FWIW, I've spent many hours trying to get a reliable VPN between PFSense 2.2.1 and a Draytek with IPSEC. Draytek to Draytek works fine but the PFSense VPN drops out and/or fires up multiple Phase 2's after which traffic doesn't flow :(

I've tried setting the Draktek as outgoing only/incoming and both and tried telling PFSense to only be a responder. No difference.

I'd love to know what the trick is.

I am seeing this as well, however I didn't realize that was the problem and was digging into the IPSec connection settings until I ran across this post, stopping and starting IPSec services, etc, reloading the filter is the fix. I haven't figured out anything more on why yet, but now that I know its a filter issue and not an IPSec issue. I at least know where to look now.

Good that it works now. ;)

@kodimar:

My research has pointed that the NO_PROPOSAL_CHOSEN error is caused by an error in the Phase 2 settings.  Is this a correct assumption?

It can be either Phase 1 or Phase 2. See https://doc.pfsense.org/index.php/IPsec_Troubleshooting for help interpreting the logs.

Best thing to do is set IKE SA, IKE Child SA, and Configuration Backend to Diag in the log settings, all others on Control, and have the remote end initiate.

Ok so I do understand the basics of setkey after I have been reading up on this all day.
But I can't seem to add any entries.
It doesn't matter what I type into the command line the only response I get is:
setkey: No match.

I am trying to setup the captive portal on the OPT1 interface, but because the interface is not reachable because I have an IPSec tunnel from the interface the captive portal does not work.

My interface is IP: 10.11.15.1/24

Could someone please help me out with the command for setkey?

Thanks

yes,
there I created a any-any-any rule so it's not blocked by firewall (normally)

When I start debug on te SRX side I see that traffic is going into the tunnel, but not coming out on other side :-)

now I check the Virtual IP bug
look the responder only mode
and all other points from this Post on last Days.

I have no clue what ist wong after the update to 2.2.1

always wrong remote address

???

Thanks for your Help

thanks everyone!
We use VPN tunnels to a lot of 3rd party devices, including ASA, Fortigate, Sonicwall, Palo Alto, etc. I can confirm that you don't need Route-based or Policy-based on both end, it's only matter locally.
well, for now, we can go with Policy-based, once there is a need, I'll look into these options again.

I have fixed it. Just restart the Fritzbox. There was no issue in my config.

Because they do not match!

Hmmm… so post some logs about how's it now working.