• [solved] Mobile stopped working after modem upgrade

    5
    0 Votes
    5 Posts
    1k Views
    C

    Thanks for the follow up. The ones that were working had to have been initiators rather than responders in that case, as your modem likely was only blocking inbound, not outbound, traffic.

  • Receive buffer too small, packet discarded. Can I edit strongswan.conf?

    3
    0 Votes
    3 Posts
    2k Views
    C

    @David_W:

    If possible, I would try to edit the configuration to reduce the maximum packet size needed.

    Indeed, ipfire is almost certainly doing something wrong, or has a poor config, where it's sending 10000+ bytes there.

    What David noted will work around the issue, and we ought to have that available as a tunable value. But you should really figure out why that's happening and fix the config on the ipfire side.

  • 0 Votes
    2 Posts
    718 Views
    M

    Upon looking at this further, I can see that the phase two entry I set up is not coming up as the rest of the tunnels are. I have verified, by turning on logging on the pass rule on the LAN interface, that my traffic is hitting the pfSense box and that the traffic is being passed.

    What I can't find a way to see is where that traffic goes. Why doesn't the phase two entry come up after matching that traffic? I am digging into the IPsec logs, but it's difficult to read. There are a few tunnels working already, so there is a bunch of stuff in there.

  • Trouble routing traffic for OS X 10.11 IKEv2 client

    1
    0 Votes
    1 Posts
    628 Views
    No one has replied
  • [solved] Double Tunnels between one multiwan site and one singlewan site

    2
    0 Votes
    2 Posts
    751 Views
    E

    problem solved…

    I have a misconfig @ Virtual IP.... silly me...

  • Route OPENVPN through IPSEC Encryption domain

    Locked
    2
    0 Votes
    2 Posts
    974 Views
    G

    Think I found the problem.
    Adding a secondary phase 2 with the OPENVPN range and then setting the NAT/BINAT option to 172.16.246.9/32 seems to have fixed it.

    If anyone else has the same problem

  • IPSec shown as connection established … but isn't anymore

    5
    0 Votes
    5 Posts
    1k Views
    E

    @almabes:

    I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

    Do you have any perceptions to that issue meanwhile?

  • VPN PF Sense with PF Sense - Protocol IPsec

    3
    0 Votes
    3 Posts
    919 Views
    P

    https://34643faf-a-9102fed9-s-sites.googlegroups.com/a/bstecnologia.com.br/imagens/arquivos-para-upload/IMG_20151111_161030415.jpg?attachauth=ANoY7cqQDnOTgXRFUmN2UC-2mao86pTqi0Ae5ZYXInu5meFlPh8zVWkCT6Saqj2uQscr7ca0f_9–-seko4TsW78xlRGvfDJ2_6P-mMf9TFz2YO2h-ZqHfuS4_UGMopsHlg-l3d5htDCOa7lwdX9pPE9zTAzsfT54XvR8W2ctQyMRB5Ie5fPcRSxqnt8R603Zhauc-8D6IfsgDZ-_-yVx29Pz_6k5XvY-F8wTONU4Fr84sPNqHt_Jue9Kt1LI-zVmbTBfFRvLoq9&attredirects=0

    https://34643faf-a-9102fed9-s-sites.googlegroups.com/a/bstecnologia.com.br/imagens/arquivos-para-upload/IPSec1.PNG?attachauth=ANoY7coJDONBEW1E4NYBDbRP3AM5JqfSUbG_HgwzVIks3_hyBzHXh3LNBlGXhRedymedl31Ec3dkWxp-7Qsazuz6p61eXronNImNiTuD9kHgRH7mBkK1MIKFs9gghnGOvik7x0or3HmgGxkJ0bCvz5Wjjs4JG0lHFoHqApM9jTPc58w92Kknw3ol91qCoNvE712BtD0hz05arJ7SGE5snlISFPT_bqQ9jANpFl2pGnx5wA4xoUQgA3Q%3D&attredirects=0

    Try again. Please

  • PfSense 2.2.4 IPSec RoadWarrior VPN Setup HELP!

    5
    0 Votes
    5 Posts
    3k Views
    R

    Are you using a fixed IP? Because I updated to 2.2.4 and roadwarrior stopped working.
    I use dynamic DNS and changed the name conf to IP address. Ex: (my identifier): dynamic dns: myfirewall.anydns.org - change to: my identifier: ipaddress: (nothing needed here). In the client, put the dynamic DNS.
    Works for me!

  • IPSEC Logging

    2
    0 Votes
    2 Posts
    9k Views
    P

    I've now upgraded to 2.2.5 and the IPSEC logging seems to work slightly differently.

    To stop all of the DPD traffic logging I've had to set the following Logging Levels in IPSEC Advanced settings to Audit from the default of Control:

    IPSEC SA
    Networking
    Message Encoding

    Also, the settings are now preserved between re-boots.

    Is there any way to get the IPSEC logging to show [P1 Description] (like pre 2.2) as this would make reading the log a lot easier?

    Regards

    Peter

  • IKEV2 connect problem.

    2
    0 Votes
    2 Posts
    808 Views
    A

    I have solved it. I changed phase2 of local network to 0.0.0.0/0

  • Mobile VPN does not add udp/esp rules if using IP Alias as responder

    3
    0 Votes
    3 Posts
    791 Views
    L

    Not sure what you mean by IP alias of localhost. It's a Virtual IP Address/IP Alias configured on the WAN interface. It is then chosen in the interface entry of Phase 1, instead of the WAN interface.

    The reason I do this is to avoid exposing the Mobile VPN on the router's primary IP address.

  • IPsec gigabit throughput

    7
    0 Votes
    7 Posts
    3k Views
    T

    @gustavo7w:

    Googling I found that the problem with smb protocol can be fixed changing MTU value.

    We've also transferred large files with SFTP or SCP and it doesn't have the same speed issues as SMB.  That may be an option for you too.

  • IPSEC Connections in 2.2.3 fail after a couple of days.

    12
    0 Votes
    12 Posts
    5k Views
    K

    The problem still exists in 2.2.5.  Upgraded from the Development stream to the production version on Friday and today the tunnels are inoperative and can not be restarted.  The IPSEC task can not be stopped from the GUI or from the command line and the only option is to reboot pfsense.

  • IKEv2 and iOS 9

    12
    0 Votes
    12 Posts
    5k Views
    D

    Thanks for the info.

    I just used the Apple configurator to use AES256/SHA2…but it seems my Windows 10 VPN wants to use DH group2 (1024).

    Is there an easy way I can change win10 VPN client to use group 21 DH?

  • Security

    1
    0 Votes
    1 Posts
    503 Views
    No one has replied
  • IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 - not connecting.

    10
    0 Votes
    10 Posts
    6k Views
    D

    Thanks Itctech. Added 256.

    I have discovered that the issue is that the iPhone does not like ".me" addresses.
    Perhaps it does some pre-validation on the device.  I have just registered a .com address and it connects to the server.
    However, using the .me (which is with the same registry and the same dynamic ns provider and pointing to the same IP) it fails to connect at all.

    Looks like an Apple issue.

    So, now I can connect no problems!  Both from my windows tablet AND my iPhone!  YAY!!!!!

    Thank you so much for your help.

  • AWS VPC pfSense IPSec setup

    7
    0 Votes
    7 Posts
    2k Views
    L

    Ensure that you have put in static routes in AWS VPC for the network on pfSense. Ensure that they have propagated into your routing table on AWS. Check that your Network ACLs and Security Groups allow traffic from the pfSense network to your AWS subnets. Check that the AWS instances don't have a firewall configured that blocks your traffic too.

  • MOVED: IPSEC / L2TP

    Locked
    1
    0 Votes
    1 Posts
    616 Views
    No one has replied
  • Multiple Phase 1 Encryption Proposals for Mobile Client

    2
    0 Votes
    2 Posts
    867 Views
    L

    Just realized I posted it in the wrong subforum. If a mod can move it to IPSEC that would be great.

    Looks like someone requested this functionality four months ago:
    https://redmine.pfsense.org/issues/4826

    Something as simple as "Auto" in AES selection box on Phase 1 that replicates the proposals for each strength would probably work too.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.