  • Need to NAT private IPs to public IPs over IPSec
    0 Votes · 2 Posts · 684 Views
    @ttblum: I believe pfSense does have the feature to NAT over IPSec in this way. There is a BINAT option in the phase 2. I haven't tried using public IPs, but it should work.
    @ttblum: I don't have very many public IPs available to use, can I pick some random IP addresses from a foreign country's IP space that we're not likely to communicate with?
    That's not gonna work, they have to be your public IPs.

  • IPSec - Keepalive
    0 Votes · 2 Posts · 1k Views
    I have the same exact issue. pfSense IPsec to Cisco IPsec. It's configured to use BINAT. I have a pingable host in the "Automatically ping host" field. But pfSense does not keep the VPN alive. I have to start pinging from a host on the network before the VPN will establish.

  • IPv6 only VPN
    0 Votes · 4 Posts · 3k Views
    Well, got it working. I tried over from another PC, which has a true IPv6 address. I can now set up the IPv6 OpenVPN tunnel. Also I can now access IPv4 resources on the LAN through the IPv6 tunnel. I gave up trying through Teredo.

  • IPSec site to site with Cyberoam UTM
    0 Votes · 2 Posts · 1k Views
    You can use the ping host functionality which will trigger that.

  • 'private key not found' when connecting IKEv2 with imported certificate
    0 Votes · 3 Posts · 2k Views
    Normally you have imported even the private key in pfSense, right? Can you make sure of that? Also can you check if the private key has been put in /var/etc/ipsec/ipsec.d/private?

  • How to pass-through pfSense about IPSec from Linksys RV042
    0 Votes · 2 Posts · 967 Views
    Who can help me?

  • NO_PROPOSAL_CHOSEN issue
    0 Votes · 13 Posts · 17k Views
    Is this the issue I've been having? https://redmine.pfsense.org/issues/4719

  • Problems with DNS resolution across VPN
    0 Votes · 1 Post · 1k Views
    No one has replied

  • Weird act of ikev2 on pfSense 2.2.2 and 2.2.3
    0 Votes · 8 Posts · 2k Views
    And yes, afterwards - it's a Cisco bug-related issue… https://redmine.pfsense.org/issues/4704

  • StrongSwan: strict CRL policy
    0 Votes · 2 Posts · 1k Views
    Sorry, the question is irrelevant now. After some careful thinking, I realized that this will be impossible. At first, I thought I would need to make CRLs from the endpoint service CA, which I installed specifically for publishing IPsec certificates, available from WAN for checking, which I can do. But I realized that in case of a strict check, StrongSwan will require all CRLs to be available - from the root and intermediate CAs too. Those I don't want to publish to WAN.

  • IPsec kernel panic when enabling MSS clamping
    0 Votes · 10 Posts · 2k Views
    I can reproduce it by clean installing pfSense, enabling IPsec and activating MSS clamping. No more web GUI, no more SSH as soon as I submit. I tried searching the logs via an attached display and keyboard but could not find anything suspicious.

  • AES-CTR for fast crypto
    0 Votes · 1 Post · 660 Views
    No one has replied

  • IPsec tunnel - Large BDP Link, Congestion Algo. & Window Sizes?
    0 Votes · 2 Posts · 803 Views
    Yeah, the hosts need the tuning since they generate the traffic; IPsec cannot do much here.

  • Large Subnet Routing Issue
    0 Votes · 4 Posts · 1k Views
    I found the issue, was a typo on my site with the subnet masks in one of my aliases I used in a firewall rule.

  • IPSEC traffic going over WAN vs Tunnel
    0 Votes · 18 Posts · 3k Views
    Hi, I just saw it myself :) I have a typo in my aliases: I put in a /16 instead of /12 in my private network alias for 172.16.0.0. Thanks for your help, ermal.

  • IPsec mobile clients
    0 Votes · 2 Posts · 855 Views
    As it is today there is not yet the binding of a specific user to an IP for mobile clients. That would allow you to perform that. It is possible in the underlying software but is not exposed to the GUI.

  • L2TP/IPSEC setup
    0 Votes · 3 Posts · 2k Views
    You mean aaa.aaa.aaa.aaa and so on? These are only for anonymizing; the log contains the correct IPs.

  • L2TP/IPSec didn't work well
    0 Votes · 3 Posts · 861 Views
    I enabled mobile clients on the IPsec tab; is it possible that I have set something wrong in the Rules -> IPsec tab?

  • IPsec between pfSense at home and Ubuntu in data center
    0 Votes · 7 Posts · 6k Views
    Dump the contents of the generated StrongSwan configuration on pfSense; it looks like you have it configured for esp = aes128gcm128-sha1-modp1024! which is different to the other side.

  • Upgrade from 2.1.5 - 2.2.2 IPSEC rekey issue
    0 Votes · 6 Posts · 2k Views
    @jmesser: I have had no trouble in IPsec with my 2.2.1 production boxes. 2.2.2 upgrade broke IPsec for me with 2 P2 entries. When I rolled back to 2.2.1, IPsec again works without trouble. Just FYI.
    That's almost certainly fixed by the reqid change here: https://github.com/pfsense/pfsense/commit/afd0c1f2c9c46eaa8e496e98bea8a8e0887d504f
    2.2.1 and earlier have strongswan 5.2.x, where specifying the reqid works around a rekeying problem. 2.2.2 and 2.2.3 snapshots have strongswan 5.3.0, where the problem that required specifying the reqid is gone, and with multiple P2s doing so can cause you to hit a race condition in strongswan where it duplicates reqids, which breaks multi-P2 where you hit it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.