pfSense version is: 2.4.5-RELEASE-p1 (amd64)

@derelict Someone is, however :)

@jimp Right now I’m using a LastPass generated password 16 charachter and just saving the credentials . Just abit concerned about this approach as it’s just 1fa , I’m saving the password and the vpn gives full access to my network Also, what does using certificates protect against ? Not sure on how it enhances security

@sgnoc Cool Great that my brainstorming was of help /Bingo

After even more investigation: Seams like the rules from WAN to pfSense where in place and effective. But what was missing: An allow rule from IPSec to the LAN. Is this "works as designed"? Even the DNS (the pfSense itself) was not reachable...

Everything is explained. Thank you for your answers!

@jimp said in IPSec mobile without certificate: There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though. Great! I just tested, it works! thank you Do I have to configure an "Action" in the ACME service so that it restarts IPSec server when renewing the certificate to take the new certificat or does it happen automatically without restart?

@reschi1 Regarding the NAT/BINAT configuration in the phase #2 I found this one: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html I think this is what matches my case: NAT - Overload/PAT Style If the Local Network is a subnet, but the NAT/BINAT Translation address is set to a single IP address, then a 1:many NAT (PAT) translation is set up that works like an outbound NAT rule on WAN. All outbound traffic will be translated from the local network to the single IP address in the NAT field. I think that my phase #2 configuration I posted above is clearly non-sense, isn't it? I'm talking about the translation configuration: Local Network: Address 123.231.231.227 NAT/BINAT translation: Address 123.231.231.227 To me it would be logical to configure it this way: Local Network: Network LAN subnet NAT/BINAT translation: Address 123.231.231.227 Reconfigured it accordingly, but still no traffic. Leaves the previous question: Do I have to configure additional NAT settings apart from the phase #2 NAT/BINAT configuration? What is more: I found this one https://forum.netgate.com/topic/140873/solved-inbound-traffic-with-nat-binat-translation-via-ipsec where it is claimed that not the site using a single IP address but the partner site has to configure NAT/BINAT settings. Now I'm rather confused.

@mrmaus Hi I abandon that project and shut down the openvpn in pfsense and will look for away to remove them, all of the vpn reference in pfsense(hahahah), What I did instead was to build a stand alone openvpn server that sits behind the pfsense and behind a proxy server, so far so good I would even say working a lot better than when the openvpn on pfsense was working and for sure better that the ipsec that I was trying to get working. If you can you may want to look into setting up a stand alone Openvpn server. Later B1 always

Has anyone figured out the issue? I can't get any documentation on how to correctly set a IPSec VPN between Pfsense and Checkpoint, it's like searching through the Bermuda triangle. Any help or pointers would be much appreciated...