The underlying keying daemon used in 2.2x and newer, strongswan, doesn't have an option to completely disable NAT-T. Leaving it to auto is best. There's no need to disable it.

Verify range to target…  :)

It works similarly to how lookups are handled for aliases. It's checked every few minutes and if the DNS entry has changed, /etc/rc.newipsecdns is run. I believe it's also checked when the tunnel settings are synchronized so that the IP address may be written into the ipsec configuration.

Uncheck "Use Default Gateway on Remote Network" in the advanced TCP/IP settings of the VPN connection. See e.g. https://support.microsoft.com/en-us/kb/317025 for details.

Unfortunately not an uncommon issue with cable, and tends to be difficult to get the cable company to track down or even admit there's a problem. Glad you were able to get them to find and fix it.

nobody help me ??!!!
i check every thing  and all setting is ok and tunnel connected bud traffic not pass from lan subnet to destination lan subnet from ipsec tunnel ! :P

Staff believe that is the problem: https://redmine.pfsense.org/issues/4504

Someone al uses version 2.2.2? it will not downgrade to version 2.1.5

Thz.

After much trial and error, I'm finally able to get L2TP/IPsec and IKEv2 working (separately, not at the same time) . However, at this time it seems I need to make a decision.

My VPN needs to support both Windows & Apple devices. Some of the Windows devices (i.e. tablets) don't have third-party client software available to support straight IPsec VPN. (this means OpenVPN is also not an option)

The choices are:

Support only iDevices using L2TP/IPsec*

Support only Windows devices using IKEv2*

Unless someone can point me to documentation explaining how to support both protocols at once.

StrongSwan has an OS X client that is supposed to provide IKEv2 connectivity. However, there is zero documentation, and the GUI completely non-intuitive.

I have similar issues - so far been total catatrophe when changed to StongSwan! I have anything good to say about this change. Racoon worked fine but it has it's known limitations.

We have now also problems with pure site-to-site vpn too where packets just stops flow ( that will be covered othe thread)

The root cause of that issue is https://redmine.pfsense.org/issues/4538 which is fixed for 2.2.2.

That's been brought back for 2.2.2. Snapshots are available @ https://snapshots.pfsense.org. That'll be release soon, but is fine to try now if you need this right away.

https://doc.pfsense.org/index.php/IPsec_Troubleshooting

This https://forum.pfsense.org/index.php?topic=91627.0 seems to solve it.

Hi charlien,

does your issue look like this?
https://forum.pfsense.org/index.php?topic=91020.0
Many Phase II tunnels for only a single SA? Phase I established? No data went through?

With the new Fritzbox 7490 it works. Thanks!

I was able to fix the issue by removing virtual network adapter for VM in hyper-v and add new one. After that all works. For some reason OPT1 was using difference MAC address than virtual NIC assigned in hyper-v. All is good now and working correctly.

If you're sure the tunnel gets build in the right manner then only the rules pls!

Can u post a detail from you p1 en p2!
Don't forget to blank out passwords/keys etc!

Also your rules from f1 and f2 pls?
Or replace your internal addresses if you don't wanna show these! (or pm me? I'm in GMT+2)