• 0 Votes
    19 Posts
    6k Views
    B
    I know how automatic rules turn into manual ones. My question is what created the automatic rules in the first place (IOW, what's their root cause?), in particular since they only appeared at one site, without a difference between the sites that could explain them (to me).
  • Help with IPSEC not connecting

    12
    0 Votes
    12 Posts
    8k Views
    D
    Yeah I've double checked all of that, the client doesn't want to upgrade yet because he is afraid of it causing issues. But I think that may be the only choice.
  • PfSense 2.2.5 <-> Server 2008 R2 RRAS

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Shrewsoft Mobile IPSec Client Acting Up

    6
    0 Votes
    6 Posts
    1k Views
    D
    @jimp: I don't have the link handy but someone else here on the forum posted that they were able to get the PowerShell command to work to allow for split tunneling. That may have been on Windows 8, though, I'm not sure if it also works on 7. It's worth a shot though. The PowerShell commands are only for Windows 8/10. No luck on 7. It seems the only way this can work with Windows 7 is: (1) Route all traffic over tunnel (Use Default Gateway on Remote Network selected on Windows 7 client); (2) Add routes manually when connected to VPN client.
  • IPSEC Site-to-Site show me connected but I can't access

    7
    0 Votes
    7 Posts
    1k Views
    R
    So in my case it doesn't show me any relevant information :(
  • IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through

    4
    0 Votes
    4 Posts
    5k Views
    P
    And importantly…add firewall rules...
  • IPsec with OS X 10.10.5 and PFSense 2.2.5

    5
    0 Votes
    5 Posts
    2k Views
    P
    I use Shrewsoft on 10.11.1 because I also use Windows 10, which allowed me to standardize my firewall settings and client configurations for both platforms. Here's 10.11.1 I used as late as 12/02/2015 - http://nubisnovem.com/el-capitan-solution-mac-os-x-10-11-and-shrew-soft-vpn-client/ I added my configurations for Firewall and Client via screenshots here - https://forum.pfsense.org/index.php?topic=102825.0 - this works and is used for both Windows 7-10 and latest Mac OS X
  • Ipsec not coming up

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • L2TP over IPSec

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    That's a known issue with L2TP/IPsec on Windows Clients. See the warning here: https://doc.pfsense.org/index.php/L2TP/IPsec I've move on to IKEv2, L2TP/IPsec is not a good choice these days.
  • Only two IPSec Phase 1 tunnel authentication methods available?

    2
    0 Votes
    2 Posts
    792 Views
    C
    Guessing that's not your mobile P1 you're looking at. The others are only applicable and configurable for mobile.
  • Second Phase 1 doesn't start on boot

    2
    0 Votes
    2 Posts
    718 Views
    C
    You remove the input validation to get that to work? There are reasons that config isn't permitted by the GUI. It should come up fine when traffic triggers it though.
  • Received INVALID_ID_INFORMATION error notify

    2
    0 Votes
    2 Posts
    10k Views
    C
    Split this to its own topic as it's not at all related to the thread you posted in. "received INVALID_ID_INFORMATION error notify" means your identifiers don't match. They wouldn't have before the upgrade either, racoon just (wrongly, really) didn't care. Info here: https://doc.pfsense.org/index.php/UpgradeGuide#Stricter_Phase_1_Identifier_Validation If you're using non-IP identifiers, you'll need to switch back to aggressive mode, and fix the P1s on both sides so the identifiers match.
  • Routing between two remote Ipsec Tunnel

    2
    0 Votes
    2 Posts
    1k Views
    N
    By chance, is it possible to use an OpenVPN tunnel between site A and site B, and afterwards create a pfSense rule to send packets from site A to site C? Thank you
  • IKEv2 Android Roadwarrior Routing Issue

    2
    0 Votes
    2 Posts
    963 Views
    R
    Got it fixed. I've put the local nets into the routing section, separated by space, and everything works now as it should. Not sure if all traffic is routed through the IPsec tunnel, but that isn't important for me.
  • Web Config hangs with mobile client ipsec

    4
    0 Votes
    4 Posts
    1k Views
    S
    Just to follow up again, this error seems to hit the main dashboard page if the IPSEC Widget is enabled and also affects the Status->IPSEC page.
  • IPSec lan-to-lan with PfSense and MikroTik - Not working!!!

    4
    0 Votes
    4 Posts
    3k Views
    M
    Hi, I know that MikroTik + pfSense is working. Is phase1 ok? –> yes, go to phase2. Is phase2 ok? From the MikroTik forum: When you want to make a direct IPsec tunnel between MikroTik routers you must make sure that you have an exception rule in your NAT table for traffic from the local to the remote network which says "accept" (before your general rule that says "masquerade" or "src-nat"). When you do not do that, the router will mistakenly NAT the traffic before it puts it into the tunnel, and no communication will be possible. I used on phase 1: Encryption algorithm: AES 256; Hash algorithm: SHA1; DH key group: 2 (1024); Lifetime: 86400. Phase 2: Protocol: ESP; Encryption algorithms: AES (auto); Hash algorithms: SHA1; PFS key group: 2 (1024); Lifetime: 1800. With other settings I ran into trouble. Regards, max
  • Pfsense 2.1.5 tunnel with srx100

    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
  • NAT IPsec Lan to lan issue

    1
    0 Votes
    1 Posts
    776 Views
    No one has replied
  • Add pfsense ipsec route gateway

    6
    0 Votes
    6 Posts
    6k Views
    E
    Have just added IP range of my local network to VPN Connections > Static Routes tab in the AWS VPC console and am now able to access AWS Private subnet hosts from local hosts but not from the router itself.
  • 0 Votes
    3 Posts
    1k Views
    Y
    jimp, thank you for the clarification. Regards yarick123
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.