• Settings from Sonic Wall

    0 Votes
    3 Posts
    459 Views
    @calical https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure.html
  • multiple phase 2 to the same destination but different source

    0 Votes
    2 Posts
    352 Views
    Recreated in a different order and now it works. First the phase 2 without NAT and then the one with NAT. Topic can be closed.
  • Manually delete ipsec leftovers

    0 Votes
    1 Posts
    271 Views
    No one has replied
  • IPSEC/Charon crash on 23.01

    0 Votes
    2 Posts
    420 Views
    jimp
    Hard to say what that crash may have been but probably hit a bug in strongSwan more than anything. It should be more stable on 23.05. Not only is it on a newer version of strongSwan, but the new version also fixes some locking issues that had sometimes caused charon to end up deadlocked.
  • Can't get IPSEC to connect, been trying for days.

    0 Votes
    2 Posts
    536 Views
    @sunka said in Can't get IPSEC to connect, been trying for days.:
    May 22 18:29:01 martin-Legion-5-15IAH7H charon: 16[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    May 22 18:29:01 martin-Legion-5-15IAH7H charon: 16[IKE] received AUTHENTICATION_FAILED notify error
    This suggests that part of your handshaking is wrong. SSLs or keys or a mix of the two or whatever the config is.
  • Portforwarding on WAN Interface via Site to Site IPsec

    0 Votes
    12 Posts
    1k Views
    @operaiter said in Portforwarding on WAN Interface via Site to Site IPsec: I just double-checked the rule. Furthermore I set up a new rule with a different target and port. Still can't see outgoing traffic on the pfSense interface. The only reason for this, apart from NAT and filter rules, that I can think of is that the tunnel is not working properly. Possibly the additional phase 2 is not correct or not accepted. Some IPsec implementations may reject multiple phase 2s for the same or overlapping subnets. You can check the log for hints on this.
  • Rediscovered old workaround for IPSec DNS still works

    2 Votes
    2 Posts
    709 Views
    Same story for me on pfSense+ 23.01. Tried everything until I came across this post, which amazingly works. My use case is to iOS 16.4.1.
  • Strange VTI Routing issue

    0 Votes
    6 Posts
    923 Views
    @meluvalli For now, I ended up switching to WireGuard. I much prefer to use IPSec though. IPSec seems more stable of a connection. I really would like to get to the bottom of this :(
  • IPSEC tunnels up, won't pass traffic

    0 Votes
    1 Posts
    253 Views
    No one has replied
  • Locally generated traffic not flowing into IPsec site-to-site tunnel

    0 Votes
    3 Posts
    624 Views
    Seems this is a known limitation: https://forum.netgate.com/topic/118063/dhcp-relay-over-ipsec-vpn/16
  • IPsec + Cisco Meraki

    0 Votes
    3 Posts
    510 Views
    I have solved the issue. The cause was on the hoster's network and I had to manually add VPC routes to go via the pfSense server for the office networks' CIDR. I also need to add that there was no such issue when we use, for example, OpenVPN, since it masks the IP, while in normal IPsec we have to know exactly where to send packets to. Thus some extra steps have to be done.
  • VPN Probe?

    0 Votes
    1 Posts
    413 Views
    No one has replied
  • IPSec (VTI) + BGP / GCP

    0 Votes
    2 Posts
    382 Views
    Figured it out - had to set a separate allow all Prefix List to each neighbour.
  • My IPSEC service hangs

    0 Votes
    76 Posts
    25k Views
    @scottself said in My IPSEC service hangs: https://redmine.pfsense.org/issues/13014 It says on the redmine where it will be implemented. Plus Target Version: 23.05
  • pfsense/IPSec FIPS mode?

    0 Votes
    1 Posts
    449 Views
    No one has replied
  • IPSEC VPN Passes traffic out but not in

    0 Votes
    3 Posts
    435 Views
    Log entries on the pfSense, showing it's clearly getting the Ping response back; I'm just not sure how to find out what it's doing with it after that. I've removed a few repetitive entries but nothing that seems pertinent.
    May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution
    May 4 14:57:21 charon 46137 16[JOB] next event in 88ms, waiting
    May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution
    May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> sending DPD request
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> queueing IKE_DPD task
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating IKE_DPD task
    May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> order payloads in message
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating INFORMATIONAL request 1585 [ ]
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating payload of type HEADER
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating ENCRYPTED payload finished
    May 4 14:57:21 charon 46137 09[NET] <con2|12> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (80 bytes)
    May 4 14:57:21 charon 46137 04[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500]
    May 4 14:57:21 charon 46137 16[JOB] next event in 3s 999ms, waiting
    May 4 14:57:21 charon 46137 02[NET] received packet => 80 bytes @ 0x7fffdfdfa5f0
    May 4 14:57:21 charon 46137 02[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500]
    May 4 14:57:21 charon 46137 02[ENC] parsing header of message
    May 4 14:57:21 charon 46137 02[ENC] parsed a INFORMATIONAL response header
    May 4 14:57:21 charon 46137 02[NET] waiting for data on sockets
    May 4 14:57:21 charon 46137 09[NET] <con2|12> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (80 bytes)
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing body of message, first payload is ENCRYPTED
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> starting parsing a ENCRYPTED payload
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload, 52 bytes left
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload finished
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying payload of type ENCRYPTED
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload verified, adding to payload list
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload found, stop parsing
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> process payload of type ENCRYPTED
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> found an encrypted payload
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed content of encrypted payload
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying message structure
    May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed INFORMATIONAL response 1585 [ ]
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks
    May 4 14:57:21 charon 46137 09[IKE] <con2|12> nothing to initiate
  • Route traffic through ipsec tunnel

    ipsec routing
    0 Votes
    10 Posts
    2k Views
    @viragomann We got it sorted out.... on the main the tunnel to the 3rd party on the local network was using 1.0/24 and this needed to be 0.0/16
  • Why cannot use ipsec as gateway?

    0 Votes
    1 Posts
    252 Views
    No one has replied
  • How to route traffic to specific subnet via ipsec?

    0 Votes
    9 Posts
    943 Views
    @realtebo This should work anyway. It only needs a properly configured p2 with a local subnet which includes an interface IP of pfSense.
  • DNS not resolving over VPN

    0 Votes
    6 Posts
    957 Views
    Since this is basically my same problem. I set up a site-to-site VPN. Site 1 is a remote office. Site 2 is our DC with our domain controller and DNS servers. Users at site 1 need to reach systems by DNS at site 2. I added a Domain Override to the DNS Resolver in the pfSense firewall at site 1 with our domain and the DNS server at site 2 to send the queries to. When I did this the only thing that can be resolved by DNS is my primary domain controller. It happens to be a DNS server as well. I've tried adding the DNS servers at site 2 to the General Setup DNS server list as well, after the ISP DNS servers. At site 2 I have a WatchGuard firewall. I looked at this as well https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html#ipsec-fwtraffic but I don't think this is related, since if I set the DNS server on a local machine to the IP of the DNS server at site 2 I can resolve everything at site 2. I'd like to just do this through the pfSense at site 1. I just put my domain DNS server as the primary DNS for the DHCP leases (Services / DHCP Server / LAN), then Google DNS, and then lastly our ISP DNS. Everything works as expected this way.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.