• IPSec service core dumps upon login

    0 Votes, 10 Posts, 3k Views

    OK, that looks like it corrected the core dump issue at least, though I'm having no luck getting my Android phone connected. I don't know where to look from there.

    I used the mobile client tutorial to no avail. I'm not sure which end is not working correctly now, but that's likely for another topic.

  • Pfsense 2.1 vpn ipsec tunnel to azure

    0 Votes, 1 Post, 820 Views
    No one has replied
  • IPSec Security policy deleted just after establishing SA's

    0 Votes, 3 Posts, 3k Views

    Me responding to myself again. ;-)

    Could please someone give me an answer why I didn't get any response? Stupid Question? (I don't think so)

    Not enough information given?

    Is everyone assuming I'm unable to check for similar entries on both sides of the tunnel?

    I assume no one had any idea. Well, I was hoping for advice from some experienced users / admins here…

    Nonetheless I fixed it finally by reinstalling one pfSense box (the "Static" one) after it gave me an error every time I tried to save the Phase 1 settings. (Acknowledge All Notices -Date- [ pfSense is restoring the configuration /cf/conf/backup/config-1391473112.xml] )

    Restoring my backed-up configuration led to the same error, so I installed again from scratch. ;-) (Hope no neighbour heard me…)

    Turned out that the "restoring configuration" error when saving the Phase 1 settings seems to be a reproducible bug when a German umlaut (ß, ü, ä ...) is used in the PSK. https://redmine.pfsense.org/issues/3401 (NOT used initially, just used later to have an "easy to type key")

    The two pfSense boxes are working together now with the settings the Fritzbox needs. Still the reconnecting issue though, which seems to be fixed in the 2.1.1 prerelease. https://redmine.pfsense.org/issues/3321

    I don't expect any errors connecting the Fritzbox tomorrow.

    Conclusion:

    1.: There must have been a bug in the installation / configuration that produced the initial problem without any errors in the logfiles and was resolved by reinstalling. Restoring the configuration should have worked; it just restored the faulty characters too. ;-)
    2.: If there is a bug in any software I use, I'll run into it. Karma.
    3.: Don't try to get help in Internet Forums, if the solution is not already posted.

    CU

    itsol

  • IPSec UI Bug

    0 Votes, 4 Posts, 6k Views

    Unchecking that does change the output.  Unfortunately, it now appears to be defaulting to the 1st VPN for all subsequent entries.

  • IPSec with certificate authentication for clients

    0 Votes, 2 Posts, 2k Views

    Ok I tracked down and solved one huge problem I was experiencing :) and have now found a new one.  :(

    It turns out there is a nasty bug in the built-in Apple iPhone iOS 7.0.4 IPSec client. I had started off with (standard) Racoon in Ubuntu, and then tried pfSense, both configured to PSK, and therefore had of course also started off with the iPhone and its IPSec client configured to a PSK. When I reconfigured Racoon and pfSense to use certificates I of course reconfigured the iPhone to match. I did not, however, delete the existing profile on the iPhone; I merely modified it. This should have been fine, however it turns out the iPhone was still sending the Group Name to the IPSec server and this was certainly giving pfSense indigestion.

    Note: I spotted this in the logs for StrongSwan, no entry in the Racoon logs suggested this. I had started to move on to testing StrongSwan since I had been unsuccessful with pfSense and Racoon.

    Once I made a fresh profile on the iPhone I was then able to successfully make IPSec with certificate connections from the iPhone to pfSense. So that is the good news. Unfortunately I still have a problem.

    I am wanting to route all traffic via the VPN connection; this works for IPSec with no certificates and is achieved by not ticking the option in pfSense to 'Provide a list of networks to clients'. If, however, with certificates I have this option unticked, then the connection fails with the following errors in the log.

    Feb 3 15:47:31  racoon: [Self]: INFO: respond new phase 2 negotiation: 81.x.x.12[500]<=>86.x.x.247[500]
    Feb 3 15:47:31  racoon: ERROR: failed to get sainfo.
    Feb 3 15:47:31  racoon: ERROR: failed to get sainfo.
    Feb 3 15:47:31  racoon: [86.x.x.247] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    With that option ticked it works fine but of course means that only traffic for the LAN gets routed via the VPN connection.

    I did also notice that there may be a Phase 2 mismatch between the client and the server. The pfSense server is configured to use a virtual IP range of 10.0.1.0/24 for clients. However, when the iPhone connects I get the following message in the log.

    racoon: INFO: no policy found, try to generate the policy : 10.0.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in

    As you can see it is listing the policy as 10.0.1.1/32 and not, as expected, 10.0.1.1/24. Although from one point of view the fact that there will only be a single device at the client end makes a subnet mask of 32 logical, this does mean that if I set the IPSec tunnel proposal checking to anything other than Obey it fails due to a mismatch between the client and server ends. The full set of log entries for this type of failure looks like

    Feb 3 15:58:41  racoon: [Self]: INFO: respond new phase 2 negotiation: 81.x.x.12[500]<=>86.x.x.247[500]
    Feb 3 15:58:41  racoon: INFO: no policy found, try to generate the policy : 10.0.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in
    Feb 3 15:58:41  racoon: ERROR: pfs group mismatched: my:2 peer:0
    Feb 3 15:58:41  racoon: ERROR: not matched
    Feb 3 15:58:41  racoon: ERROR: no suitable policy found.
    Feb 3 15:58:41  racoon: [86.x.x.247] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
    Feb 3 15:58:41  racoon: [86.x.x.247] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    There is of course no-way to configure this on the iPhone.

    So I am now very close. I can do IPSec with PSK+Xauth for LDAP and route all traffic, I can do IPSec with RSA+Xauth for LDAP but cannot route all traffic.

    Has anyone been able to do IPSec with RSA+Xauth and route all traffic with an iPhone?
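The two racoon failures quoted in the post above are different problems, and the log lines say which one you have. As an added example (not the poster's code and not part of pfSense), the following Python script triages a racoon Phase 2 failure from its log lines: it pulls the selectors racoon derived from the client's proposal, checks the client selector against the configured mobile pool, and reads the PFS group mismatch. The sample log text is the poster's own lines, embedded as constructed input with the same redacted addresses; the pool (10.0.1.0/24) and LAN (192.168.16.0/24) are taken from the post. The hints encode racoon's documented proposal_check semantics (racoon.conf(5)): "obey" lets the responder ignore a missing PFS group or lifetime mismatch, the other modes reject it.

```python
import ipaddress
import re

# Constructed samples: the racoon lines quoted in the post above, with the same
# redacted peer addresses (81.x.x.12 / 86.x.x.247) the poster used.
ROUTE_ALL_FAILURE = """\
Feb 3 15:47:31  racoon: [Self]: INFO: respond new phase 2 negotiation: 81.x.x.12[500]<=>86.x.x.247[500]
Feb 3 15:47:31  racoon: ERROR: failed to get sainfo.
Feb 3 15:47:31  racoon: ERROR: failed to get sainfo.
Feb 3 15:47:31  racoon: [86.x.x.247] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
"""

STRICT_CHECK_FAILURE = """\
Feb 3 15:58:41  racoon: [Self]: INFO: respond new phase 2 negotiation: 81.x.x.12[500]<=>86.x.x.247[500]
Feb 3 15:58:41  racoon: INFO: no policy found, try to generate the policy : 10.0.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in
Feb 3 15:58:41  racoon: ERROR: pfs group mismatched: my:2 peer:0
Feb 3 15:58:41  racoon: ERROR: not matched
Feb 3 15:58:41  racoon: ERROR: no suitable policy found.
Feb 3 15:58:41  racoon: [86.x.x.247] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Feb 3 15:58:41  racoon: [86.x.x.247] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
"""

# "policy : <client selector>[port] <server selector>[port] proto=... dir=in"
POLICY_RE = re.compile(
    r"try to generate the policy : (\S+?)\[\d+\] (\S+?)\[\d+\] proto=(\S+) dir=(\w+)"
)
PFS_RE = re.compile(r"pfs group mismatched: my:(\d+) peer:(\d+)")


def triage_phase2(log_text, client_pool, local_lan):
    """Classify one racoon Phase 2 failure from its log lines.

    client_pool: virtual address range handed to mobile clients (hypothetical
                 input; the post says 10.0.1.0/24).
    local_lan:   network the server offers as its Phase 2 local side.
    Returns the selectors racoon derived from the client's proposal, whether the
    client selector lies inside the pool, any PFS mismatch, and plain hints.
    """
    pool = ipaddress.ip_network(client_pool, strict=False)
    lan = ipaddress.ip_network(local_lan, strict=False)
    result = {
        "sainfo_missing": False,
        "client_selector": None,
        "server_selector": None,
        "client_in_pool": None,
        "pfs": None,
        "hints": [],
    }
    for line in log_text.splitlines():
        if "failed to get sainfo" in line:
            result["sainfo_missing"] = True
        m = POLICY_RE.search(line)
        if m:
            client_sel = ipaddress.ip_network(m.group(1), strict=False)
            server_sel = ipaddress.ip_network(m.group(2), strict=False)
            result["client_selector"] = str(client_sel)
            result["server_selector"] = str(server_sel)
            result["client_in_pool"] = client_sel.subnet_of(pool)
            if result["client_in_pool"]:
                result["hints"].append(
                    f"client selector {client_sel} is a single host inside the pool "
                    f"{pool}; one /32 per mobile client is expected, not a mismatch"
                )
            else:
                result["hints"].append(
                    f"client selector {client_sel} is outside the pool {pool}"
                )
            if server_sel != lan:
                result["hints"].append(
                    f"client asked for {server_sel} on the server side but the "
                    f"Phase 2 is configured for {lan}"
                )
        m = PFS_RE.search(line)
        if m:
            mine, peer = int(m.group(1)), int(m.group(2))
            result["pfs"] = (mine, peer)
            # racoon.conf(5): proposal_check 'obey' lets the responder accept a
            # proposal without PFS; the other modes reject it when PFS is required.
            result["hints"].append(
                f"server requires PFS (DH group {mine}) but the client offered "
                f"group {peer}; only proposal check 'obey' tolerates this, "
                "otherwise disable PFS on the mobile Phase 2"
            )
    if result["sainfo_missing"]:
        result["hints"].append(
            "no Phase 2 (sainfo) entry matched the networks the client proposed; "
            "with no network list pushed, the client asks for all traffic, so the "
            "Phase 2 local network must cover that request"
        )
    return result


if __name__ == "__main__":
    for name, sample in (("route-all", ROUTE_ALL_FAILURE), ("strict", STRICT_CHECK_FAILURE)):
        r = triage_phase2(sample, "10.0.1.0/24", "192.168.16.0/24")
        print(name, r["client_selector"], r["pfs"], r["sainfo_missing"])
        for hint in r["hints"]:
            print("  -", hint)
```

Feed it the relevant block of the IPsec log and the pool/LAN you configured; the "sainfo" case points at the Phase 2 network definition, the PFS case at the proposal check or the PFS setting, and the /32 selector is not the thing to chase.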

  • IPSec tunnel causes pfsense to ignore traffic from one interface

    0 Votes, 1 Post, 850 Views
    No one has replied
  • Individual IP for user

    0 Votes, 3 Posts, 949 Views
    jimp

    Not currently, no.

    That may change on 2.2.

  • Issue with mobile and multiple subnets (multiple phase 2)

    0 Votes, 2 Posts, 891 Views
    jimp

    If it is a remote firewall, why are you using mobile to connect? It should be a normal site-to-site tunnel, not mobile. That hasn't really been supported since 1.2.x and even then it didn't work well.

    Use a normal tunnel + dyndns if the remote has a dynamic IP. Don't use mobile for site-to-site.

  • IPsec failover

    0 Votes, 2 Posts, 866 Views
    jimp

    That is not currently possible if you go by IP address.

    If you can track it with dyndns, and the DNS record changes when the far side IP changes, that would work.

    It's not possible to put two peer IPs on the tunnel though so outbound failover wouldn't work that way either.

  • IPSEC not passing traffic after CARP fail over or restart

    0 Votes, 1 Post, 802 Views
    No one has replied
  • 0 Votes, 1 Post, 2k Views
    No one has replied
  • Remote Office IPSEC with NAT

    0 Votes, 1 Post, 868 Views
    No one has replied
  • IPsec Tunnel Speeds - Identical Hardware

    0 Votes, 2 Posts, 871 Views

    Hi,

    If both boxes are identical, maybe the environments are not.

    How much CPU usage do you have at idle and while performing the speed test (on both sites)?

    Given you never reach line speed, I suspect you hit 100% CPU usage.

  • Ipsec not passing traffic randomly

    0 Votes, 1 Post, 668 Views
    No one has replied
  • IPSEC - "The remote gateway… ... is already used..."

    0 Votes, 1 Post, 757 Views
    No one has replied
  • Need help on a tunnel

    0 Votes, 2 Posts, 813 Views

    Your local subnet looks like 169.254.255.82/30.
    Per RFC 3927 this is a link local address which is not routable.

    Your remote subnet looks like 169.254.255.81/30.
    This is again link local, and on the same subnet of the local address.

    IPSec is supposed to connect two different subnets.

    What is your local LAN?
    What is your remote LAN (AWS)?

  • Routing Parallel Tunnels

    0 Votes, 1 Post, 605 Views
    No one has replied
  • Ipsec with NAT

    0 Votes, 4 Posts, 2k Views

    dimmon,

    looks like your remote gateway and remote LAN are on the same network (i.e. 216.200.x.0/24).
    Another strange thing is the remote host you want to connect to is a public IP (216.200.x.5) which you could connect to directly without IPSEC.

    I think your setup should be something like this

      local_lan      <-->  local_gw     (pfsense)  local_public_ip  <-->  remote_public_ip  (remote_router)  remote_gw  <-->  remote_lan
      10.20.30.0/24        10.20.30.40             ?.?.?.?                216.200.x.1                        x.x.x.x          x.x.x.0/24
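The two replies above ("Need help on a tunnel" and "Ipsec with NAT") and the umlaut-in-PSK post further up all come down to a tunnel definition that should have been rejected before it was saved: link-local 169.254.0.0/16 networks (RFC 3927), a local and remote network that are the same /30, a peer gateway address that sits inside the network you tunnel to it, and a PSK with non-ASCII characters. As an added example (not pfSense code and not from any of the posters), this Python function runs those checks over one site-to-site tunnel definition. The input dict shape and the finding codes are my own; the sample configurations in the usage are constructed, using documentation ranges (203.0.113.0/24, 198.51.100.0/24) in place of the posters' partly redacted public addresses.

```python
import ipaddress

LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 link-local, never routed


def check_tunnel(cfg):
    """Sanity-check one site-to-site tunnel definition before saving it.

    cfg keys (all strings, hypothetical shape): psk, local_subnet, remote_subnet,
    remote_gateway. Returns a list of (code, message) findings; [] means clean.
    """
    findings = []

    psk = cfg.get("psk", "")
    # Keep the PSK to printable ASCII: the post above hit a config-save bug with
    # German umlauts, and non-ASCII keys invite encoding mismatches between peers.
    if not psk.isascii() or not psk.isprintable():
        findings.append(("psk-nonascii", "PSK contains non-ASCII or non-printable characters"))
    if len(psk) < 20:
        findings.append(("psk-short", f"PSK is only {len(psk)} characters; use a long random key"))

    local = ipaddress.ip_network(cfg["local_subnet"], strict=False)
    remote = ipaddress.ip_network(cfg["remote_subnet"], strict=False)
    gateway = ipaddress.ip_address(cfg["remote_gateway"])

    # Link-local networks cannot be the networks a tunnel carries.
    for side, net in (("local", local), ("remote", remote)):
        if net.version == 4 and net.subnet_of(LINK_LOCAL_V4):
            findings.append((f"{side}-linklocal",
                             f"{side} subnet {net} is RFC 3927 link-local and not routable"))

    # The two sides must be distinct networks; 169.254.255.82/30 and
    # 169.254.255.81/30 from the post are the same /30.
    if local.version == remote.version and local.overlaps(remote):
        findings.append(("overlap",
                         f"local {local} and remote {remote} overlap; both sides must be distinct networks"))

    # The peer's public address must not fall inside either tunneled network,
    # otherwise LAN traffic for the peer itself is forced into the tunnel.
    for side, net in (("remote", remote), ("local", local)):
        if gateway.version == net.version and gateway in net:
            findings.append((f"gw-in-{side}",
                             f"remote gateway {gateway} lies inside the {side} network {net}"))
    return findings


if __name__ == "__main__":
    # Constructed examples mirroring the two replies above.
    samples = {
        "link-local /30 pair": {"psk": "k" * 32, "local_subnet": "169.254.255.82/30",
                                "remote_subnet": "169.254.255.81/30", "remote_gateway": "198.51.100.10"},
        "gateway inside remote LAN": {"psk": "Straße", "local_subnet": "10.20.30.0/24",
                                      "remote_subnet": "203.0.113.0/24", "remote_gateway": "203.0.113.1"},
    }
    for name, cfg in samples.items():
        print(name)
        for code, msg in check_tunnel(cfg):
            print(f"  [{code}] {msg}")
```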
  • 0 Votes, 11 Posts, 7k Views
    BBcan177

    I am having a similar issue with an Ubuntu Machine.

    A Network 10.10.1.0/24

    B Network 10.10.2.0/24

    C Network 10.10.3.0/24

    I have setup an Ipsec VPN tunnel from A - B, and A - C (all pfsense Boxes)

    I have an Ubuntu Server on A network. An ubuntu machine on B network.

    When I ping/ssh from the Ubuntu machine on B to the A network, I am getting a Host Unreachable/Destination Host Unreachable.
    The Ubuntu machine can resolve the host and IP, as confirmed with a dig -x command. The Ubuntu machine on B can ping the local pfSense router and anything local or internet based, but it can't ping anything on the A network, including the A router. All other devices have no issue, just this one Ubuntu machine.

    I have no issue with connectivity between the A and C networks.

    If I run this command on the Ubuntu machine in B network

    sysctl -w net.ipv4.ip_forward=1

    I can ping/ssh from A <-> B. The Ubuntu machine has one NIC, plus two additional ones for a TAP monitoring system, so they are set to

    eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.255.0
              inet6 addr: xxxx::xxx:xxxx:xxxx:xxxx/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:750659 errors:0 dropped:0 overruns:0 frame:0
              TX packets:460220 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:122675477 (122.6 MB)  TX bytes:409259079 (409.2 MB)
              Interrupt:19 Memory:f0180000-f01a0000

    eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:4857110 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1017130172 (1.0 GB)  TX bytes:0 (0.0 B)
              Interrupt:16 Memory:f0280000-f02a0000

    eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:16 Memory:f0300000-f0320000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:554233 errors:0 dropped:0 overruns:0 frame:0
              TX packets:554233 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:783922279 (783.9 MB)  TX bytes:783922279 (783.9 MB)

    route -n

    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        xx.xx.xx.xx      0.0.0.0        UG    100    0        0 eth0
    xx.xx.xx.0      0.0.0.0        255.255.255.0  U    0      0        0 eth0
    169.254.0.0    0.0.0.0        255.255.0.0    U    1000  0        0 eth0

    So with "sysctl -w net.ipv4.ip_forward=1" set, ping and ssh work, but the traceroute doesn't look as expected.
    I don't understand how the machine is forwarding when only one NIC has an address?

    PING xx.xx.xx.xx (xx.xx.xx.xx) 56(84) bytes of data.

    From xx.xx.xx.xx: icmp_seq=1 Redirect Host(New nexthop: xx.xx.xx.xx)
    64 bytes from xx.xx.xx.xx: icmp_req=1 ttl=63 time=46.8 ms

    traceroute xx.xx.xx.xx  (Traceroute from SO Sensor to SO Server)

    traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets
    1  xx.xx.xx.xx (xx.xx.xx.xx)  0.545 ms  0.532 ms  0.519 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  * * *
    9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    There are no blocks in iptables, and UFW is set to allow the connectivity.
    If anyone has any suggestions, I would appreciate it as I've tried several things to fix this issue without success.
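The ping output in the post above shows the local router sending an ICMP redirect, and the only change that made the host reachable was net.ipv4.ip_forward=1. One documented side effect of that sysctl is worth testing before leaving forwarding enabled on a host with promiscuous monitoring NICs: writing net.ipv4.ip_forward sets forwarding on every interface, and the kernel's ip-sysctl documentation states that a forwarding interface accepts ICMP redirects only when both net.ipv4.conf.all.accept_redirects and net.ipv4.conf.<iface>.accept_redirects are 1, while a non-forwarding interface accepts them when either is 1. As an added example (my code, not the poster's, and not a diagnosis of their network), the Python script below models that rule over sysctl output, so you can see whether flipping ip_forward changed redirect handling on your host and what the equivalent change without forwarding is. The sysctl values are constructed (a common half-applied hardening: all=0, eth0 left at the default 1). Whether the redirect is the actual cause of the poster's symptom is not established by the post; this only gives a way to check. The on-link and secure_redirects conditions the kernel also applies are not modelled.

```python
# Constructed `sysctl -a`-style excerpt: "all" hardened, eth0 left at the default.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
"""


def parse_sysctl(text):
    """Parse 'key = value' lines (the format of `sysctl -a`) into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def _on(values, key):
    return values.get(key, "0") == "1"


def set_ip_forward(values, enabled):
    """Model writing net.ipv4.ip_forward: the kernel propagates the new value to
    conf.all.forwarding and every conf.<iface>.forwarding entry."""
    new = dict(values)
    flag = "1" if enabled else "0"
    new["net.ipv4.ip_forward"] = flag
    for key in list(new):
        if key.startswith("net.ipv4.conf.") and key.endswith(".forwarding"):
            new[key] = flag
    return new


def accepts_redirects(values, iface):
    """Effective accept_redirects for one interface, following the rule in
    Documentation/networking/ip-sysctl: AND of all/iface when the interface
    forwards, OR of all/iface when it does not (host behaviour)."""
    forwarding = _on(values, f"net.ipv4.conf.{iface}.forwarding")
    all_accept = _on(values, "net.ipv4.conf.all.accept_redirects")
    iface_accept = _on(values, f"net.ipv4.conf.{iface}.accept_redirects")
    return (all_accept and iface_accept) if forwarding else (all_accept or iface_accept)


def disable_redirects(values, iface):
    """The change that stops a *host* honouring redirects without making it a
    router: both the all and the per-interface accept_redirects must be 0."""
    new = dict(values)
    new["net.ipv4.conf.all.accept_redirects"] = "0"
    new[f"net.ipv4.conf.{iface}.accept_redirects"] = "0"
    return new


if __name__ == "__main__":
    before = parse_sysctl(SAMPLE_SYSCTL)
    print("host, as configured:      accepts redirects =", accepts_redirects(before, "eth0"))
    print("after ip_forward=1:       accepts redirects =", accepts_redirects(set_ip_forward(before, True), "eth0"))
    print("hardened, still a host:   accepts redirects =", accepts_redirects(disable_redirects(before, "eth0"), "eth0"))
```

Run `sysctl -a 2>/dev/null | grep -E 'ip_forward|accept_redirects|forwarding'` on the affected host and feed the output to parse_sysctl; if the before/after values differ the way the sample does, set both accept_redirects keys to 0 (and persist them in /etc/sysctl.d/) instead of leaving ip_forward on, then look at why the router is redirecting in the first place.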

  • Curl diag_ipsec.php

    0 Votes, 1 Post, 766 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.