• IPSec Tunnel stops working if I try to SSH to the other Firewall

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • Is "Mutual RSA" to be considered safe?

    4
    0 Votes
    4 Posts
    469 Views

    @jimp Thank you!

  • IPSec VTI intermittently stops passing traffic

    5
    0 Votes
    5 Posts
    667 Views
    cemyl95

    @marcquark Thanks! It'll probably be a day or two before I can get over to the far side to try this but I'll let you know how it goes.

  • IPSec on Virtual IP fails auth

    1
    0 Votes
    1 Posts
    189 Views
    No one has replied
  • IPSec tunnel and VoIP

    3
    0 Votes
    3 Posts
    423 Views

    @froussy I have this kind of problem when PHP is eating all CPU on my pfSense (check my post). Is your CPU load ok when you have problems?

  • Mobile IPSec + Routed Site to Site

    2
    1 Votes
    2 Posts
    287 Views
    cemyl95

    @trs_91 I've been running into the same issue. I haven't had time to troubleshoot it really (my workaround is to RDP into a local server then jump over the site to site from there) but I'm interested to see where this thread goes.

  • IPSEC pfSense to pfSense with one behind another pfSense

    1
    0 Votes
    1 Posts
    163 Views
    No one has replied
  • IPSEC tunnel to 0.0.0.0/0 problem

    1
    0 Votes
    1 Posts
    278 Views
    No one has replied
  • ping failed

    2
    0 Votes
    2 Posts
    202 Views

    Hi,
    do you need any other information?
    Thanks.

  • IPsec: CREATE_CHILD_SA request failed

    1
    0 Votes
    1 Posts
    396 Views
    No one has replied
  • Timeout saving IPSECs

    4
    0 Votes
    4 Posts
    429 Views

    I restarted the unit. The GUI reports "configuring IPSEC VPN.." and it took a lot of MINUTES to complete it...

    Connected via SSH during boot I see php-fm + php-cgi working a lot

  • How to nat OPT interface to WAN and get it through tunnel?

    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Can I use only 2 Phase2 per phase1 on pfSense?

    5
    0 Votes
    5 Posts
    505 Views

    I set the IKE to V2 now.

    There is no traffic yet. I have to check if this is running before I can proceed to fight with the firewall and the routing, I think...
    But the child SAs always tell me the first 2 available connections that are enabled, no matter which one.

    This time it shows only one; maybe the 2nd server on the other side is switched off.

    I cleaned the IP address out because it's a public IP.

    con1000:
    #236 192.168.33.61/32
    Local: cd989838
    Remote: 60c4ba15 xxx.xxx.xxx.xxx/32
    Rekey: 2542 seconds (00:42:22)
    Life: 3472 seconds (00:57:52)
    Install: 128 seconds (00:02:08) AES_CBC
    HMAC_SHA1_96
    IPComp: none Bytes-In: 0 (0 B)
    Packets-In: 0
    Bytes-Out: 0 (0 B)
    Packets-Out: 0

    When I disable these first two entries it shows me (again I cleaned addresses out for being public, this time all):

    con1000:
    #238 xxx.xxx.xxx.xxx/32
    Local: c144a229
    Remote: 549b87ca xxx.xxx.xxx.xxx/32
    xxx.xxx.xxx.xxx/32
    Rekey: 2892 seconds (00:48:12)
    Life: 3595 seconds (00:59:55)
    Install: 5 seconds (00:00:05) AES_CBC
    HMAC_SHA1_96
    IPComp: none Bytes-In: 0 (0 B)
    Packets-In: 0
    Bytes-Out: 0 (0 B)
    Packets-Out: 0

    Of course the remote addresses are different ones from the ones before.

  • Cisco VXR to Pfsense GRE Tunnel

    2
    0 Votes
    2 Posts
    359 Views

    pfSense settings
    Internet Protocol: IPv4
    Interface: WAN
    Authentication method: Mutual PSK
    Negotiation mode: Main
    My identifier: x.x133.66
    Peer identifier: x.x96.242
    Pre-Shared Key:
    Policy Generation: Default
    Proposal Checking: Default
    Encryption algorithm: AES 256 bits
    Hash algorithm: SHA
    DH key group: 5
    Lifetime: 28800
    NAT Traversal: Disable
    Dead Peer Detection
    Enable: 10 seconds, 5 retries

  • IPSEC Problem 0.0.0.18/32 address

    1
    0 Votes
    1 Posts
    207 Views
    No one has replied
  • IKEv2 - Phase 1 - 'Pre-Shared Key' field not available/visible

    2
    0 Votes
    2 Posts
    235 Views
    jimp

    You appear to be editing a mobile IPsec tunnel. That's not the same as what you're reading in the docs.

    For site-to-site tunnels, yes, Mutual PSK will show that field and button. For mobile IPsec, each user has their own key, so you add them on the Pre-Shared Keys tab.

  • 0 Votes
    8 Posts
    757 Views

    @gribfk

    1. Show the phase-2 settings
    2. Show the output of the command ipsec statusall after the IPSEC connection is established
    3. Show the firewall rules on the VLAN10 interface
    4. Show the output of the command tcpdump -netti enc0 when trying to access the 172.16.0.0/16 network

  • Mobile IPSec tunnel fails on big WAN flows (MSS issue)

    2
    0 Votes
    2 Posts
    369 Views

    Shameless bump...

    Any ideas very much welcome. It's odd that the same config works fine elsewhere. It's not the encryption engine as I can do 300Mbit between sites LAN to LAN. It's only when WAN is involved.

    Thanks,

    James

  • Firewall blocking IPSec traffic

    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • TCP urgent pointer stripped by IPSEC?

    1
    0 Votes
    1 Posts
    164 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.