Did you try Child SA Close Action: Restart/Reconnect for the Tunnel Configuration at Site B?

Ok. Thank you for the effort.

This will be much improved on the next release: https://forum.netgate.com/post/994704 https://forum.netgate.com/topic/165510/heads-up-ipsec-changes?_=1627666555213

Sounds like what you want is "Split connections" in the P1 options. IKEv1 is always split -- each P2 gets its own separate configuration IKEv2 can combine traffic selectors and does so by default, so all your P2 configurations get lumped into a single configuration entry. This is more efficient and flexible, since it only needs to maintain one child SA for all traffic, but some other devices/services don't like it for various reasons. If you are using IKEv2 and check "Split Connections" then it creates a separate configuration for each P2 so they will be independent.

FYI someone linked a similar issue described here: https://www.reddit.com/r/AZURE/comments/osp4n3/i_can_no_longer_connect_to_some_of_the_nodes_over/

Check the logs on the far side. It would seem to indicate that your identifier doesn't match what the other side expects, but your side doesn't have any more than that to go on. Logs on the other side would be more specific.

@mrgizmo The point is that it only behaves like that if there is an active outbound NAT rule on LAN or if you're doing NAT in IPSec p 2. So if you're in doubt provide these settings.

@polka44 I'm not sure IPv4 will work behind CG-NAT but IPv6 should from what little I understand. IPsec Site-to-Site VPN Example with Certificate Authentication IPsec Site-to-Site VPN Example with Pre-Shared Keys Site to Site VPNs on pfSense

@shellbr There is another thread going on about this. Someone suggested a script. https://forum.netgate.com/post/992563

@cre8toruk There is no problem creating a separate site to site tunnel.

@froussy Hi, may be IPSEC (VTI) + OSPF/BGP???

@digitalcomposer So what is the problem with IPSEC and Crypto AES-GCM?? I try with WireGuard and the SITE TO SITE speed is 800Mbit/s and with IPSEC 23Mbit/s.

This post was flagged as spam so I can't edit out the redundant image, sorry.

@metisit A little late on this reply, but for anyone coming across this- that link concerns racoon and not strongswan.

@ralphandreas Hi we have the same problem with 2.5.2 it is not better.

@cybertivo did you ever get anywhere with this. I have some traffic passing but seems like traffic initiated from at&t end is where most of the problem lies. I thought static IPs would help, but no such luck so far. This same tunnel config was previously working when connected to cable modem.