• Pfsense 2.2 VPN L2TP/Ipsec * Problem

    0 Votes, 2 Posts, 1k Views

    please refer to the old thread https://208.123.73.68/index.php?topic=83321.0

  • [2.2] Problem with Dynamic IP on StrongWAN

    0 Votes, 5 Posts, 5k Views

    Probably DNS caches make this not work sometimes; probably the PHP cache in this instance.

    Anyhow, the userid is a better choice in general.

  • Double Tunnels between two multiwan sites

    0 Votes, 9 Posts, 2k Views

    The first post you mentioned outlines the process. The patch mentioned is no longer required; there is a system option for that setting.

    If both ends are pfSense, it should be pretty straightforward. If the other end is some other vendor, you'll have to figure out a way to accomplish the same behavior (e.g., on MikroTik RouterOS, I have configured some scripts which resolve the dynamic DNS hostnames and modify the config accordingly).

    Just do it, and post your results ;)
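
The resolve-compare-update loop behind the dynamic-DNS peer scripts described in that post, as an added example that is not pfSense or RouterOS code. The resolver is injectable so the example runs offline against a fake one; the state file name and the hostnames are assumptions, and the sample addresses are constructed.

```python
"""Added example (not pfSense or RouterOS code): track the address a
dynamic-DNS IPsec peer resolves to and report when the tunnel config has
to be rewritten.  The state file path and hostnames are assumptions."""
import json
import os
import socket


class DdnsPeerTracker:
    """Remembers the last address each peer hostname resolved to."""

    def __init__(self, state_path):
        self.state_path = state_path
        self.state = {}
        if os.path.exists(state_path):
            with open(state_path) as fh:
                self.state = json.load(fh)

    def _save(self):
        with open(self.state_path, "w") as fh:
            json.dump(self.state, fh)

    def check(self, hostname, resolve=socket.gethostbyname):
        """Return (changed, address).

        A resolution failure keeps the last known address, so a DNS hiccup
        does not tear down a tunnel that is still working."""
        last = self.state.get(hostname)
        try:
            current = resolve(hostname)
        except OSError:
            return False, last
        if current == last:
            return False, current
        self.state[hostname] = current
        self._save()
        return True, current


def peers_needing_update(tracker, hostnames, resolve=socket.gethostbyname):
    """Hostnames whose address moved since the last run.  The caller then
    rewrites the peer address in the tunnel config and restarts IPsec;
    that step is vendor specific and deliberately not shown here."""
    return [h for h in hostnames if tracker.check(h, resolve)[0]]


if __name__ == "__main__":
    # Real run: uses the system resolver against whatever peers you list.
    tracker = DdnsPeerTracker("/var/db/ipsec-ddns-peers.json")  # assumed path
    print(peers_needing_update(tracker, ["site-b.example.net"]))
```

Run it from cron on the non-pfSense end; only when it reports a changed peer do you touch the tunnel config, which keeps a flapping resolver from restarting IPsec every minute.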

  • Site to Site Tunnel with Mutual RSA stopped working after 2.2 upgrade

    0 Votes, 5 Posts, 2k Views

    Yeah this bug has been fixed in the repository and will come with pfSense 2.2.1 update.

  • IPSec

    0 Votes, 4 Posts, 1k Views

    Thanks all. I do have DNS set in phase 2. It simply does not work.

    See https://forum.pfsense.org/index.php?topic=88226.0 for an identical example with more thorough logs.

    I suspect a possible migration or upgrade issue, but I would need to find the time to do a clean install.

  • IPsec Tunnels with Peplink

    0 Votes, 3 Posts, 2k Views

    So I'm an idiot. There wasn't an IPsec allow rule in the firewall setup. In my defense, it's more than 3 private networks actually, and I didn't set things up, and sitting there staring at the firewall rules it kinda all looks dandy even when you're having problems. Man, props to the Peplink guys though, as they went above and beyond. Ha, in my defense again though, I'm the guy that stared at the pfctl -sa output and finally had things dawn on me. Anyhow, if anyone else encounters this issue? Don't be an idiot?
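
The check that would have saved that poster an afternoon, as an added example that is not pfSense code: feed it the ruleset text printed by `pfctl -sr` and it lists the IPsec-related pass rules that are absent. The interface names (em0 for WAN, enc0 for the IPsec tab) and the sample ruleset are assumptions/constructed.

```python
"""Added example (not pfSense code): scan a pf ruleset, as printed by
`pfctl -sr`, for the rules an IPsec tunnel needs on a pfSense 2.2 box:
IKE (udp/500), NAT-T (udp/4500) and ESP inbound on WAN, plus a pass rule
on enc0 (the IPsec tab) for each remote network.  Interface names and the
sample ruleset below are assumptions/constructed."""
import re

WAN_IF = "em0"     # assumption: WAN interface name
IPSEC_IF = "enc0"  # FreeBSD's IPsec interface; the pfSense "IPsec" tab lands here

# Constructed ruleset reproducing the mistake in the post: IKE and ESP are
# allowed on WAN, nothing is allowed on enc0, so the SA comes up and nothing
# passes.
SAMPLE_RULES = """\
block drop in log all label "Default deny rule"
pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 500 keep state label "IPsec: IKE"
pass in quick on em0 inet proto udp from any to 203.0.113.10 port = 4500 keep state label "IPsec: NAT-T"
pass in quick on em0 inet proto esp from any to 203.0.113.10 keep state label "IPsec: ESP"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "LAN to any"
"""

# The rule that was missing: allow the remote LAN in over the tunnel.
ENC0_FIX = 'pass in quick on enc0 inet from 10.20.0.0/16 to 192.168.1.0/24 keep state label "IPsec: remote"\n'


def parse_rules(text):
    """Reduce each pass rule to the fields the check needs."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "pass":
            continue
        iface = re.search(r"\bon (\S+)", line)
        proto = re.search(r"\bproto (\S+)", line)
        port = re.search(r"\bport = (\d+)", line)
        src = re.search(r"\bfrom (\S+)", line)
        rules.append({
            "direction": parts[1],  # "in" or "out"
            "iface": iface.group(1) if iface else None,
            "proto": proto.group(1) if proto else None,
            "port": int(port.group(1)) if port else None,
            "src": src.group(1) if src else None,
        })
    return rules


def missing_ipsec_rules(text, remote_nets, wan_if=WAN_IF, ipsec_if=IPSEC_IF):
    """Return the IPsec-related inbound pass rules that are absent."""
    inbound = [r for r in parse_rules(text) if r["direction"] == "in"]

    def have(iface, proto=None, port=None):
        return any(r["iface"] == iface
                   and (proto is None or r["proto"] == proto)
                   and (port is None or r["port"] == port)
                   for r in inbound)

    missing = []
    if not have(wan_if, "udp", 500):
        missing.append(f"{wan_if}: udp/500 (IKE)")
    if not have(wan_if, "udp", 4500):
        missing.append(f"{wan_if}: udp/4500 (NAT-T)")
    if not have(wan_if, "esp"):
        missing.append(f"{wan_if}: esp")
    enc_rules = [r for r in inbound if r["iface"] == ipsec_if]
    if not enc_rules:
        missing.append(f"{ipsec_if}: no pass rule at all (tunnel will come up but carry nothing)")
    else:
        for net in remote_nets:
            if not any(r["src"] in (net, "any") for r in enc_rules):
                missing.append(f"{ipsec_if}: no pass rule from {net}")
    return missing


if __name__ == "__main__":
    for m in missing_ipsec_rules(SAMPLE_RULES, ["10.20.0.0/16"]):
        print("missing:", m)
```

A Phase 1 and Phase 2 that both show as established with no traffic flowing is exactly the enc0 case: IKE and ESP on WAN are enough to negotiate the SA, and only the IPsec-tab rule lets the decrypted packets through.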

  • [Solved] IPSec IKEv2 in pfSense only allow one mobile client to connect.

    0 Votes, 16 Posts, 9k Views

    @maxxer:

    @zllovesuki:

    Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well.

    So to use IPsec with IKEv2 you need to import a cert on the mobile client?

    I managed to get IPsec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but I cannot get it to authenticate.
    I found here that Android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here…

    Yes, you need to install/import the CA that issued the IPsec certificate.

  • Is /usr/local/www/charon.core a core dump file

    0 Votes, 2 Posts, 1k Views

    Yeah, this one can safely be deleted unless you intend to debug why it's crashing.

  • IPsec - Intended mechanism of CRL check

    0 Votes, 17 Posts, 5k Views

    Yeah, thanks for picking up this earlier question. Currently everything is working as expected with the help of a correspondingly configured DNS forwarder. But I am considering adding two CRL URLs to future certificates: one with a public address and one with a LAN address. I have just spent some time re-issuing most of my certificates because of their 1-year expiry, and I am glad not to be forced to do it again, although those certificates only protect my ambitious home LAN ;)

    Regards,
    Peter

  • Brand new way to be locked out :)

    0 Votes, 3 Posts, 1k Views

    @jimp:

    If the Phase 1 was between the WAN IP of the firewall and the IP address you were coming from

    Yes, good guess; I didn't think of it while trying to regain access.
    It might be a good idea to (at least) add a line somewhere about "changing IP address".
    It would also resolve "5 Locked Out by Too Many Failed Login Attempts".
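
A pre-flight check for the lockout described in that thread, as an added example that is not pfSense code: before saving a Phase 1 on a firewall you manage remotely, confirm that the remote gateway is not the address your own session comes from, and that no Phase 2 remote network contains it. The function name and all addresses are assumptions/constructed.

```python
"""Added example (not pfSense code): flag an IPsec configuration that would
cut off the admin session used to apply it.  Catches the case from the
post (Phase 1 remote gateway == the address you administer from) and the
related one where a Phase 2 remote network contains that address, so the
tunnel policy can capture the firewall's replies to you."""
import ipaddress


def lockout_risks(admin_src, remote_gateway, phase2):
    """admin_src: the address your GUI/SSH session comes from.
    remote_gateway: the Phase 1 remote gateway being configured.
    phase2: iterable of (local_net, remote_net) CIDR strings.
    Returns a list of warnings; an empty list means the tunnel cannot
    steal your management traffic."""
    admin = ipaddress.ip_address(admin_src)
    gw = ipaddress.ip_address(remote_gateway)
    warnings = []

    # The post's case: the firewall will treat your own address as the peer.
    if admin == gw:
        warnings.append(
            f"Phase 1 remote gateway {gw} is the address your admin session "
            "comes from; once IPsec restarts you are the tunnel peer, not a router")

    # Related case: a Phase 2 policy whose remote side covers your address.
    for local_net, remote_net in phase2:
        lnet = ipaddress.ip_network(local_net, strict=False)
        rnet = ipaddress.ip_network(remote_net, strict=False)
        if admin.version == rnet.version and admin in rnet:
            warnings.append(
                f"Phase 2 {lnet} <-> {rnet}: remote network contains your admin "
                f"address {admin}; replies to you will be steered into the tunnel")
    return warnings


if __name__ == "__main__":
    # Constructed values: admin at 198.51.100.7 building a tunnel to itself.
    for w in lockout_risks("198.51.100.7", "198.51.100.7",
                           [("192.168.1.0/24", "10.20.0.0/16")]):
        print("WARNING:", w)
```

If it fires, apply the change from a different source address (or the console) so the session that applies it is not the one the tunnel policy swallows.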

  • Bug in 2.2: IPSec logging settings ignored on restart

    0 Votes, 2 Posts, 630 Views

    Hi,

    I can confirm I had the same symptoms with 2.2, but I had to go back to 2.1.5 because of IPsec multiple-P2 problems.

    So you are not alone.

    Regards

  • 0 Votes, 2 Posts, 2k Views

    If you apply this patch then

    /usr/local/sbin/pfSsh.php playback restartipsec

    should work.

  • Unable to ping dynamic leases through IPSec

    0 Votes, 1 Post, 671 Views
    No one has replied

  • Help me understand why Ipsec is faster

    0 Votes, 1 Post, 646 Views
    No one has replied

  • Frequent IPsec disconnects with 2.2

    0 Votes, 12 Posts, 11k Views

    Attached another set of logs after a disconnect, this time with compression ON.

    I can also see this on the console:
    ipcomp_output_cb: compressions was useless 104 - 20 <= 86

    1.1.1.1.txt
    2.2.2.2.txt

  • [2.1.5 -> 2.2.0] Multiple P2 = pfsense reboot any time

    0 Votes, 1 Post, 718 Views
    No one has replied

  • PfSense 2.2 IPSEC to 2.1.5 failing

    0 Votes, 10 Posts, 3k Views

    New topic for the same problem? :o

    Yes, main mode on both.

    I am redoing a VPN config to test.

  • Routed LANs with IPSec as it in OpenVPN

    0 Votes, 1 Post, 589 Views
    No one has replied

  • IPsec pfSense 2.2 to 2.1.5 failing

    0 Votes, 6 Posts, 1k Views

    You don't actually have to use the public IP it's behind; for that case behind NAT you could let it use its private WAN IP as the ID. Just make sure both ends are set to match accordingly for that private IP.

  • Control P2 local network proposal with nat before ipsec config

    0 Votes, 1 Post, 527 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.