• Any way to connect a Mac as mobile IPsec client?

    5
    0 Votes
    5 Posts
    4k Views
    -flo- 0-

    Yes, this page is a valuable resource also for other scenarios. It was the first reliable source I came across stating that the built-in client from OS X should be working in this setup at all.

  • Pre Shared key for Site To Site and Mobile VPN

    1
    0 Votes
    1 Posts
    682 Views
    No one has replied
  • Site to site IPSec, pfSense 2.2.5 with IPCop 2.1.9

    1
    0 Votes
    1 Posts
    595 Views
    No one has replied
  • Upgrade from 2.2.6 to 2.3 broke mobile IPSec [fixed]

    10
    0 Votes
    10 Posts
    3k Views
    J

    Thanks, makes total sense. Thanks for your help.

  • Improvement proposal IPSec IKEv2 - USERS in user manager - save EAP key

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ

    No, they are not encrypted on disk. They're in the clear because they have to be for EAP to work properly with strongSwan (I misspoke and said mpd earlier, not sure where that came from…)

    https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

  • IPSec Site-to-Site VPN it is possible to create a Remote Gateway group?

    1
    0 Votes
    1 Posts
    914 Views
    No one has replied
  • 0 Votes
    2 Posts
    916 Views
    C

    You have to add a P2 with the NAT in that case, otherwise it never enters enc0 to be translated and sent across.

  • 0 Votes
    5 Posts
    2k Views
    J

    I have the same problem. Can you share which NAT settings you changed? Thanks

  • Ipsec tunnel to windows server 2012 R2

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Configure VPN / IPSec with a routed public IP

    1
    0 Votes
    1 Posts
    572 Views
    No one has replied
  • IKEv2 with EAP-MSCHAPv2 connected but no internet access (Resolved)

    3
    0 Votes
    3 Posts
    5k Views
    R

    Had a similar problem (0.0.0.0 route always added) when creating VPN from Windows GUI and PowerShell helped. Thanks.

  • Port 4500 and 500 are blocked by pfsense?

    2
    0 Votes
    2 Posts
    778 Views
    C

    Maybe, depends on your config. By default they're both allowed outbound from LAN if that's what you mean.

  • IPSec Mobile Client not able to access Point-to-Point

    1
    0 Votes
    1 Posts
    565 Views
    No one has replied
  • Pfsense 2.3 DNS server issue

    3
    0 Votes
    3 Posts
    1k Views
    G

    Thank you for your help. Unfortunately I had to revert back to 2.2.2 because of this, as it's a production environment, but I will try again on the first occasion and let you know.

    Never realized that a plug in was required in the new version.

  • IPSec problem with pfSense 2.3 - DPD path probing fails

    3
    0 Votes
    3 Posts
    1k Views
    E

    -> cmb

    Thank you for your statement. You are absolutely right that it is not the "finest" solution that WAN and LAN are on the same subnet but they are segregated via VLAN and not bridged. The WAN uses a gateway, that's why it has a static IP. This gateway is used by another network with the same subnet which is not connected to the first network with the same subnet. This needs to be changed but the reason was a connection of two networks that were not planned intentionally and the change has not been done yet.

    In the "first" subnet with pfSense the IPSec clients are in the subnet 10.21.32.0/24, LAN is 10.21.30.0/24 (OpenVPN Clients in 10.21.31.0/24).

    I changed the subnet for WAN (10.21.29.0/24) for testing on the weekend but the problem remains.

    In the meantime I could figure out the problem. The problem only exists when MOBIKE is enabled (a new feature in 2.3 as far as I remember). If MOBIKE is disabled the DPD is sent via the WAN as intended. If MOBIKE is enabled the DPD is sent via LAN interface. So there could be a problem with the implementation of MOBIKE.

  • Script to reload automatically VPN

    4
    0 Votes
    4 Posts
    843 Views
    W

    You can use /usr/local/sbin/ipsec up con <number>

    Look up the number in ipsec.conf.

    Use the command in cron (package).

    What device on the other side do you have problems with? I use this for connections to Fortigate devices, failing with phase2 rekeying.

  • 0 Votes
    11 Posts
    3k Views
    DonnyD

    @Donny:

    Now IPSec Mobile work fine.
    1. I made a record FQDN my pfSense hostname: zwolle.xxxxx.com with Public WAN IP Address from my ISP in the domain name system (DNS): xxxxx.com
    2. At local host computer Windows 10, I tested PING to FQDN pfSense hostname > zwolle.xxxxx.com. It worked.
    3. Create IPSec CA certificate, the common name whatever
    4. Create Server Certificate to Common Name with FQDN pfSense hostname > zwolle.xxxxx.com. For Alternative name, I don't use Mac OS, Linux, etc.
    5. Set up IPSec tunnel Phase 1 My identifier to Distinguished name with "zwolle.xxxxx.com" that is the same common name on Server Certificate.
    6. Other setup is the same as the pfSense document wiki
    7. Export only IPSec CA to Windows 10 Client and then install IPSec CA to Trusted Root Certificate Authorities.
    8. Configure the properties of IPSec Connection adapter, for example at Security tab > IKEv2, Require encryption and Secured password (EAP-MSCHAPv2) (encryption enabled)
    9. Test the connection using the username and password that were created on Pre-Shared Keys tab
    10. Finally connected and can ping to local host, copy files, etc.

    Donny

    Just want to be sure. The way I did it above, is it correct?

    Thank you. Donny

  • VPN Tunnel between pfSense 2.1 and Watchguard XTM 3 serie

    2
    0 Votes
    2 Posts
    993 Views
    D

    Hello,

    I have to configure VPN between pfSense and Watchguard M300, can you help me?
    Do you have a step-by-step guide?

    Thanks!

  • IPhone to pfsense 2.3 not working

    8
    0 Votes
    8 Posts
    6k Views
    E

    Follow the instructions provided by kavara with IKEv2 via EAP-MSCHAPv2. IKEv2 is not only more secure than IKEv1 but much quicker in establishing a connection. Just send the certificate you downloaded from pfSense via e-mail to your iPhone and click on it in the e-mail to install, that's all.

  • 0 Votes
    1 Posts
    791 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.