• StrongSwan IKEv2 EAP-TLS VPN to Android

    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Pfsense 2.1.5, when phase 1 drops, phase 2 does NOT

    1
    0 Votes
    1 Posts
    633 Views
    No one has replied
  • IPSec between version 2.1.2 and version 2.2.5

    6
    0 Votes
    6 Posts
    2k Views

    FIXED:

    Thanks for the replies.

    I can confirm that the reason was due to the fact that our key had a space character at the end.

    This page is very helpful: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

  • 0 Votes
    19 Posts
    6k Views

    I know how automatic rules turn into manual ones. My question is what created the automatic rules in the first place (IOW, what's their root cause?), in particular since they only appeared at one site, without a difference between the sites that could explain them (to me).

  • Help with IPSEC not connecting

    12
    0 Votes
    12 Posts
    8k Views

    Yeah I've double checked all of that, the client doesn't want to upgrade yet because he is afraid of it causing issues. But I think that may be the only choice.

  • PfSense 2.2.5 <-> Server 2008 R2 RRAS

    1
    0 Votes
    1 Posts
    995 Views
    No one has replied
  • Shrewsoft Mobile IPSec Client Acting Up

    6
    0 Votes
    6 Posts
    1k Views

    @jimp:

    I don't have the link handy but someone else here on the forum posted that they were able to get the powershell command to work to allow for split tunneling. That may have been on Windows 8, though, I'm not sure if it also works on 7. It's worth a shot though.

    The powershell commands are only for windows 8/10. No luck on 7. It seems the only way this can work with windows 7 is:

    Route all traffic over tunnel (Use Default Gateway on Remote Network selected on windows 7 client)
    Add Routes manually when connected to VPN Client
  • IPSEC Site-to-Site show me connected but I can't access

    7
    0 Votes
    7 Posts
    1k Views

    So in my case doesn't show me any relevant information :(

  • IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through

    4
    0 Votes
    4 Posts
    5k Views

    And importantly…add firewall rules...

  • IPsec with OS X 10.10.5 and PFSense 2.2.5

    5
    0 Votes
    5 Posts
    2k Views

    I use Shrewsoft on 10.11.1 because I also use Windows 10, which allowed me to standardize my firewall settings and client configurations for both platforms. Here's 10.11.1 I used as late as 12/02/2015 - http://nubisnovem.com/el-capitan-solution-mac-os-x-10-11-and-shrew-soft-vpn-client/

    I added my configurations for Firewall and Client via screenshots here - https://forum.pfsense.org/index.php?topic=102825.0  - this works and is used for both Windows 7-10 and latest MAC OS X

  • Ipsec not coming up

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • L2TP over IPSec

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    That's a known issue with L2TP/IPsec on Windows Clients. See the warning here: https://doc.pfsense.org/index.php/L2TP/IPsec

    I've moved on to IKEv2, L2TP/IPsec is not a good choice these days.

  • Only two IPSec Phase 1 tunnel authentication methods available?

    2
    0 Votes
    2 Posts
    744 Views

    Guessing that's not your mobile P1 you're looking at. The others are only applicable and configurable for mobile.

  • Second Phase 1 doesn't start on boot

    2
    0 Votes
    2 Posts
    677 Views

    You remove the input validation to get that to work? There are reasons that config isn't permitted by the GUI. It should come up fine when traffic triggers it though.

  • Received INVALID_ID_INFORMATION error notify

    2
    0 Votes
    2 Posts
    10k Views

    Split this to its own topic as it's not at all related to the thread you posted in.

    "received INVALID_ID_INFORMATION error notify" means your identifiers don't match. They wouldn't have before the upgrade either, racoon just (wrongly, really) didn't care. Info here:
    https://doc.pfsense.org/index.php/UpgradeGuide#Stricter_Phase_1_Identifier_Validation

    If you're using non-IP identifiers, you'll need to switch back to aggressive mode, and fix the P1s on both sides so the identifiers match.

  • Routing between two remote Ipsec Tunnel

    2
    0 Votes
    2 Posts
    953 Views

    By chance it is possible to use an OpenVPN tunnel between site A and Site B, and after create a Pfsense rule to send packet from site A to site C?
    thank you

  • IKEv2 Android Roadwarrior Routing Issue

    2
    0 Votes
    2 Posts
    897 Views

    Got it fixed. I've put the local nets into the routing section, separated by space, and everything works now as it should. Not sure if all traffic is routed through the IPsec tunnel, but that isn't important for me.

  • Web Config hangs with mobile client ipsec

    4
    0 Votes
    4 Posts
    912 Views

    Just to follow up again, this error seems to hit the main dashboard page if the IPSEC Widget is enabled and also affects the Status->IPSEC page.

  • IPSec lan-to-lan with PfSense and MikroTik - Not working!!!

    4
    0 Votes
    4 Posts
    3k Views

    Hi,

    I know that mikrotik + pfsense is working.

    Is phase1 ok? -> yes, go to phase2
    Is phase2 ok?

    From mikrotik forum:
    When you want to make a direct IPsec tunnel between MikroTik routers you must make sure that you have an exception rule in your NAT table for traffic from the local to the remote network which says "accept" (before your general rule that says "masquerade" or "src-nat").
    When you do not do that, the router will mistakenly NAT the traffic before it puts it into the tunnel, and no communication will be possible.

    I used on phase 1
    Encryption algorithm AES 256
    Hash algorithm SHA1
    DH key group 2(1024)
    Lifetime 86400

    phase2
    Protocol ESP
    Encryption algorithms AES (auto)
    Hash algorithms SHA1
    PFS key group 2(1024)
    Lifetime 1800

    With other settings I ran into trouble.

    regards
    max

  • Pfsense 2.1.5 tunnel with srx100

    1
    0 Votes
    1 Posts
    636 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.