• IPSec Tunnels Not Working after upgrading to v2.5 CE

    0 Votes
    2 Posts
    541 Views
    @adityaduggal Hi
    In your case, you need to look at the logs from the side of Sophos
    Mar 7 16:47:44 firewall charon[77898]: 06[NET] <con9000|214> received packet: from sophos_ip_address[500] to pf_sense_ip_address[500] (36 bytes)
    Mar 7 16:47:44 firewall charon[77898]: 06[ENC] <con9000|214> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Mar 7 16:47:44 firewall charon[77898]: 06[IKE] <con9000|214> received NO_PROPOSAL_CHOSEN notify error
    The NO_PROPOSAL_CHOSEN error in phase 1 may be caused by Phase 1 Encryption Algorithm Mismatch or Phase 1 Hash Algorithm Mismatch or Phase 1 DH Group Mismatch
    https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html
  • Site to Site active tunnel only on one site

    0 Votes
    1 Posts
    212 Views
    No one has replied
  • pfSense 2.5 breaks Android VPN client

    0 Votes
    12 Posts
    2k Views
    @jimp I applied the patch, verified that split_include was no longer included in /var/etc/ipsec/swanctl.conf and connected the Android VPN client. The Android IPSec client now connects successfully regardless of the Network List setting. Thanks.
  • PFSense 2.5 -> IPSec Widgets shows wrong state

    1 Votes
    13 Posts
    2k Views
    @bingo600 said in PFSense 2.5 -> IPSec Widgets shows wrong state: Bingo Hi, yes, it's a side2side or lan2lan configuration and it's not so nicely shown in the Gateway widget.
  • IPSec established on 2.5 but the Widget on Dashboard says no.

    1 Votes
    3 Posts
    627 Views
    @peterzy thanks..I saw it later of my post :|
  • IPSec slow receive traffic to my router

    0 Votes
    2 Posts
    305 Views
    @brians Fixed by replacing router. Not sure what happened with old one.
  • ipsec issue

    Moved
    0 Votes
    2 Posts
    478 Views
    ipsec multi-point mutual access to solve.
    pf local subnet setting 0.0.0.0/0
    Point A to the terminal network, add 192.168.4.0/24 and 192.168.2.0/24
    Point B to the terminal network, add 192.168.3.0/24 and 192.168.2.0/24
  • Problem with two permanent N2N at the same time

    0 Votes
    1 Posts
    196 Views
    No one has replied
  • 21.02/2.5 <-> 21.02/2.5 IPSEC Fails quickly

    0 Votes
    4 Posts
    780 Views
    Here's the ones from the post I believe you are thinking of. Just would hate to miss one, the one because they're all over the place.
    ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
    57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
    10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
    ded7970ba57a99767e08243103e55d8a58edfc35 #11486
    afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
    2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488
    f731957f945af90d6a75f0e33f91a440a6a55736 #11526
  • Certificate Import crash

    0 Votes
    2 Posts
    475 Views
    jimp
    https://redmine.pfsense.org/issues/11489
  • esp_input_cb() panic

    Moved
    0 Votes
    7 Posts
    972 Views
    jimp
    Can you try putting WireGuard back and disabling AES-NI temporarily to see if the crashes still occur?
  • IPsec failing with 21.02-p1

    0 Votes
    5 Posts
    952 Views
    dennypage
    @jimp Thanks Jim
  • IPSECKEY Plugin is disabled

    0 Votes
    1 Posts
    494 Views
    No one has replied
  • IPsec Tunnel to Azure Not Working Since 21.02

    0 Votes
    4 Posts
    740 Views
    jimp
    https://redmine.pfsense.org/issues/11526
  • PFsense 2.5 Multiple Phase 1 not working

    0 Votes
    2 Posts
    532 Views
    jimp
    Both can coexist OK on 2.5.0/21.02, but something in your settings may be causing that. You need to provide a lot more information about your configuration, plus connection logs when it does/doesn't work to compare what happens. Typically that kind of thing happens when there is some overlap in the remote addresses on the tunnel or if the identifiers can't be matched. There are also a few known issues in 2.5.0 which could affect this, look at the other threads here in the IPsec category for a list of patches to try.
  • After upgrade to 2.5.0-RELEASE IPSec Tunnel Dashboard not working

    Locked Moved
    0 Votes
    3 Posts
    636 Views
    jimp
    There are several threads for this issue already here in the IPsec category. https://forum.netgate.com/category/17/ipsec
  • 21.02-RELEASE IPsec Mobile DNS Issues

    Moved 21.02
    0 Votes
    20 Posts
    3k Views
    @viktor_g Thanks for the super fast response. Unfortunately no improvement, DNS servers still not pushed. If I uncheck the "Provide a virtual IP address to clients" like the above workaround, the mobile pool is not loaded despite the patch.
  • Windows 10 IKEv2 TLS Dialin

    0 Votes
    3 Posts
    663 Views
    Just as an update, this is working well now. However, when RDPing to computers we get a warning that the Revocation check for our cert couldn't be completed. So I created a CRL in pfSense, exported it and imported it to computers and the warning has gone away. However on the CRL page it shows an X for the 'In Use' column for the CRL. Do I need to force this on the IPsec Mobile Client VPN? OR does X indicate it is in-use?!!! Thanks again :)
  • IKEv2 IPsec VPN with pfSense and Apple devices

    0 Votes
    12 Posts
    6k Views
    I know it's an old topic, but specifically because it's old I am asking that you actually update the official Docs with these conclusions and replace the "Set Peer Identifier to User Distinguished name, enter an e-mail address style identifier (e.g. user@example.com) – This isn’t used, but is currently required by the GUI" with "Set to Any". I would do this myself, but you don't seem to be hosting the Docs on GitHub anymore. I spent some 2 hours today at my wits' end trying to figure this out before I set the Local ID on my Mac to "user@example.com" and got it working.
  • IPSec Dashboard Widget not displaying proper status

    Locked
    0 Votes
    19 Posts
    3k Views
    jimp
    The status problem is already known and fixed. To ensure you have all of the current known and fixed IPsec issues corrected, you can install the System Patches package and then create entries for the following commit IDs to apply the fixes:
    ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
    57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
    10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
    ded7970ba57a99767e08243103e55d8a58edfc35 #11486
    afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
    2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.