It's not a fatal error, just annoying log spam. No way to suppress it currently.

Unlikely.
It would work as long as they were both using dyndns to give the other something to open a state to and the provider is not using source port randomisation. They probably are though.

Steve

@c-zaborowski 7 Years and four major versions later, this helped us soooo much.

Thank you Sir

@jimp Hi there, I updated to 2.5 and found that my site-to-site IPSEC VPN connections were broken. I found this thread and installed the aforementioned patches which fixed the VPN (including the Status->ipsec page) but the ipsec status widget still seems to be broken, i.e., they show connected on the Status->ipsec page but show as down on the Widget->Tunnels tab.

Thanks

I don't know why the VPN worked before the upgrade (sarcasm). The thing is, I added the rule in the target subnet (VPN assigns 162.168.10.0/24 for remote clients targeting in 192.168.1.0/24) to allow communication on ports 50, 51, 4500 and 1701 on 192.168 .1.0 / 24. This has definitely solved the problem.

@adityaduggal

Hi
In your case, you need to look at the logs from the side of Sophos

Mar 7 16:47:44 firewall charon[77898]: 06[NET] <con9000|214> received packet: from sophos_ip_address[500] to pf_sense_ip_address[500] (36 bytes) Mar 7 16:47:44 firewall charon[77898]: 06[ENC] <con9000|214> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] Mar 7 16:47:44 firewall charon[77898]: 06[IKE] <con9000|214> received NO_PROPOSAL_CHOSEN notify error

The NO_PROPOSAL_CHOSEN error in phase 1 may be caused by

Phase 1 Encryption Algorithm Mismatch
or Phase 1 Hash Algorithm Mismatch
or Phase 1 DH Group Mismatch

https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html

@jimp I applied the patch, verified that split_include was no longer in included in /var/etc/ipsec/swanctl.conf and connected the android VPN client. The Android IPSec client now connects successfully regardless of the Network List setting. Thanks.

@bingo600 said in PFSense 2.5 -> IPSec Widgets shows wrong state:

Bingo

Hi,
yes, its a side2side or lan2lan configuration and its not so nicely shown in the Getaway widget.

@peterzy thanks..I saw it later of my post :|

@brians
Fixed by replacing router.
Not sure what happened with old one.

ipsec multi-point mutual access to solve.

pf local subnet setting 0.0.0.0/0

Point A to the terminal network, add 192.168.4.0/24 and 192.168.2.0/24

Point B to the terminal network, add 192.168.3.0/24 and 192.168.2.0/24

Here's the ones from the post I believe you are thinking of. Just would hate to miss one, the one because they're all over the place.
ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
ded7970ba57a99767e08243103e55d8a58edfc35 #11486
afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488
f731957f945af90d6a75f0e33f91a440a6a55736 #11526

https://redmine.pfsense.org/issues/11489

Can you try putting WireGuard back and disabling AES-NI temporarily to see if the crashes still occur?