 Posts, 3k Views

    This issue has not reappeared in the last few days, and it used to occur at least once a day.

    The only major change to my configuration was to improve the stability of the PPPoE link to the Internet. I was using a USB Ethernet adapter for my PPPoE link and the link was quite unstable; typical PPPoE uptimes were a few hours max. I have since changed to a VLAN-based solution to get my PPPoE traffic out of the pfsense environment. The result of this is that the PPPoE is now significantly more stable, and at the same time the IPsec phase 1 without phase 2 problem appears to have gone away.

    As well as being more stable, the time to reconnect when the PPPoE link does fail has increased. With the USB Ethernet adapter the PPPoE daemon would receive a TERM signal, shut down, and then immediately reconnect. Now all the PPPoE outages look more like ISP issues: loss of LCP echo, followed by a few attempts to reconnect. So the PPPoE link is down for a much longer time and does not instantly reconnect.

    So at this stage it looks like the IPsec loss of phase 2 may relate to the manner/frequency of link failure on the Internet link.

    I have left the IPsec links in IKEv1 and if the issue occurs again then I will hopefully be able to supply the appropriate logging information.

    Tim

  • 2.2.6-RELEASE IPSec & AWS VPN daily disconnects, multiple Phase-2

    0 Votes, 2 Posts, 1k Views

    How many phase 2 entries do you have?

    Make sure you're not running into https://forum.pfsense.org/index.php?topic=106260.msg592087#msg592087.

    Cheerio, Harry.

  • Ipsec error

    0 Votes, 4 Posts, 4k Views

    Another error: I have been able to log in with the Shrew VPN client software, but now no more access.

    The error shown when logging in is "negotiation timeout occurred".

    I have uninstalled and reinstalled; still the same error.

    Kindly help.

  • *FIXED* IPSec site-to-site transport mode GRE verification

    0 Votes, 1 Post, 929 Views
    No one has replied

  • After upgrading to 2.2.2, IPsec not working.

    0 Votes, 5 Posts, 9k Views

    I had the same problem when upgrading from 2.1.5 to 2.2.6 (changing hardware and restoring the config etc.). In the end I needed to re-specify what interface the local endpoint of the phase 1 entry was on; it seems to have reset itself to the interface and not the virtual IP that was originally used.

    Hope this helps someone else.

  • User passwords for l2tp/ipsec

    0 Votes, 1 Post, 642 Views
    No one has replied

  • 2.3 L2TP/IPsec no l2tp interface

    0 Votes, 2 Posts, 1k Views, jimp

    Read the warning note at the top of the wiki doc you linked – that won't work for Windows, for the exact case you have encountered.

  • IPSEC using VIP Alias (PPPoE) - PFSense 2.1

    0 Votes, 2 Posts, 1k Views

    The only way I got it to work was to:

    Set up one pfSense gateway to connect to the internet via pppoe. Set up another pfSense as an IPSEC initiator and set up the IPSEC connection. Box (1) is my default gateway to the internet; I route all traffic from (2) to (1) so that the IPSEC box can route outwards to establish the IPSEC connection. I set up a custom route from (1) to (2) for any traffic going to the remote site.

    PM me if you want more details.

  • IPSec and NAT

    0 Votes, 2 Posts, 1k Views

    That's the nature of how it works. Traffic matching the SPD is intercepted and sent across the IPsec if there is a matching SA. If the IPsec can't come up, it gets dropped.

    IPsec transport mode with a gif or GRE tunnel and a dynamic routing protocol is how failover is accomplished. Or policy routing, though that's usually more complicated since you have to make sure routing on both ends is updated appropriately.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.