• IPSec pfsense <-> Fritzbox broken in 2.2

    0 Votes
    20 Posts
    11k Views
    The initial connection comes up fine. Just after the 24h disconnect the tunnel will not be reestablished and I get the same log entries. It seems the ISP cuts the line once every 24h, like here in Germany, and the IPsec connection is not coming up properly again. Confusing but maybe helpful: if I use another IPsec connection from my smartphone (with VPNCilla, inside the LAN) to the Fritz!Box, then the pfSense tunnel comes up simultaneously :o If there is then a packet flow through the tunnel, it will perhaps revive the older IPsec VPN tunnel again and it's up then. Did you try to get a link or data flow from your PC through the tunnel by opening the browser and connecting to some devices on the other side of the VPN tunnel, or perhaps another program running on a device in the LAN?
  • AWS VPC Wizard connection - received DELETE for ESP CHILD_SA

    0 Votes
    3 Posts
    3k Views
    @jimp: How many Phase 2 entries do you have? IIRC AWS will only allow so many P2 entries (3, I think) and if you establish another one after that, they will disconnect one of the previous entries in exactly that fashion. Hi, I have since found the issue and that was in fact the problem. These symptoms are buried in this Amazon tech note https://aws.amazon.com/premiumsupport/knowledge-center/vpn-connection-instability/. Really difficult to track down because you don't have access to any logs on the AWS side… Cheerio, Harry.
  • Ping Anomaly

    0 Votes
    4 Posts
    1k Views
    Basic network config on the hosts in question is the next most likely. Missing or wrong default gateway, wrong subnet mask.
  • VPN Tunnel issues

    0 Votes
    1 Posts
    819 Views
    No one has replied
  • Ipsec service stopped

    0 Votes
    2 Posts
    2k Views
    You're at least a version or two behind. Upgrade, then if you're still having an issue, post your IPsec logs again and what you're trying to configure.
  • [2.2] Strong Swan DNS Problems with mobile users

    0 Votes
    14 Posts
    7k Views
    @Garrett: Just found a workaround by appending another bogus domain name in my split-dns list from: "mydomain.com" to "mydomain.com bogus.com". That seemed to do the trick. That'll work around it. The root issue, which was a client-side problem, was fixed in OS X El Capitan for sure, and I believe a newer iOS version than this thread originally referenced as well.
  • EAP-MSCHapv2 with internal users?

    0 Votes
    2 Posts
    1k Views
    jimp
    For local clients and EAP-MSCHAPv2, they go on the PSK tab, with entries set for EAP, as described in the documentation: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_Client_Pre-Shared_Keys
  • 0 Votes
    8 Posts
    4k Views
    Hi, alternatively you need two IP addresses at the colocation, set up transport IPsec connections and GRE tunnels over it. Sorry for spelling, tablet with wrong keyboard. Best regards, Thomas
  • IPSEC initiation from one side only

    0 Votes
    8 Posts
    2k Views
    Config can differ as initiator vs. responder. UDP 500 traffic could be blocked in that direction but not the opposite. Regardless you need to look at the Juniper side and see why it's not replying.
  • P2 problems pfSense <-> Juniper

    0 Votes
    2 Posts
    1k Views
    The Juniper is first not replying, and second, sending a delete. No way to tell anything useful from that side's logs in that case, check the logs on the Juniper side.
  • IPSEC address to address

    0 Votes
    1 Posts
    813 Views
    No one has replied
  • Phase 1 problem after phase 1 lifetime ends

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Insight into ipsec traffic

    0 Votes
    1 Posts
    578 Views
    No one has replied
  • Client VPN and then Site to Site VPN traversal (possible?)

    0 Votes
    3 Posts
    1k Views
    I am trying to do the same but confused as to your explanation. Any screenshots would be great!
  • IPSEC widget error

    0 Votes
    14 Posts
    4k Views
    2.3 is not affected :)
  • L2TP, Private Network -> Public Network

    0 Votes
    2 Posts
    822 Views
    Seems like pfSense auto adds a NAT rule (default "Automatic outbound" is selected in Outbound "Firewall: NAT: Outbound"). I changed Outbound to "Hybrid outbound", and added an exception "Do not NAT" with the subnet used for L2TP; see attachment. Image is manipulated to mask my real IP/mask, instead using 8.8.8.0/29 as the example in my previous post.
  • Bounty offered: IKEv2 for iOS and OSX mobile client

    Locked
    0 Votes
    9 Posts
    3k Views
    Ok, my solution is posted to a new post, to keep things clean. https://forum.pfsense.org/index.php?topic=106433.0 Imagine how pleased I was to find that the forum does not support markdown and I had to reformat the whole thing!!! It would be great if that post could be 'stickied' if this forum supports that, at least for as long as the instructions are valid!
  • No traffic over ipsec

    0 Votes
    4 Posts
    1k Views
    IPsec tunnels need NSA/GCHQ approval before becoming functional, I had that several times in the past. OpenVPN they apparently crack on-the-fly, so they "work" out of the box… ;-)
  • IPSEC Tunnels / Routing in between

    0 Votes
    8 Posts
    2k Views
    Sorry, my bad. I did this several times but the "branches" were in fact OpenVPN tunnels, and they were connected through an IPsec tunnel between the main sites. On the basis of how all this works, I don't think you can do what I mentioned earlier (although I never tried). Probably your best bet is to use some dynamic DNS so you can establish a direct Ph1 between the branches, since you'll be able to ditch the 0.0.0.0/0 requirement.
  • Site-to-Site + Synology Diskstation = Problems

    0 Votes
    2 Posts
    2k Views
    The plot thickens a bit more and I get more and more out of my depth of field. I have toggled the following value: net.inet.ip.redirect = 0 (default 1) and communication between the Diskstation and Azure has been restored. Have I set myself up for more problems by altering the above flag? Thanks in advance!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.