• IPsec on dynamic IP. PHP page that will update HOSTS for the unbound.

    2
    0 Votes
    2 Posts
    978 Views
    C
    A good dynamic DNS provider will give you a TTL of no more than 30 seconds, and usually only 10 seconds or so, and updates are reflected immediately, so the largest delay possible is the TTL. A public IP change is pretty disruptive already, so generally ~10 seconds is pretty acceptable (where it isn't, you should be paying for something with a static IP). If it's the typical forced daily PPPoE reconnect, that can be scheduled at a time where disruption is minimized. Then using a better dynamic DNS provider would take care of the worst of the remainder. There isn't an easy way to update unbound like you're wanting. Its TTLs default to an hour, so doing that would actually make it worse.
  • Switch from strongSwan to Openswan/Libreswan?

    3
    0 Votes
    3 Posts
    7k Views
    M
    @jimp: IKEv2 is the answer. Nobody wants to work on L2TP/IPsec in strongSwan since it's dying off and has issues with NAT. Ironically the quoted website, raymil.org recommends exactly the same: No L2TP? The previous tutorials all used L2TP to set up the VPN tunnel and use IPSEC only for the encryption. With the IKEv2 protocol and recent operating systems (like OS X 10.8+, Android 4+, iOS 6+ and Windows 7+) supporting IKEv2 we can also use IPSEC to set up the tunnel, before we used IPSEC to do that. This VPN will therefore not work out of the box on older operating systems. See my other tutorials with L2TP on how to do that.
  • IPSecSite2SiteVPN

    2
    0 Votes
    2 Posts
    881 Views
    ?
    Office Internet uplink to Cisco Switch, Switch to Netscreen firewall WAN, switch to another HP Switch (Layer 3), Switch to pfSense WAN. In some cases a small network drawing would be nice to understand it really like you mean it.
  • 2.2.6 IPSEC ReKey and Hardware Hang

    2
    0 Votes
    2 Posts
    1k Views
    B
    I had a similar issue with connections to an ASA, what fixed it for me was checking the disable rekey box in the Phase 1 settings, and I also had issues with Unique IDs at some point so I configure my boxes with "Configure Unique IDs as:" set to No under Advanced IPSec settings.
  • Ipsec site to site dynamic peer address

    9
    0 Votes
    9 Posts
    11k Views
    Z
    Yet ironically, some other vendors won't support FQDN on IPsec tunnels, even though they will support a dynamic endpoint. [glares at Palo Alto] It's incredibly annoying as it means you are forced to run aggressive mode, which strongSwan doesn't like (for understandable reasons). I can't wait until I can get my PAs on v7, which finally adds IKEv2.
  • Multiple Road Warrior users with PSK auth unable to connect

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2.2.6 - some IPsec phase 2 entries won't come up - how to troubleshoot?

    1
    0 Votes
    1 Posts
    992 Views
    No one has replied
  • Can't establish Mobile IKEv2 with EAP-MSCHAPv2 VPN

    7
    0 Votes
    7 Posts
    3k Views
    C
    OpenVPN worked like a charm. Bye bye PPTP. Carlos
  • Site to Site IPSec VPN with Sonicwall TZ-215 not working

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec mobile clients not working anymore

    4
    0 Votes
    4 Posts
    4k Views
    A
    Hi. Maybe take a look at my post https://forum.pfsense.org/index.php?topic=104680.0. This may be related to your problem with Shrew Soft. Thanks
  • IPSEC VPN tunnel and direct traffic between VPN endpoint

    1
    0 Votes
    1 Posts
    709 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    J
    I've had the same issue (in 2.2.5), Azure tunnel seemed to be up, but no traffic. I think I have solved this by setting the PFS key group setting in the phase 2 configuration to Off. The tunnel has been up and functioning well for a week now. I'm not sure if this has any security implications though.
  • Mutual PSK + Xauth disappeared on 2.2.6

    6
    0 Votes
    6 Posts
    2k Views
    N
    @cmb: That's exactly what I said - the one with the xauth options is a mobile P1, the one without is a site to site P1. It's correct, you're trying to edit/create the wrong thing. Edit the mobile P1, or if you don't have one, go to the mobile clients tab and add one. Ah, I found it. Seems that you can only get to it from another option and it isn't directly available right from that menu. You have to add mobile=true to the URL if you want to access the mobile P1 directly.
  • Route Internet traffic over IPsec connection

    1
    0 Votes
    1 Posts
    826 Views
    No one has replied
  • IPSEC Site-To-Site As Gateway to Corporate

    1
    0 Votes
    1 Posts
    934 Views
    No one has replied
  • IKEv2 / IPSec doesn't seem to work with external ECDSA Certificates

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SOLVED: IPSec VPN + IOS "On Demand"

    2
    0 Votes
    2 Posts
    2k Views
    M
    Ok. I hate replying to my own topic, but in case anyone else is having this problem, I thought I would update status… I found out it is indeed an iOS issue.... I was running iOS 9.0.2... Updated to the latest iOS 9.2 and it solved the problem.
  • [solved] rw-cert - my tunnel is up but I can't route/nat to the lan

    3
    0 Votes
    3 Posts
    1k Views
    O
    I am having the same issue as you. Can you point me to what exactly you added in the Virtual IP network and the proxy ARP?
  • IPsec tunnel disconnects after about 8 hours

    4
    0 Votes
    4 Posts
    2k Views
    ?
    @pforum: I could test that out. It would be the best, as I see it right now. However, we have sites on version 2.1.5-RELEASE as well as 2.2.2-RELEASE where this isn't happening at all. I don't know about your versions, but the link below describes exactly what changes were made to IPsec. New Features and Changes in pfSense 2.2.5
  • Ipsec

    5
    0 Votes
    5 Posts
    1k Views
    jimp
    If you have a pfSense Gold Subscription I did a video of the IKEv2 remote access VPN a couple months back. It works fine when the wiki instructions are followed exactly.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.