• 0 Votes
    3 Posts
    965 Views
    N
    I'm answering my own "issue": based on this thread (https://forum.pfsense.org/index.php?topic=88208.msg487019#msg487019) I was able to create the tunnel. The fact that I was using the same originating IP to set up the firewall as the one in the Phase1 in order to set up the tunnel was causing the problem. So I managed to connect to the firewall with another IP, and no more problem. But this is actually kind of weird … Anyway, it works, just remember NOT to connect to a remote firewall with the same IP that you'll be using in your Phase1 setup! HTH. Nicolas
  • GRE tunnel to IP Alias. Tunnel never comes up

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec tunnel between pfSense 2.2 and Lancom 1711 VPN

    2
    0 Votes
    2 Posts
    3k Views
    K
    I found this thread https://forum.pfsense.org/index.php?topic=88209.0 After a reboot the tunnel came up. Let's see how long it lasts.
  • Tunnel with custom default gateway on WAN

    4
    0 Votes
    4 Posts
    1k Views
    N
    Hello, I'm in the same boat, so I'm curious to know if you managed to set up your IPSec tunnel on the OVH infrastructure? Thanks. Nicolas
  • Upgraded to 2.2 ipsec tunnels stop passing traffic

    8
    0 Votes
    8 Posts
    3k Views
    A
    Definitely a rekeying issue with strongswan >:( suggest switching all links to OpenVPN. I already have and with only the most critical ones being handled by a linksys soho router. rgds
  • Problem with IPsec tunnel between 2 pfsense 2.2 boxes.

    7
    0 Votes
    7 Posts
    8k Views
    S
    I have tried with MD5, SHA1 and also SHA256 with no luck, still same error. I noticed that the IPsec widget on the dashboard only showed 1 tunnel, when before the upgrade it showed all 4, so I figured that something was off and the upgraded IPsec settings were fubar. I deleted all IPsec settings, both phase 1 and 2, from both boxes, and then created them again (with same settings, screenshot wise) but only one phase 2 tunnel, and now it works :) I then recreated the last 3 tunnels and it still works, so I guess that there was something in the config files that was upgraded wrong. The widget still only shows 1 of the 4 phase 2 tunnels, maybe that is a bug?
  • 4G connection + Ipsec = Lost Web interface

    1
    0 Votes
    1 Posts
    872 Views
    No one has replied
  • IPSEC connects, Works for a while and then freezes

    2
    0 Votes
    2 Posts
    1k Views
    A
    Tried all above for the second day but still getting the same issue of IPSEC showing as connected but nothing getting through. >:(
    EDIT: Seems to be a rekeying issue. Log entries as follows:
    Feb 16 16:49:50 charon: 07[ENC] generating CREATE_CHILD_SA request 141 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Feb 16 16:49:50 charon: 07[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (252 bytes)
    Feb 16 16:49:50 charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
    Feb 16 16:49:50 charon: 07[ENC] parsed CREATE_CHILD_SA response 141 [ N(NO_PROP) ]
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 16 16:49:50 charon: 07[IKE] <con1|2>CHILD_SA rekeying failed, trying again in 20 seconds
    Feb 16 16:49:50 charon: 07[IKE] CHILD_SA rekeying failed, trying again in 20 seconds
    The log keeps repeating itself until the tunnel is manually disconnected and reconnected. All advice is appreciated. regards
  • Ipsec logging

    5
    0 Votes
    5 Posts
    1k Views
    T
    All settings there are set to silent…
  • IPSEC DNS troubles after recent upgrade

    6
    0 Votes
    6 Posts
    2k Views
    R
    Thanks doktornotor  8)
  • PfSense 2.2 IPSec Dashboard widgit does not reflect connected clients

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • IPSec to Dlink DFL-260E over FQDN

    1
    0 Votes
    1 Posts
    862 Views
    No one has replied
  • PFSense 2.1.x Duplicate IPSEC Remote Gateways

    1
    0 Votes
    1 Posts
    810 Views
    No one has replied
  • Rekey fails then restarts

    3
    0 Votes
    3 Posts
    1k Views
    D
    What do you mean, a routing issue?  The tunnel works 98% of the time, then will drop out for two minutes.  All the networks are reachable from where they expect to be reachable from.  Thanks for your response, I'd like to look into it more if it's actually a potential cause.
  • PfS 2.2 / IPSec / Shrewsoft / Phase 2 Issues

    9
    0 Votes
    9 Posts
    5k Views
    A
    Okay, questions: 1. Does ShrewSoft support IKE v2? I'm currently using IKE v1 because I didn't think Shrewsoft supported v2. 2. The GUI states "Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done." So checking the box might not actually change anything? … please correct me if I'm wrong. Thanks A
  • Pfsense 2.2 VPN L2TP/Ipsec * Problem

    2
    0 Votes
    2 Posts
    1k Views
    A
    please refer to the old thread https://208.123.73.68/index.php?topic=83321.0
  • [2.2] Problem with Dynamic IP on StrongWAN

    5
    0 Votes
    5 Posts
    5k Views
    E
    Probably DNS caches make this not work sometimes, probably the php cache in this instance. Anyhow the userid is a better choice in general.
  • Double Tunnels between two multiwan sites

    9
    0 Votes
    9 Posts
    2k Views
    G
    The first post you mentioned outlines the process. The patch mentioned is no longer required, there is a system option for that setting. If both ends are pfSense, it should be pretty straightforward. If the other end is some other vendor, you'll have to figure out a way to accomplish the same behavior (eg, on MikroTik RouterOS, I have configured some scripts which resolve the dynamic DNS hostnames and modify the config accordingly). Just do it, and post your results ;)
  • Site to Site Tunnel with Mutual RSA stopped working after 2.2 upgrade

    5
    0 Votes
    5 Posts
    2k Views
    E
    Yeah this bug has been fixed in the repository and will come with pfSense 2.2.1 update.
  • IPSec

    4
    0 Votes
    4 Posts
    1k Views
    R
    Thanks all.  I do have DNS set in phase 2.  It simply does not work. See https://forum.pfsense.org/index.php?topic=88226.0 for an identical example with more thorough logs. I suspect a possible migration or upgrade issue, but I would need to find the time to do a clean install.