• IPSec VPN, pfSense to Cisco router, No VPN traffic passing

    3
    0 Votes
    3 Posts
    1k Views
    B

    Thanks!  Been so busy today I didn't have a chance to write and say that I'd done that, but the tunnel still didn't appear to be working, but then we disabled and re-enabled it on a whim and then it suddenly decided to start working!

    Sometimes it's finding these solutions that can be maddening and at the same time, have you cheering out loud in your cube.

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC/L2TP vpn road warrior to use with windows native client

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC Site to Site VPN

    17
    0 Votes
    17 Posts
    7k Views
    S

    Just to update folks on the forum. We have been following this issue for a while and it appears the Devs were finally able to replicate this. Looks like a fix is being targeted for 2.2.1. You can follow the link below to monitor progress.

    https://redmine.pfsense.org/issues/4341

  • A Left-Center-Right network setup tutorial…

    3
    0 Votes
    3 Posts
    1k Views
    A

    @nikolaii:

    Hello, just one word: brilliant!

    I followed your instructions and everything worked flawlessly :)

    Thank you.
    Nicolas

    Cool! Glad to hear it worked for you! :-)

  • 0 Votes
    3 Posts
    867 Views
    N

    I'm answering myself to this "issue" :

    based on this thread (https://forum.pfsense.org/index.php?topic=88208.msg487019#msg487019) I was able to create the tunnel.

    The fact that I was using the same originating IP to set up the firewall as the one in the Phase1 in order to set up the tunnel was causing the problem. So I managed to connect to the firewall with another IP, and no more problem.

    But this is actually kind of weird …

    Anyway, it works, just remember NOT to connect to a remote firewall with the same IP that you'll be using in your Phase1 setup!

    HTH.
    Nicolas

  • GRE tunnel to IP Alias. Tunnel never comes up

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec tunnel between pfSense 2.2 and Lancom 1711 VPN

    2
    0 Votes
    2 Posts
    3k Views
    K

    I found this thread https://forum.pfsense.org/index.php?topic=88209.0

    After a reboot the tunnel came up. Let's see how long it lasts.

  • Tunnel with custom default gateway on WAN

    4
    0 Votes
    4 Posts
    1k Views
    N

    Hello, I'm in the same boat, so I'm curious to know if you managed to set up your IPSec tunnel on the OVH infrastructure?

    Thanks.
    Nicolas

  • Upgraded to 2.2 ipsec tunnels stop passing traffic

    8
    0 Votes
    8 Posts
    3k Views
    A

    Definitely a re keying issue with strongswan >:(

    suggest switch all links to Openvpn. I already have and with only the most critical ones being handled by a linksys soho router.

    rgds

  • Problem with IPsec tunnel between 2 pfsense 2.2 boxes.

    7
    0 Votes
    7 Posts
    8k Views
    S

    I have tried with MD5, SHA1 and also SHA256 with no luck, still same error.

    I noticed that the IPsec widget on the dashboard only showed 1 tunnel, when before the upgrade it showed all 4, so I figured that something was off and the upgraded IPsec settings were fubar.
    I deleted all IPsec settings, both phase 1 and 2, from both boxes, and then created them again (with the same settings, screenshot wise) but only one phase 2 tunnel, and now it works :) I then recreated the last 3 tunnels and it still works, so I guess that there was something in the config files that was upgraded wrong.

    The widget still only shows 1 of the 4 phase 2 tunnels, maybe that is a bug?

  • 4G connection + Ipsec = Lost Web interface

    1
    0 Votes
    1 Posts
    820 Views
    No one has replied
  • IPSEC connects, Works for a while and then freezes

    2
    0 Votes
    2 Posts
    1k Views
    A

    Tried all above for the second day but still getting the same issue of IPSEC showing as connected but nothing getting through. >:(

    EDIT: Seems to be a rekeying issue,

    Log entries as follow:

    Feb 16 16:49:50 charon: 07[ENC] generating CREATE_CHILD_SA request 141 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Feb 16 16:49:50 charon: 07[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (252 bytes)
    Feb 16 16:49:50 charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
    Feb 16 16:49:50 charon: 07[ENC] parsed CREATE_CHILD_SA response 141 [ N(NO_PROP) ]
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>CHILD_SA rekeying failed, trying again in 20 seconds
    Feb 16 16:49:50 charon: 07[IKE] CHILD_SA rekeying failed, trying again in 20 seconds

    the log keeps repeating itself until the tunnel is manually disconnected and reconnected.

    All advice is appreciated.

    regards

  • Ipsec logging

    5
    0 Votes
    5 Posts
    1k Views
    T

    All settings there are set to silent…

  • IPSEC DNS troubles after recent upgrade

    6
    0 Votes
    6 Posts
    2k Views
    R

    Thanks doktornotor  8)

  • PfSense 2.2 IPSec Dashboard widget does not reflect connected clients

    1
    0 Votes
    1 Posts
    488 Views
    No one has replied
  • IPSec to Dlink DFL-260E over FQDN

    1
    0 Votes
    1 Posts
    849 Views
    No one has replied
  • PFSense 2.1.x Duplicate IPSEC Remote Gateways

    1
    0 Votes
    1 Posts
    756 Views
    No one has replied
  • Rekey fails then restarts

    3
    0 Votes
    3 Posts
    1k Views
    D

    What do you mean, a routing issue?  The tunnel works 98% of the time, then will drop out for two minutes.  All the networks are reachable from where they expect to be reachable from.  Thanks for your response, I'd like to look into it more if it's actually a potential cause.

  • PfS 2.2 / IPSec / Shrewsoft / Phase 2 Issues

    9
    0 Votes
    9 Posts
    5k Views
    A

    Okay, questions:

    1. Does ShrewSoft support IKE v2? I'm currently using IKE v1 because I didn't think Shrewsoft supported v2.

    2. The GUI states "Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done."

    So checking the box might not actually change anything? … please correct me if I'm wrong.

    Thanks
    A

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.