• Trouble routing traffic for OS X 10.11 IKEv2 client

    1
    0 Votes
    1 Posts
    676 Views
    No one has replied
  • [solved]Double Tunnels between one multiwan site and one singlewan site

    2
    0 Votes
    2 Posts
    770 Views
    problem solved… I have a misconfig @ Virtual IP.... silly me...
  • Route OPENVPN through IPSEC Encryption domain

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Think I found the problem. Adding a secondary phase 2 with the OPENVPN range and then setting the NAT/BINAT option to 172.16.246.9/32 seems to have fixed it. If anyone else has the same problem
  • IPSec shown as connection established … but isn't anymore

    5
    0 Votes
    5 Posts
    1k Views
    @almabes: I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out. Do you have any perceptions to that issue meanwhile?
  • VPN PF Sense with PF Sense - Protocol IPsec

    3
    0 Votes
    3 Posts
    1k Views
    https://34643faf-a-9102fed9-s-sites.googlegroups.com/a/bstecnologia.com.br/imagens/arquivos-para-upload/IMG_20151111_161030415.jpg?attachauth=ANoY7cqQDnOTgXRFUmN2UC-2mao86pTqi0Ae5ZYXInu5meFlPh8zVWkCT6Saqj2uQscr7ca0f_9–-seko4TsW78xlRGvfDJ2_6P-mMf9TFz2YO2h-ZqHfuS4_UGMopsHlg-l3d5htDCOa7lwdX9pPE9zTAzsfT54XvR8W2ctQyMRB5Ie5fPcRSxqnt8R603Zhauc-8D6IfsgDZ-_-yVx29Pz_6k5XvY-F8wTONU4Fr84sPNqHt_Jue9Kt1LI-zVmbTBfFRvLoq9&attredirects=0 https://34643faf-a-9102fed9-s-sites.googlegroups.com/a/bstecnologia.com.br/imagens/arquivos-para-upload/IPSec1.PNG?attachauth=ANoY7coJDONBEW1E4NYBDbRP3AM5JqfSUbG_HgwzVIks3_hyBzHXh3LNBlGXhRedymedl31Ec3dkWxp-7Qsazuz6p61eXronNImNiTuD9kHgRH7mBkK1MIKFs9gghnGOvik7x0or3HmgGxkJ0bCvz5Wjjs4JG0lHFoHqApM9jTPc58w92Kknw3ol91qCoNvE712BtD0hz05arJ7SGE5snlISFPT_bqQ9jANpFl2pGnx5wA4xoUQgA3Q%3D&attredirects=0 Try again. Please
  • PfSense 2.2.4 IPSec RoadWarrior VPN Setup HELP!

    5
    0 Votes
    5 Posts
    3k Views
    Are you using a fixed IP? Because I updated to 2.2.4 and roadwarrior stopped working. I use dynamic DNS and changed the name conf to IP address. ex: (my identifier): dynamic dns: myfirewall.anydns.org - change to: my identifier: ipaddress: (no need nothing here). In the client put the dynamic DNS. Works for me!
  • IPSEC Logging

    2
    0 Votes
    2 Posts
    9k Views
    I've now upgraded to 2.2.5 and the IPSEC logging seems to work slightly differently. To stop all of the DPD traffic logging I've had to set the following Logging Levels in IPSEC Advanced settings to Audit from the default of Control: IPSEC SA Networking Message Encoding Also, the settings are now preserved between reboots. Is there any way to get the IPSEC logging to show [P1 Description] (like pre 2.2) as this would make reading the log a lot easier? Regards Peter
  • IKEV2 connect problem.

    2
    0 Votes
    2 Posts
    876 Views
    I have solved it. I changed phase2 of local network to 0.0.0.0/0
  • Mobile VPN does not add udp/esp rules if using IP Alias as responder

    3
    0 Votes
    3 Posts
    895 Views
    Not sure what you mean by IP alias of localhost. It's a Virtual IP Address/IP Alias configured on the WAN interface. It is then chosen in the interface entry of Phase 1, instead of the WAN interface. The reason I do this is to avoid exposing the Mobile VPN on the router's primary IP address.
  • IPsec gigabit throughput

    7
    0 Votes
    7 Posts
    3k Views
    @gustavo7w: Googling I found that the problem with smb protocol can be fixed changing MTU value. We've also transferred large files with SFTP or SCP and it doesn't have the same speed issues as SMB.  That may be an option for you too.
  • IPSEC Connections in 2.2.3 fail after a couple of days.

    12
    0 Votes
    12 Posts
    5k Views
    The problem still exists in 2.2.5.  Upgraded from the Development stream to the production version on Friday and today the tunnels are inoperative and can not be restarted.  The IPSEC task can not be stopped from the GUI or from the command line and the only option is to reboot pfsense.
  • IKEv2 and iOS 9

    12
    0 Votes
    12 Posts
    5k Views
    Thanks for the info. I just used the Apple configurator to use AES256/SHA2…but it seems my Windows 10 VPN wants to use DH group2 (1024). Is there an easy way I can change win10 VPN client to use group 21 DH?
  • Security

    1
    0 Votes
    1 Posts
    515 Views
    No one has replied
  • IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 - not connecting.

    10
    0 Votes
    10 Posts
    6k Views
    Thanks Itctech. Added 256. I have discovered that the issue is that the iPhone does not like ".me" addresses. Perhaps it does some pre-validation on the device.  I have just registered a .com address and it connects to the server. However using the .me (which is with the same registry and the same dynamic ns provider and pointing to the same IP) it fails to connect at all. Looks like an Apple issue. So, now I can connect no problems!  Both from my windows tablet AND my iPhone!  YAY!!!!! Thank you so much for your help.
  • AWS VPC pfSense IPSec setup

    7
    0 Votes
    7 Posts
    2k Views
    Ensure that you have put in static routes in AWS VPC for the network on pfSense. Ensure that they have propagated into your routing table on AWS. Check that your Network ACLs and Security Groups allow traffic from the pfSense network to your AWS subnets. Check that the AWS instances don't have a firewall configured that blocks your traffic too.
  • MOVED: IPSEC / L2TP

    Locked
    1
    0 Votes
    1 Posts
    623 Views
    No one has replied
  • Multiple Phase 1 Encryption Proposals for Mobile Client

    2
    0 Votes
    2 Posts
    931 Views
    Just realized I posted it in the wrong subforum. If a mod can move it to IPSEC that would be great. Looks like someone requested this functionality four months ago: https://redmine.pfsense.org/issues/4826 Something as simple as "Auto" in AES selection box on Phase 1 that replicates the proposals for each strength would probably work too.
  • Normal charon memory usage?

    18
    0 Votes
    18 Posts
    6k Views
    @cmb: The most significant leaks are now fixed in 2.2.5. Well, we've patched around them, anyway.
  • Create a L2TP/IPSec server in pfSense?

    5
    0 Votes
    5 Posts
    1k Views
    jimp
    What exactly didn't work? And are you certain it was the firewall that didn't work? L2TP/IPsec client support is extremely inconsistent and in some cases broken. Move on to IKEv2… L2TP/IPsec isn't worth the trouble.
  • Questions migrating Linux Strongswan IKEv2 setup

    2
    0 Votes
    2 Posts
    857 Views
    jimp
    EAP-TLS is IKEv2 with per-user certificates.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.