Hello Chris, I used web gui for configuration on latest beta firmware (6.21), they had some issues on 6.20 with ssl connections. Cheers, Tomek

Yeah, you can switch the Drayteks to "Dialo out only" and "always on". This is the setup that always worked for us. On the problematic sites I switched to dial in AND out, so it's initiated, when someone starts working at the site. But that does not really help. After 7,5 hours the pfsense initiates the reconnect and the Draytek shows, that its still connected. The workaround at the time is to put up the phase 2 lifetime to 12 hours. So the problem occurs, when nobody is working.

Is there a reason you're forcing NAT-T? That shouldn't be necessary and could be the reason if you're in a circumstance where NAT-T isn't required.

Sonicwall has the same bug/lacking feature as Cisco ASAs with IKEv2 there. https://redmine.pfsense.org/issues/4704

Have you tried the client export package for pfSense? This is all I could find but it's for 2.0.1: https://forum.pfsense.org/index.php?topic=56513.0 I don't see how it's possible to assign a static IP to an IPsec mobile user unless there's something buried in the RADIUS code that does it.

Not ATM.

It was a plain and simple routing problem on the client PC. As soon as I added the route; route -p add 10.0.0.0 mask 255.0.0.0 192.168.1.1 It works like a charm now !

@gazoo: that's the iphone doing aggressive, i've got the server set for main. Your server needs to match your client. P1: IKEv1 aggressive, mutual PSK + XAuth, local ID IP address, peer ID user DN, AES256 SHA1 DH group 2. P2: Tunnel mode, local network 0.0.0.0/0, AES256 SHA1 no PFS

https://forum.pfsense.org/index.php?topic=96767.0

Took some time but it stays as reported. The error never occured again. But I have witnessed it on ALL my connections in question. Those were at least ~35 connections between ~5 Pfsense installations in question so I did not make this reportings out of the blue. Clueless on what may have stopped it - rebooting? Saving general-IPSEC config for the first time after Upgrade setting some crucial param for strongswan? Anyway the process of Upgrading is now done and all connections are now on IKEv2 which feels much smoother now. Everything works great. Monitoring shows a total of 324 Connections between 18 Boxes all happily connected all week long with 0 downtime  ::). I wrote myself a script for compiling the Configs this times which really speeded things up  8). I still encountered another minor issue but will make some extra thread… Regards and thanks again

At the moment I don't believe that is possible. Last I saw, the code for IKEv2 with EAP in strongSwan only worked with users entered directly into the Pre-Shared Keys tab on IPsec. It's something we'd like to see working eventually though.

thanks for the rapid response!