• Cant reach web GUIs

    14
    0 Votes
    14 Posts
    4k Views
    G
    I can recall not being able to access the web interface of some TPLink (cheap) APs over an IPSec VPN once; the problem turned out to be related to the MTU size. Had to play around with the MSS clamping value to get it to work. If this is the case, Wireshark captures would help your troubleshooting a lot.
  • IPsec Mobile - Static IPs

    8
    0 Votes
    8 Posts
    2k Views
    A
    Thank you! If a diff is made available, I'll gladly test it and report back :)
  • IPSec Routing questions

    2
    0 Votes
    2 Posts
    881 Views
    C
    Edit: This was just a figment of netcat. Happens locally too. ~~One more hint: What are these Xs? 192.168.37.2# nc -l -p 1234 -uvvv listening on [any] 1234 ... 192.168.40.2: inverse host lookup failed: Unknown host connect to [192.168.37.2] from (UNKNOWN) [192.168.40.2] 49339 XXXXXhello ^C sent 0, rcvd 11 192.168.40.2# echo hello | nc 192.168.37.2 1234 -u -vvv Connection to 192.168.37.2 1234 port [udp/*] succeeded! ^C~~
  • How can I force ALL network traffic through the IPsec tunnel?

    1
    0 Votes
    1 Posts
    660 Views
    No one has replied
  • Convert OpenVPN to IPSec

    2
    0 Votes
    2 Posts
    994 Views
    D
    I would give the whole idea a second/third/fourth/fifth thought… Benefits with current state of IPSec in pfSense (and strongswan in general) are about zero (and you must be doing something seriously wrong to have similar issues with OpenVPN in the first place.) Not to mention the royal PITA with configuration.
  • No virtual IP found for %any requested

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSEC VPN problem

    5
    0 Votes
    5 Posts
    1k Views
    C
    @uk26: it appears PFsense is not able to route IPsec to additional interfaces (OP1) Of course you can, tens of thousands of people's networks including our own wouldn't work if that were true. There is some other difference between what you had and what you have now.
  • IPsec IKE, HIP, pfSense

    5
    0 Votes
    5 Posts
    1k Views
    J
    I can't believe all of the options available. It is ridiculous. Guidance seems minimal as well. If we need all of the options then great! Create recipes of known good configurations. Otherwise learning curve is like pole-vaulting a football field. This resource has pictures! Steve Friedl's Unixwiz.net Tech Tips An Illustrated Guide to IPsec http://www.unixwiz.net/techtips/iguide-ipsec.html Hmmm, For the German (Deutsch) speakers out there. I think I lost something in google translate. http://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html
  • MOVED: Alcanzar DMZ desde segundo pfsense por ipsec

    Locked
    1
    0 Votes
    1 Posts
    443 Views
    No one has replied
  • Pfsense ipsec VPN client to Cisco

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PFSense 2.2.4 + IPsec: What to do on Windows side?

    2
    0 Votes
    2 Posts
    764 Views
    jimpJ
    You will need to provide much more information about your IPsec configuration, including which client you used or how you configured the native client. For Windows 8+, the doc wiki article on using IKEv2 with EAP-MSCHAPv2 is likely the best choice for using IPsec built into Windows. Be sure to follow the setup exactly.
  • Unable to use MutualPSK+xauth with Aggressive Mode PSK

    8
    0 Votes
    8 Posts
    5k Views
    T
    I'm not sure, is it possible that the } char is missing in the charon section of /var/etc/ipsec/strongswan.conf so that (prob.) the setting becomes invalid? ![2015-09-23 09_07_51-Diagnostics_ Edit file.png](/public/imported_attachments/1/2015-09-23 09_07_51-Diagnostics_ Edit file.png) ![2015-09-23 09_07_51-Diagnostics_ Edit file.png_thumb](/public/imported_attachments/1/2015-09-23 09_07_51-Diagnostics_ Edit file.png_thumb)
  • IPsec - pfsense 2.2.4 - IPCompression causes IPsec failure

    1
    0 Votes
    1 Posts
    983 Views
    No one has replied
  • Does pfsense support Cisco VPN Client using IPSEC over TCP (port 10000)??

    3
    0 Votes
    3 Posts
    2k Views
    C
    That's generally not something you'll find outside of Cisco devices. It's not good to tunnel over TCP anyway, stick with UDP.
  • 0 Votes
    5 Posts
    2k Views
    C
    Everyone, Thank you very much for your help! My understanding is that this https://forum.pfsense.org/index.php?topic=99477.0 post discusses the same type of issue. In the second post, Derelict says that you can 1:1 NAT map the remote LAN, and present their remote subnet as something else: As far as I know, at least one of the SonicWALLs will have to 1:1 NAT their LAN and present it as something else so pfSense doesn't have two routes to the same subnet. If the client does this (or remaps the subnet) we should have no conflicts with the other two subnets, correct? Are there any other avenues/solutions to make a broad change to a large range of IP addresses on a subnet? Thanks again!
  • Frequent messages from racoon should I be concerned?

    1
    0 Votes
    1 Posts
    516 Views
    No one has replied
  • IPSec setup in a strange network environment

    2
    0 Votes
    2 Posts
    795 Views
    M
    Anyone at all have any suggestions? I need to Get the public IP from the cisco unit presented by the pfsense box for VPN connectivity Configure a way for the private IP to connect to the remote sites
  • IPsec - pfsense 2.2.4 - multiple remote system with dynamic IP

    3
    0 Votes
    3 Posts
    4k Views
    T
    Thank you very much for that information. What is slightly more confusing to me is why the order of the definitions in the ipsec.conf file should affect the operation of the links. I am still investigating this and a few other issues relating to the VPNs and I will report back once I have some solid information. Unfortunately, I only get limited time each week to look into these problems. I am observing what is well documented as a memory leak in charon. I am assuming this will eventually be resolved. I am observing some strange NAT issues with the VPNs. At this stage I am just working around these problems. I am investigating a strange issue where VPN tunnels stop passing traffic and then mysteriously start again when a new TCP session opens via the same tunnel. I am investigating the issue with the order of the IPsec definitions and why this should alter the behaviour of the VPN system as a whole. As I said, thank you for the response; it will be very useful. Also thanks for the work on pfsense - it is a great product. If I can get the IPsec working reliably it will be a perfect product! Tim
  • IKEv2 phase2 behaviour

    5
    0 Votes
    5 Posts
    1k Views
    W
    @cmb: The difference is whether or not it has multiple traffic selectors on a single child SA. Which, as responder, will be dependent on what the other end is doing. What is the other end? Sonicwall, don't know exactly what type as I don't control the other end.
  • IPsec connection LAN-to-LAN doesn't work - pls help

    5
    0 Votes
    5 Posts
    5k Views
    E
    Now, I have a stable IPsec tunnel, but I can't reach any client on the remote side. I get the following logs:
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:18:08 charon: 15[ENC] <con1000|1> parsed INFORMATIONAL_V1 request 3846293289 [ HASH N((30)) ]
    Sep 20 21:18:08 charon: 15[NET] <con1000|1> received packet: from 81.217.23.223[500] to 193.81.148.115[500] (76 bytes)
    Sep 20 21:18:08 charon: 15[NET] <con1000|1> sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes)
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1> sending retransmit 1 of response message ID 3559683763, seq 5
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1> sending retransmit 1 of response message ID 3559683763, seq 5
    Sep 20 21:18:04 charon: 08[NET] <con1000|1> sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes)
    Sep 20 21:18:04 charon: 08[ENC] <con1000|1> generating QUICK_MODE response 3559683763 [ HASH SA No ID ID ]
    Sep 20 21:18:04 charon: 08[IKE] <con1000|1> received 28800s lifetime, configured 0s
    Sep 20 21:18:04 charon: 08[IKE] <con1000|1> received 28800s lifetime, configured 0s
    Sep 20 21:18:04 charon: 08[ENC] <con1000|1> parsed QUICK_MODE request 3559683763 [ HASH SA No ID ID ]
    Sep 20 21:18:04 charon: 08[NET] <con1000|1> received packet: from 81.217.23.223[500] to 193.81.148.115[500] (204 bytes)
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1> received (30) error notify
    Sep 20 21:17:59 charon: 15[ENC] <con1000|1> parsed INFORMATIONAL_V1 request 3122718413 [ HASH N((30)) ]
    Sep 20 21:17:59 charon: 15[NET] <con1000|1> received packet: from 81.217.23.223[500] to 193.81.148.115[500] (76 bytes)
    Sep 20 21:17:59 charon: 15[NET] <con1000|1> sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes)
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1> sending retransmit 1 of response message ID 3922146324, seq 4
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1> sending retransmit 1 of response message ID 3922146324, seq 4
    Sep 20 21:17:54 charon: 15[NET] <con1000|1> sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes)
    Sep 20 21:17:54 charon: 15[ENC] <con1000|1> generating QUICK_MODE response 3922146324 [ HASH SA No ID ID ]
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1> received 28800s lifetime, configured 0s
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1> received 28800s lifetime, configured 0s
    Sep 20 21:17:54 charon: 15[ENC] <con1000|1> parsed QUICK_MODE request 3922146324 [ HASH SA No ID ID ]
    Sep 20 21:17:54 charon: 15[NET] <con1000|1> received packet: from 81.217.23.223[500] to 193.81.148.115[500] (204 bytes)
    Sep 20 21:17:54 charon: 15[NET] <con1000|1> sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (76 bytes)
    Sep 20 21:17:54 charon: 15[ENC] <con1000|1> generating ID_PROT response 0 [ ID HASH ]
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1> IKE_SA con1000[1] established between 193.81.148.115[193.81.148.115]...81.217.23.223[81.217.23.223]
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1> IKE_SA con1000[1] established between 193.81.148.115[193.81.148.115]...81.217.23.223[81.217.23.223]
    Thanks! Thomas
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.