  • IPsec with IKEv2 received proposals unacceptable?
    0 Votes, 4 Posts, 5k Views
    Last reply: "AES" is AES-CBC.
  • IPSEC mobile clients - iPhone
    0 Votes, 1 Posts, 1k Views
    No one has replied
  • IPSEC Tunnel help
    0 Votes, 1 Posts, 840 Views
    No one has replied
  • IPSec Tunnel Stopped Working…
    0 Votes, 1 Posts, 1k Views
    No one has replied
  • IPSec Throughput Issues
    0 Votes, 1 Posts, 923 Views
    No one has replied
  • Routing to additional subnet over IPsec VPN
    0 Votes, 3 Posts, 1k Views
    Last reply: You don't route across IPsec. Just need to make sure the additional P2 matches, if IKEv1. For IKEv2, ASAs don't support multiple selectors in the same TS payload yet, so that won't work. We'll implement a workaround likely in 2.3 to accommodate that, as Cisco doesn't seem to be implementing that any time soon. https://redmine.pfsense.org/issues/4704
  • 0 Votes, 3 Posts, 1k Views
    Last reply: It was technically wrong to begin with, but racoon didn't care. It's noted in the upgrade guide. https://doc.pfsense.org/index.php/UpgradeGuide#Mobile_client_users.2C_verify_Local_Network
  • Setup IPSEC on 2.2.5 for Mac OSX and Shrew VPN Client on Windows [SOLVED]
    0 Votes, 5 Posts, 2k Views
    Last reply: No one knows why I can connect only one VPN at the same time? Best regards
  • IPSec with Commercial Certificates
    0 Votes, 9 Posts, 3k Views
    Last reply: EV wouldn't be any different in that regard.
  • IPSec becomes unstable after some days
    0 Votes, 2 Posts, 948 Views
    Last reply (awebster): As you said, not much to go on… Check the IPSEC Phase 2 lifetime. They must match on both ends. Beware that not all vendors describe the lifetime in the same units (seconds, minutes or hours), so be sure that you are comparing apples to apples. The phase2 lifetime can also be specified in amount of data transferred. Again, they must match, but don't use time and amount lifetimes at the same time, that gets confusing.
  • Can't browse using Always-On VPN on iOS device
    0 Votes, 4 Posts, 1k Views
    Last reply: @cmb: Where local subnet is "LAN", it only allows to the LAN subnet. Set that to 0.0.0.0/0 instead to send all traffic across the VPN. Thank you very much, that resolved the problem. It totally makes sense too, can't believe I didn't notice that.
  • L2TP/IPsec VPN not responding to client?
    0 Votes, 2 Posts, 2k Views
    Last reply (jimp): Did you read the warning at https://doc.pfsense.org/index.php/L2TP/IPsec ? Drop L2TP/IPsec and go for IKEv2 https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
  • Login issue with IPsec IKEv2 using Active Directory Authentication
    0 Votes, 2 Posts, 1k Views
    Last reply: You cannot do what you're trying to do: https://forum.pfsense.org/index.php?topic=90753.msg504731#msg504731 Install and setup NPS/IAS on your AD server. Add it as a RADIUS server to pfSense. Then use EAP-Radius for authentication.
  • 1:1 NAT within Hub and Spoke IPsec VPN setup
    0 Votes, 1 Posts, 727 Views
    No one has replied
  • IPsec to Fortinet stops working after some time
    0 Votes, 8 Posts, 4k Views
    Last reply: @cmb: Does the a.a.a.a/24 and b.b.b.b/24 match what you would expect? It should only generate that response if those subnets don't match the config. It matches perfectly, also in the log fragment it actually fails. I just can't understand why it works fine for hours with multiple phase2 rekeyings gone well and then all of a sudden it should not match anymore? Can both sites initiate a phase2 rekey? From what I have seen now it's always strongswan rejecting the Fortinet TS after a while, but initially the connection works fine initiated from both sites. For one connection I ended up with a phase1 lifetime of 28800 and a phase2 lifetime of 86400. In that case a rekey of phase2 should never happen. So far it seems stable, but only one day has passed so far.
  • IPSec Logs not Friendly in 2.2.5
    0 Votes, 3 Posts, 997 Views
    Last reply: The connections are identified by the conXX entry in the log line. Can match that up via 'ipsec statusall' output or checking /var/etc/ipsec/ipsec.conf if you aren't sure what's what. The bulk of the logs are the same things expressed somewhat differently given it's a different keying daemon, but nothing difficult to grasp if you understand IPsec (which was a requirement for racoon's logs in 2.1x and earlier anyway). We'll probably bring back the connection description in the GUI log display at some point, but it's not a major usability hindrance.
  • L2TP/IPsec with Windows Embedded Handheld 6.5 Pro
    0 Votes, 1 Posts, 985 Views
    No one has replied
  • StrongSwan IKEv2 EAP-TLS VPN to Android
    0 Votes, 1 Posts, 4k Views
    No one has replied
  • Pfsense 2.1.5, when phase 1 drops, phase 2 does NOT
    0 Votes, 1 Posts, 666 Views
    No one has replied
  • IPSec between version 2.1.2 and version 2.2.5
    0 Votes, 6 Posts, 2k Views
    Last reply: FIXED: Thanks for the replies. I can confirm that the reason was due to the fact that our key had a space character at the end. This page is very helpful: https://doc.pfsense.org/index.php/IPsec_Troubleshooting
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.