• IPsec Tunnels with Peplink

    0 Votes
    3 Posts
    2k Views
    So I'm an idiot. There wasn't an IPsec allow rule in the firewall setup. In my defense, it's more than 3 private networks actually, and I didn't set things up, and sitting there staring at the firewall rules it kinda all looks dandy even when you're having problems. Man, props to the Peplink guys though, as they went above and beyond. Ha, in my defense again though, I'm the guy that stared at the pfctl -sa output and finally had things dawn on me. Anyhow, if anyone else encounters this issue? Don't be an idiot?
  • [Solved] IPSec IKEv2 in pfSense only allow one mobile client to connect.

    0 Votes
    16 Posts
    9k Views
    @maxxer:
    > @zllovesuki: Therefore, every mobile client needs to have the self-signed CA installed. For the strongSwan client, the X.509 server certificate needs to be installed as well.
    > So to use IPsec with IKEv2 you need to import a cert on the mobile client? I managed to get IPsec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but cannot manage to get it to authenticate. I found here that Android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here…
    Yes, you need to install/import the CA that issued the IPsec certificate.
  • Is /usr/local/www/charon.core a core dump file

    0 Votes
    2 Posts
    1k Views
    Yeah, this one can safely be deleted unless you intend to debug why it's crashing.
  • IPsec - Intended mechanism of CRL check

    0 Votes
    17 Posts
    5k Views
    Yeah, thanks for picking this earlier question back up. Currently, everything is working as expected with the help of a correspondingly configured DNS forwarder. But I am considering adding two CRL URLs to future certificates: one with a public address and one with a LAN address. I have just spent some time re-issuing most of my certificates due to their 1-year expiry, and I am glad not to be forced to do it again, although those certificates just protect my ambitious home LAN ;) Regards, Peter
  • Brand new way to be locked out :)

    0 Votes
    3 Posts
    1k Views
    @jimp:
    > If the Phase 1 was between the WAN IP of the firewall and the IP address you were coming from
    Yes, good guess, I didn't think of it while trying to regain access. It might be a good idea to (at least) add a line somewhere about "changing IP address". It would also resolve "5 Locked Out by Too Many Failed Login Attempts".
  • Bug in 2.2: IPSec logging settings ignored on restart

    0 Votes
    2 Posts
    636 Views
    Hi, I can confirm I had the same symptoms with 2.2. But I had to go back to 2.1.5 because of IPsec multiple P2 problems. So you are not alone. Regards
  • 0 Votes
    2 Posts
    3k Views
    If you apply this patch then /usr/local/sbin/pfSsh.php playback restartipsec should work.
  • Unable to ping dynamic leases through IPSec

    0 Votes
    1 Posts
    697 Views
    No one has replied
  • Help me understand why Ipsec is faster

    0 Votes
    1 Posts
    699 Views
    No one has replied
  • Frequent IPsec disconnects with 2.2

    0 Votes
    12 Posts
    12k Views
    Attached another set of logs after a disconnect. This time with compression ON. I can also see this on the console:
        ipcomp_output_cb: compressions was useless 104 - 20 <= 86
    Attachments: 1.1.1.1.txt, 2.2.2.2.txt
  • [2.1.5 -> 2.2.0] Multiple P2 = pfsense reboot any time

    0 Votes
    1 Posts
    732 Views
    No one has replied
  • PfSense 2.2 IPSEC to 2.1.5 failing

    0 Votes
    10 Posts
    3k Views
    New topic for the same problem? :o Yes, main mode on both. I'm redoing a VPN config to test.
  • Routed LANs with IPSec as it in OpenVPN

    0 Votes
    1 Posts
    642 Views
    No one has replied
  • IPsec pfSense 2.2 to 2.1.5 failing

    0 Votes
    6 Posts
    1k Views
    You don't actually have to use the public IP it's using; for that case behind NAT you could let it use its private WAN IP as the ID. Just make sure both ends are set to match accordingly for that private IP.
  • Control P2 local network proposal with nat before ipsec config

    0 Votes
    1 Posts
    586 Views
    No one has replied
  • 0 Votes
    10 Posts
    2k Views
    Thank you very much ermal, it seems the farp plugin would enable both scenarios I'm considering and it would explain why phase 2 entries for the virtual network assigned to mobile clients do not work as I was expecting.
  • BUG: Mobile IPSec client login banner cannot be changed (v2.2) [RESOLVED]

    0 Votes
    10 Posts
    2k Views
    @cmb:
    > @doktornotor: What kind of holdover? 2.1.5 was using racoon, not strongswan.
    > Yeah, the 2.1.5 config was for racoon; strongswan in 2.2 certainly isn't picking that up. The strongswan.conf file doktornotor pointed out is the only one it can load the banner from. It definitely couldn't persist across a reboot if it's correct in strongswan.conf. Maybe the client is caching it? Or you're connecting to a different server.
    We're definitely connecting to the correct server, but I'm wondering if the client is caching it. We'll completely remove the connection on the client and rebuild it. Thanks.
  • PfSense 2.2 vs DrayTek (Need Help with error)

    0 Votes
    4 Posts
    2k Views
    Hi, thanks for the replies… I'll be doing these changes this afternoon, and I'll leave feedback. Thanks for the help
  • IPSEC between 2 units PFsense 2.2 with multiple P2

    0 Votes
    9 Posts
    2k Views
    @cmb:
    > Go back to IKEv2 on both sides. Then stop and start strongswan on both sides to make sure it definitely clears out the old IKEv1. That should do it. If you still can't pass traffic, post back what your IPsec status screen looks like. If it doesn't work, PM me if we can arrange remote access or GoToMeeting to check it out.
    Thanks for your reply. I have finally managed to make it work, but unfortunately I have still had to revert back to 2.1.5. Basically, for IPsec between 2.2 boxes I had to create the tunnels all over again and disable the Cisco Unity plugin. Also, the tunnels only managed to start up for me in IKEv1. The reason I reverted back to 2.1.5 is because after disabling the Cisco Unity plugin, all my tunnels to our HO's hub wouldn't start up (they still use Cisco units). Unfortunately I didn't have enough time to fiddle with this more, as I already had approx. 8 hours of downtime and cannot push this any more. Thanks for your help again. I will definitely update to 2.2 once these outstanding issues have been addressed.
  • IPSEC on Alix with PFsense 2.2

    0 Votes
    9 Posts
    2k Views
    OK, removed manual routes I added, disabled IPsec, rebooted, re-enabled IPsec - routes are there:
        /root: pfctl -sa | egrep "isakmp|nat-t|esp" | grep pass
        pass out proto udp from any to any port = isakmp keep state label "IPsec:  any  - outbound isakmp"
        pass in on vr1 proto udp from any to any port = isakmp keep state label "IPsec:  any  - inbound isakmp"
        pass out proto udp from any to any port = sae-urn keep state label "IPsec:  any  - outbound nat-t"
        pass in on vr1 proto udp from any to any port = sae-urn keep state label "IPsec:  any  - inbound nat-t"
        pass out proto esp all keep state label "IPsec:  any  - outbound esp proto"
        pass in on vr1 proto esp all keep state label "IPsec:  any  - inbound esp proto"
    Thanks!
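The check that the Peplink thread at the top of this list and the Alix thread just above both ended up doing by hand (staring at pfctl output for the IPsec pass rules), as an added example that is not code from either post or from pfSense itself: a POSIX shell function that scans a pf ruleset dump for the six IPsec pass rules pfSense generates on the WAN when a Phase 1 is enabled (ISAKMP udp/500 in and out, NAT-T udp/4500 in and out, ESP in and out) and reports which ones are missing. The two sample rulesets are constructed to match the format of the output posted above; the interface name vr1 comes from that post, and the function name and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum posts): check a pf ruleset dump for the
# six IPsec pass rules pfSense adds on the WAN when a Phase 1 is enabled.
# pf prints udp/500 as "isakmp" and udp/4500 as "sae-urn" because those are
# the /etc/services names, so grepping for the port numbers finds nothing.
# The interface name vr1 in the constructed samples is an assumption.

check_ipsec_rules() {
    # $1: text of `pfctl -sr` (or the rules section of `pfctl -sa`)
    rules=$1
    missing=0
    for want in \
        'pass out proto udp .*port = isakmp' \
        'pass in on [a-z0-9]+ proto udp .*port = isakmp' \
        'pass out proto udp .*port = sae-urn' \
        'pass in on [a-z0-9]+ proto udp .*port = sae-urn' \
        'pass out proto esp' \
        'pass in on [a-z0-9]+ proto esp'
    do
        if printf '%s\n' "$rules" | grep -Eq "$want"; then
            printf 'ok       %s\n' "$want"
        else
            printf 'MISSING  %s\n' "$want"
            missing=$((missing + 1))
        fi
    done
    return $missing   # 0 when all six rules are present, else the count missing
}

# Constructed sample: the complete set, in the format pfctl prints it.
FULL_RULES='pass out proto udp from any to any port = isakmp keep state label "IPsec: any - outbound isakmp"
pass in on vr1 proto udp from any to any port = isakmp keep state label "IPsec: any - inbound isakmp"
pass out proto udp from any to any port = sae-urn keep state label "IPsec: any - outbound nat-t"
pass in on vr1 proto udp from any to any port = sae-urn keep state label "IPsec: any - inbound nat-t"
pass out proto esp all keep state label "IPsec: any - outbound esp proto"
pass in on vr1 proto esp all keep state label "IPsec: any - inbound esp proto"'

# Constructed sample: only the outbound half is present. This end can still
# initiate (keep state lets the replies back in), but a peer that initiates
# toward this firewall is dropped on the WAN, which looks exactly like the
# "config looks fine but the tunnel never comes up" symptom described above.
HALF_RULES='pass out proto udp from any to any port = isakmp keep state label "IPsec: any - outbound isakmp"
pass out proto udp from any to any port = sae-urn keep state label "IPsec: any - outbound nat-t"
pass out proto esp all keep state label "IPsec: any - outbound esp proto"'

# Stand-alone run: on a pfSense box, `--live` feeds the real ruleset in.
if [ "${1:-}" = "--live" ]; then
    check_ipsec_rules "$(pfctl -sr)"
else
    echo "== complete ruleset"
    check_ipsec_rules "$FULL_RULES" || :
    echo "== outbound-only ruleset"
    check_ipsec_rules "$HALF_RULES" || :
fi
```

These WAN rules are only half of the picture. Traffic arriving inside an established tunnel is filtered separately on the IPsec interface (enc0 on pfSense), which is where an allow rule like the one the Peplink thread found missing would live; the same grep approach with `pass in on enc0` patterns covers that side.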
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.