• ipsec vpn bug found

    2
    0 Votes
    2 Posts
    1k Views
    N
    https://redmine.pfsense.org/issues/12645
  • IPsec invalid payload

    5
    0 Votes
    5 Posts
    2k Views
    L
    @konstanti These are the rules. I'm using port 1600 for the GUI. Is there anything wrong? In IPsec I have added the VPN network of 10.3.200.0/24
  • IPSEC on iPhone using pfSense - connects but no access

    2
    0 Votes
    2 Posts
    619 Views
    keyser
    @amrogers3 Yes, I have IPSec working just fine with Windows 7 -> 10, MacOS, iPhone and Android phones all on the same Mobile IPsec setup on a pfSense. Mind you though - I believe I remember there were some issues that you had to be very careful about on 2.4.5 because it was less than capable of supporting the latest standards. I would strongly recommend you upgrade to 2.6 and implement your IPsec as an IKEv2 setup. Works beautifully with all the clients, and the only major drawback is in enterprise size networks because Netgate has not implemented named IP pools to assign clients to with Radius returned class info. So all clients are treated the same because you can't separate them by IP unless you create static IP return rules per user from Radius.
  • Virtual Address Pool in Pre-Shared Keys is not used for IPSec

    8
    0 Votes
    8 Posts
    2k Views
    keyser
    @keyser Just bumping this thread out of interest. Does anyone know if making IPsec Road warrior “usable” in larger corporations is actually on the roadmap from Netgate, or will it just be stranded at “one pool, one ruleset for all VPN users” going forward? The Framed-IP-Address is not a solution in larger networks due to the massive maintenance issues it brings.
  • IPSec Phase1 DynamicDNS still not working in v2.6

    2
    0 Votes
    2 Posts
    787 Views
    B
    @vicedriver I have the same issue on 2.6: the dynamic DNS client is not updating the no-ip record and the VPN clients cannot connect. The workaround is I have configured this pfSense as a VPN client, so it can connect to my static IP pfSense and gain routing to its interface. After that, I press the button Save & Force Update to renew.
  • IPSec doesn't reconnect?

    1
    0 Votes
    1 Posts
    454 Views
    No one has replied
  • two-tunnels routed ipsec reverse traffic issue

    2
    0 Votes
    2 Posts
    569 Views
    J
    Appeared to be a states clearing issue. Please, disregard
  • IPSEC with PPPoE: error writing to socket: Can't assign requested address

    1
    0 Votes
    1 Posts
    771 Views
    No one has replied
  • IPsec hub with 16 spokes supernet

    ipsec hub & spoke s2s access
    1
    0 Votes
    1 Posts
    683 Views
    No one has replied
  • Can't pass traffic using VTI if_sec if destination was powered off

    1
    0 Votes
    1 Posts
    532 Views
    No one has replied
  • PF_KEY buffer overflow errors - killing ipsec tunnel

    2
    0 Votes
    2 Posts
    812 Views
    jimp
    Upgrade to a more recent supported release. That was fixed a long time ago.
  • 0 Votes
    2 Posts
    2k Views
    M
    I want to make a tunnel between pfSense and a VPS, I have no idea how to do that. Kindly help
  • Remote Id for VPN site to site

    2
    0 Votes
    2 Posts
    1k Views
    I
    @ivan0 Any support about the request above?
  • Is VTI currently broken?

    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
  • IPSec Routing is not working after upgrading pfsense from 2.4.4 to 2.6.0

    2
    0 Votes
    2 Posts
    891 Views
    T
    Hello Team, Can you please help us on above issue? Thank You
  • IPSEC VPN connects from iOS, but does not route traffic

    4
    0 Votes
    4 Posts
    2k Views
    D
    We've encountered a lot of issues with VPN on iOS devices. A core point is Apple's DNS privacy: when connected to a wifi, Apple by default is ignoring the assigned DNS servers (and therefore any DNS assigned by the tunnel) and instead is using the Apple cloud DNS, "to protect your privacy" (at least that's the reason they claim). You can set the DNS server for a particular wifi to manual to resolve this. Just becomes very unhandy if you have hundreds of clients dealing with that "feature". Your observation about the IPv6 / IPv4 difference might be the problem: your iPhone's provider is using IPv6, and your IPv4 connection is then only an IPv4 over IPv6 tunnel (in our country referred to as "Dual-Stack-Lite / DS-Lite"). Here you'll have limits on the usable ports, depending on the provider. He might have decided that a common user needs to use port 80 and 443, therefore created the proper rules for that, but everything else will not be forwarded. (Your phone would be the router here, IPv4 only over NAT'd IPv6.) Your best option here would be to make your VPN server IPv6 capable, OR (that's what we did): use port 143 - that's IMAPS - nobody is using IMAP nowadays, but that port is most likely served by your ISP.
  • Can you setup an address pool for IPSec clients ?

    2
    0 Votes
    2 Posts
    831 Views
    NogBadTheBad
    @paul1923 Freeradius and framed-ip addresses will enable you to do this per user. https://forum.netgate.com/topic/115795/guide-ikev2-ipsec-per-user-firewall-rule-settings-with-freeradius
  • IPsec VTI 2.6.0 requires reboot

    10
    0 Votes
    10 Posts
    2k Views
    luckman212
    @ofloo Thanks. A couple of small points:
    - your shebang is for bash -- did you install bash on your firewall? (pfSense does not come with bash)
    - you could use pkill -F /var/run/charon.pid, which is more concise and doesn't need the cat
    - wouldn't you need to tail -n10 etc. to be sure you weren't just reading the same "trap not found" message over and over in a loop?
    - you don't need the extra if-test and pipe to wc, you can test the result code from grep directly
    Maybe something like this would work? (I have not tested this)

        #!/bin/sh
        # Look only at the last 10 log lines so an old message is not matched over and over
        if tail -n10 /var/log/ipsec.log | /usr/bin/grep -q "trap not found, unable to acquire reqid"; then
            # Kill charon using the PID recorded in its pid file
            pkill -9 -F /var/run/charon.pid
            echo "Executed Charon kill script, IPsec seems locked up"
        fi
        exit 0
  • SecureW2 ipsec eap-tls

    ipsec ikev2
    1
    0 Votes
    1 Posts
    978 Views
    No one has replied
  • Log Ipsec

    1
    0 Votes
    1 Posts
    498 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.