• Mobile IPSec Tunnel on 3rd pfSense site fails

    0 Votes
    2 Posts
    479 Views
    @thewaterbug Interesting. I have this working from macOS (10.14.6), but not from iOS 16. Here's the IPSec log after my Mac connects successfully:
    Nov 8 15:21:23 charon 1186 06[NET] <11> received packet: from my.mobile.ip.address[500] to my.public.gateway.address[500] (604 bytes)
    Nov 8 15:21:23 charon 1186 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Nov 8 15:21:23 charon 1186 06[IKE] <11> my.mobile.ip.address is initiating an IKE_SA
    Nov 8 15:21:23 charon 1186 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Nov 8 15:21:24 charon 1186 06[IKE] <11> remote host is behind NAT
    Nov 8 15:21:24 charon 1186 06[IKE] <11> sending cert request for "CN=ACMERocketCarsCA, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
    Nov 8 15:21:24 charon 1186 06[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
    Nov 8 15:21:24 charon 1186 06[NET] <11> sending packet: from my.public.gateway.address[500] to my.mobile.ip.address[500] (481 bytes)
    Nov 8 15:21:24 charon 1186 06[NET] <11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (528 bytes)
    Nov 8 15:21:24 charon 1186 06[ENC] <11> unknown attribute type INTERNAL_DNS_DOMAIN
    Nov 8 15:21:24 charon 1186 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Nov 8 15:21:24 charon 1186 06[CFG] <11> looking for peer configs matching my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
    Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> selected peer config 'con-mobile'
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_IDENTITY method (id 0x00)
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer supports MOBIKE
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with RSA signature successful
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> sending end entity cert "CN=ACMERocketCars.dyndns.org, C=US, ST=California, L=San Francisco, O=ACME RocketCars"
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> splitting IKE message (1664 bytes) into 2 fragments
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ EF(1/2) ]
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 1 [ EF(2/2) ]
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (1236 bytes)
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (500 bytes)
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> received EAP identity 'user@domain.com'
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_MSCHAPV2 method (id 0xE8)
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (112 bytes)
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (160 bytes)
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (144 bytes)
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (80 bytes)
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 4 [ EAP/SUCC ]
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (80 bytes)
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> received packet: from my.mobile.ip.address[51296] to my.public.gateway.address[4500] (112 bytes)
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> parsed IKE_AUTH request 5 [ AUTH ]
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of '192.168.0.213' with EAP successful
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with EAP
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> scheduling rekeying in 23424s
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> maximum IKE_SA lifetime 26304s
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer requested virtual IP %any
    Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> reassigning offline lease to 'user@domain.com'
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> assigning virtual IP 192.168.202.1 to peer 'user@domain.com'
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer requested virtual IP %any6
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> no virtual IP found for %any6 requested by 'user@domain.com'
    Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> CHILD_SA con-mobile{2} established with SPIs cdbc8d8f_i 0e359038_o and TS 192.168.200.0/24|/0 === 192.168.202.1/32|/0
    Nov 8 15:21:24 charon 1186 06[ENC] <con-mobile|11> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS SUBNET (27674) (27675)) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Nov 8 15:21:24 charon 1186 06[NET] <con-mobile|11> sending packet: from my.public.gateway.address[4500] to my.mobile.ip.address[51296] (352 bytes)
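Added example, not code from the post or from pfSense/strongSwan: a small Python summarizer that turns charon lines in the format quoted above into one fact table per IKE_SA (selected IKE and ESP proposals, NAT detection, EAP methods and identity, virtual IP, CHILD_SA traffic selectors, and the warnings charon emitted). The regexes and the names parse_line, summarize and compare are mine; SAMPLE_LOG is a subset of the macOS log quoted above. Running the failing iOS attempt's log through the same function and diffing the two summaries with compare points at the first field where the iOS negotiation diverges, which is faster than reading the raw lines side by side.

```python
"""Summarize a pfSense/strongSwan charon log per IKE_SA.

Added example, not code from the post. The regexes and function names are
mine; SAMPLE_LOG is a subset of the macOS negotiation quoted above.
"""
import re

# "Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> peer supports MOBIKE"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) charon \d+ "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)

# Single-valued facts (last match wins), multi-valued facts (all kept), and flags.
SCALAR = {
    "peer": re.compile(r"^(?P<v>\S+) is initiating an IKE_SA$"),
    "ike_proposal": re.compile(r"^selected proposal: IKE:(?P<v>\S+)$"),
    "esp_proposal": re.compile(r"^selected proposal: ESP:(?P<v>\S+)$"),
    "eap_identity": re.compile(r"^received EAP identity '(?P<v>[^']+)'$"),
    "virtual_ip": re.compile(r"^assigning virtual IP (?P<v>\S+) to peer"),
    "child_ts": re.compile(r"^CHILD_SA \S+ established with SPIs \S+ \S+ and TS (?P<v>.+)$"),
}
LISTS = {
    "eap_methods": re.compile(r"^initiating (?P<v>EAP_\w+) method"),
    "auth": re.compile(r"^(?P<v>authentication of '[^']+'(?: \(myself\))? with .+ successful)$"),
    "warnings": re.compile(r"^(?P<v>unknown attribute type \w+|no virtual IP found for \S+)"),
}
FLAGS = {
    "nat": re.compile(r"^remote host is behind NAT$"),
    "ike_established": re.compile(r"^IKE_SA \S+ established between "),
}

# Subset of the macOS log from the post above (identities as the poster redacted them).
SAMPLE_LOG = """\
Nov 8 15:21:23 charon 1186 06[IKE] <11> my.mobile.ip.address is initiating an IKE_SA
Nov 8 15:21:23 charon 1186 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 8 15:21:24 charon 1186 06[IKE] <11> remote host is behind NAT
Nov 8 15:21:24 charon 1186 06[ENC] <11> unknown attribute type INTERNAL_DNS_DOMAIN
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_IDENTITY method (id 0x00)
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of 'ACMERocketCars.dyndns.org' (myself) with RSA signature successful
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> received EAP identity 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> initiating EAP_MSCHAPV2 method (id 0xE8)
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> authentication of '192.168.0.213' with EAP successful
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between my.public.gateway.address[ACMERocketCars.dyndns.org]...my.mobile.ip.address[192.168.0.213]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> assigning virtual IP 192.168.202.1 to peer 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> no virtual IP found for %any6 requested by 'user@domain.com'
Nov 8 15:21:24 charon 1186 06[CFG] <con-mobile|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> CHILD_SA con-mobile{2} established with SPIs cdbc8d8f_i 0e359038_o and TS 192.168.200.0/24|/0 === 192.168.202.1/32|/0
"""


def parse_line(line):
    """Split one charon line into its fields, or return None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Return {ike_sa_id: facts} for every IKE_SA that appears in the log."""
    sas = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        facts = sas.setdefault(rec["sa"], {
            "conn": None, "nat": False, "ike_established": False,
            "eap_methods": [], "auth": [], "warnings": [],
        })
        if rec["conn"]:                      # "<con-mobile|11>" names the matched peer config
            facts["conn"] = rec["conn"]
        msg = rec["msg"]
        for key, pat in SCALAR.items():
            m = pat.match(msg)
            if m:
                facts[key] = m.group("v")
        for key, pat in LISTS.items():
            m = pat.match(msg)
            if m:
                facts[key].append(m.group("v"))
        for key, pat in FLAGS.items():
            if pat.match(msg):
                facts[key] = True
    return sas


def compare(good, bad):
    """Fields that differ between a working and a failing IKE_SA summary."""
    keys = sorted(set(good) | set(bad))
    return {k: (good.get(k), bad.get(k)) for k in keys if good.get(k) != bad.get(k)}


if __name__ == "__main__":
    for sa_id, facts in summarize(SAMPLE_LOG.splitlines()).items():
        print(sa_id, facts)
```

Both warnings the summarizer reports ('unknown attribute type INTERNAL_DNS_DOMAIN' and the failed %any6 virtual IP lookup) also appear in this working macOS session, so on their own they do not explain a failing client; the fields to compare first are the selected proposals, the EAP method and the CHILD_SA traffic selectors.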
  • OpenVPN to IPSec

    0 Votes
    3 Posts
    803 Views
    @viragomann You're a gentleman and a scholar! Thanks so much
  • Configuration IPSEC pfSense between ASA5516

    0 Votes
    1 Posts
    332 Views
    No one has replied
  • Site-to-site VPN with non-static IP address

    0 Votes
    7 Posts
    1k Views
    @fazevedo How would that be any different from the actual IP address? You don't have to tell anyone what domain name you chose. There's literally no security concern any different from having a public IP.
  • OpenVPN & IPSec with pfSense and External network

    0 Votes
    1 Posts
    461 Views
    No one has replied
  • Phase 2 network issue

    0 Votes
    2 Posts
    604 Views
    Enabling Split connections on Phase 1 solved it.
  • IPsec ESP traffic

    0 Votes
    1 Posts
    354 Views
    No one has replied
  • IPSEC - Multiple Encryption domain

    0 Votes
    1 Posts
    461 Views
    No one has replied
  • Disable Anti-Replay Protection

    0 Votes
    1 Posts
    418 Views
    No one has replied
  • different ACLs for different road warrior configurations?

    0 Votes
    1 Posts
    375 Views
    No one has replied
  • IKEv2 Mikrotik to pfSense authentication error

    0 Votes
    1 Posts
    600 Views
    No one has replied
  • IPSec on three sites with intermediate tunnel

    0 Votes
    4 Posts
    772 Views
    @viragomann++ Thanks for your reply. You were right, I was missing firewall rules on Site A (intermediate hop). Now I have the hop tunnel working. Thanks again.
  • IPSec block internet

    0 Votes
    1 Posts
    477 Views
    No one has replied
  • NAT addressing problem

    0 Votes
    4 Posts
    714 Views
    Aaaannnndd it started working, somehow. I played a little with "Rekey Time" and " Reauth Time" but didn't get the results I expected, so I disabled them (which is what I had before). But somehow, icmp translation started to work. Now it works but I don't know why..... :-P Tks. Roberto
  • pfSense L2TP over IPSEC server and TP-Link ER605 router L2TP client

    0 Votes
    1 Posts
    926 Views
    No one has replied
  • freeradius static ip assignment causes very slow speeds&packet losses

    0 Votes
    1 Posts
    416 Views
    No one has replied
  • Block unwanted IPsec connection attempt

    0 Votes
    3 Posts
    667 Views
    @johnpoz Thanks for the reply. I think I've done that; I've also added it to the LAN and IPsec section for good measure. [image] [image] [image] And still I get the following in the IPsec log: [image] I've blacked out my IP. Thanks, Jacob
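Added example, not part of the thread: a Python check that reads the charon log and lists the sources that keep sending IKE_SA_INIT without ever reaching an established IKE_SA, so that a block alias can be built from evidence rather than from a screenshot. The sample lines are constructed (RFC 5737 addresses, the hostname vpn.example.test) in the line format pfSense writes; the regexes and the names unauthenticated_initiators and alias_table are mine. A practical point goes with it: charon only logs a packet that pf has already passed to the host, so a source that still shows up in 'received packet' lines after a WAN block rule is in place is not being matched by that rule (rule order, the wrong interface, or an existing state that has to be reset); rules on the IPsec tab filter traffic inside established tunnels and never IKE itself.

```python
"""List peers that send IKE_SA_INIT to charon but never complete an IKE_SA.

Added example; not code from the thread. Sample lines are constructed
(RFC 5737 addresses) in the format pfSense writes charon log lines.
"""
import re
from collections import defaultdict

# "<11>" or "<con-mobile|11>" tags the IKE_SA a charon message belongs to.
SA_RE = re.compile(r"<(?:[^|>]+\|)?(?P<sa>\d+)> (?P<msg>.*)$")
RECV_RE = re.compile(r"^received packet: from (?P<src>[^\[]+)\[\d+\] to ")
INIT_RE = re.compile(r"^parsed IKE_SA_INIT request ")
ESTAB_RE = re.compile(r"^IKE_SA \S+ established between ")

# Constructed sample: one road warrior that authenticates (SA 11) and one
# host that keeps sending IKE_SA_INIT without ever getting an IKE_SA.
SAMPLE_LOG = """\
Nov 8 15:21:23 charon 1186 06[NET] <11> received packet: from 198.51.100.7[500] to 203.0.113.1[500] (604 bytes)
Nov 8 15:21:23 charon 1186 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 8 15:21:24 charon 1186 06[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between 203.0.113.1[vpn.example.test]...198.51.100.7[192.168.0.213]
Nov 8 15:30:01 charon 1186 09[NET] <12> received packet: from 192.0.2.44[500] to 203.0.113.1[500] (336 bytes)
Nov 8 15:30:01 charon 1186 09[ENC] <12> parsed IKE_SA_INIT request 0 [ SA KE No ]
Nov 8 15:30:31 charon 1186 10[NET] <13> received packet: from 192.0.2.44[500] to 203.0.113.1[500] (336 bytes)
Nov 8 15:30:31 charon 1186 10[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No ]
Nov 8 15:31:02 charon 1186 11[NET] <14> received packet: from 192.0.2.44[500] to 203.0.113.1[500] (336 bytes)
Nov 8 15:31:02 charon 1186 11[ENC] <14> parsed IKE_SA_INIT request 0 [ SA KE No ]
"""


def unauthenticated_initiators(lines, min_attempts=1):
    """Map source IP -> IKE_SA_INIT requests on IKE_SAs that never established."""
    src_of_sa = {}                 # IKE_SA id -> source address of its first packet
    inits_by_sa = defaultdict(int)
    established = set()
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue
        sa, msg = m.group("sa"), m.group("msg")
        r = RECV_RE.match(msg)
        if r:
            src_of_sa.setdefault(sa, r.group("src"))
        elif INIT_RE.match(msg):
            inits_by_sa[sa] += 1
        elif ESTAB_RE.match(msg):
            established.add(sa)
    counts = defaultdict(int)
    for sa, n in inits_by_sa.items():
        if sa not in established and sa in src_of_sa:
            counts[src_of_sa[sa]] += n
    return {src: n for src, n in counts.items() if n >= min_attempts}


def alias_table(counts):
    """Body for a pfSense URL Table alias (one address per line) to feed a WAN block rule."""
    return "".join(f"{ip}\n" for ip in sorted(counts))


if __name__ == "__main__":
    hits = unauthenticated_initiators(SAMPLE_LOG.splitlines(), min_attempts=3)
    print(alias_table(hits), end="")
```

Raise min_attempts above 1 before turning the output into a block list: a legitimate client on a bad link also produces an IKE_SA_INIT that never completes, and one such line is not an attack.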
  • Win10 IKEv2 Connects, but No Network Access

    0 Votes
    7 Posts
    1k Views
    @thewaterbug said in Win10 IKEv2 Connects, but No Network Access: @keyser Thanks! Does putting the config file in the /conf/ folder work for all pfSense installs? It didn't work for me. My problem may have been that I didn't rename the config file. I just put it in there with its full filename, e.g. config-hostname.domain.tld-20221007121918.xml. After doing some reading, I renamed it to just config.xml. I didn't know whether to put it at the root or in /conf/, so I put it in both, and it worked this time.
  • pfSense - IPSEC to Fortigate - Too Many Phase 2 SAs kills Tunnel

    0 Votes
    2 Posts
    2k Views
    I have fixed it for now. The current tunnel configuration was set up as IKEv1. I have converted both sides of the tunnels to IKEv2 and I can now see all the SAs on the pfSense side, and they match the networks on the Fortigate side. I am able to pass traffic on my 2 test networks. I will add more networks on Monday. If I can pass traffic on all 14 of the networks, then I am good. If not, IKEv2 on the pfSense side provides the ability to split connections. You can read more about split connections in this document: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#advanced-options Thank you
  • 0 Votes
    3 Posts
    596 Views
    @thewaterbug Fixed: Add-VpnConnectionRoute -ConnectionName "PI-IKEV2-VPN" -DestinationPrefix 192.168.0.0/24 -PassThru with the Use Default Gateway . . . unchecked.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.