• IKEv2 Source NAT Configuration

    3
    0 Votes
    3 Posts
    491 Views
    N
    That seems to have done the trick. Thanks a lot!
  • Only one P2 tunnel available at a time?

    3
    0 Votes
    3 Posts
    484 Views
    jimpJ
    More than likely it's a problem with the other end, not pfSense, though not sure what it might be exactly. Probably best to check the remote side status/logs to find out what it thinks is happening.
  • Make Before Break - Which Firewalls Support it

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    I'm not aware of any list, but if you are using IKEv2, you are better off switching to Rekey instead of using Reauth+Make-before-break. On 2.4.x, uncheck Disable Rekey and check Disable Reauth. On 2.5.0, put the lifetime value in the rekey box and leave reauth empty.
  • Pfsense FreeRadius3 multiotp

    4
    0 Votes
    4 Posts
    962 Views
    A
    You don't need "mschap multiotpmschap".
    Step 1: The first line of multiotp.php is wrong (#!/usr/bin/php -> #!/usr/local/bin/php). Put multiotp.php in /usr/local/bin/multiotp/.
    Step 2: chmod +x /usr/local/bin/multiotp/multiotp.php
    Maybe change the timezone: ./multiotp.php -config timezone=Europe/Zurich (which is the default)
    ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
    You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your pfSense and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.
    Step 3: freeradius.inc is in /usr/local/pkg/; add (after "with_ntdomain_hack = yes"):
    ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
    Step 4: Restart
    Step 5: Try to connect again
    Edit: Error 98 = Authentication failed (wrong token length) -> 1234 + 6-digit code from the app
  • Mobile clients with OTP

    10
    0 Votes
    10 Posts
    3k Views
    A
    Step 1: The first line of multiotp.php is wrong (#!/usr/bin/php -> #!/usr/local/bin/php). Put multiotp.php in /usr/local/bin/multiotp/.
    Step 2: chmod +x /usr/local/bin/multiotp/multiotp.php
    Maybe change the timezone: ./multiotp.php -config timezone=Europe/Zurich (which is the default)
    ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
    You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your pfSense and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.
    Step 3: freeradius.inc is in /usr/local/pkg/; add (after "with_ntdomain_hack = yes"):
    ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
    Step 4: Restart
    Step 5: Not needed
    (Other info)
    /etc/multiotp/ -> all data can be found here
    failure_delayed_time -> 300
    max_block_failures -> 6
    max_delayed_failures -> 3
    multiotp.ini in /etc/multiotp/config/: change -> max_block_failures=-1
    multiotp.php in /usr/local/bin/multiotp/: change -> if ($this->GetUserErrorCounter() <= $this->GetMaxBlockFailures()) {
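What the VPN user actually has to type for the multiOTP setup described in this thread and in "Pfsense FreeRadius3 multiotp" above, as an added example that is not multiOTP's, FreeRADIUS's or pfSense's code: an RFC 6238 TOTP generator plus a verifier that reports the same "wrong token length" condition the poster hit when the PIN was sent without the 6-digit code. It assumes the 32-hex-character string passed to -create is the hex-encoded HMAC-SHA1 seed and that the token uses the RFC defaults (30-second step, 6 digits); the seed and the PIN 1234 are the example values from the post, not real credentials. The RFC 6238 test-vector seed is used to check the arithmetic.

```python
"""RFC 6238 TOTP with a PIN prefix, modelled on the multiOTP setup in the post.

Added example; assumptions (not confirmed by the post): the hex seed is the raw
HMAC-SHA1 key, 30-second step, 6 digits, PIN is typed immediately before the code.
"""
import hashlib
import hmac
import struct
import time

# Example values from the forum post (the seed is the poster's sample, not a real secret).
EXAMPLE_HEX_SEED = "5dc0424b2e7922f3472a0f8429a80b12"
EXAMPLE_PIN = "1234"

# RFC 6238 Appendix B test seed ("12345678901234567890" in ASCII), hex-encoded.
RFC6238_SHA1_SEED_HEX = "3132333435363738393031323334353637383930"

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (timezone is irrelevant)."""
    return hotp(secret, for_time // step, digits)


def totp_from_hex_seed(hex_seed: str, for_time: int) -> str:
    """The seed in the post is hex text; it must be decoded to bytes before use as the HMAC key."""
    return totp(bytes.fromhex(hex_seed), for_time)


def expected_password(pin: str, hex_seed: str, for_time: int) -> str:
    """What the user types in the VPN client: PIN immediately followed by the 6-digit code."""
    return pin + totp_from_hex_seed(hex_seed, for_time)


def verify(password: str, pin: str, hex_seed: str, now: int, window: int = 1):
    """Server-side check in the order the failure in the post suggests:
    length first ('wrong token length' when only the PIN is sent), then the PIN,
    then the code against the current step and +/- `window` neighbouring steps.
    Returns (ok, reason)."""
    if len(password) != len(pin) + DIGITS:
        return False, "wrong token length"
    if not hmac.compare_digest(password[:len(pin)].encode(), pin.encode()):
        return False, "wrong PIN"
    secret = bytes.fromhex(hex_seed)
    code = password[len(pin):].encode()
    for k in range(-window, window + 1):
        candidate = totp(secret, now + k * STEP_SECONDS).encode()
        if hmac.compare_digest(code, candidate):
            return True, "ok"
    return False, "wrong code"


if __name__ == "__main__":
    now = int(time.time())
    print("type this now:", expected_password(EXAMPLE_PIN, EXAMPLE_HEX_SEED, now))
    print(verify(expected_password(EXAMPLE_PIN, EXAMPLE_HEX_SEED, now), EXAMPLE_PIN, EXAMPLE_HEX_SEED, now))
```

The one-step window accepts the code from the previous or next 30-second slot, which is what tolerates a little clock skew between phone and firewall; since the counter is derived from Unix time, what matters on the pfSense side is a correct clock, not the timezone setting from the post. A 4-digit PIN in front of a 6-digit code only resists online guessing because of multiOTP's failure counters, so loosening max_block_failures as in the "other info" above weakens that protection.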
  • 0 Votes
    2 Posts
    354 Views
    roncbkR
    This might sound crazy but, in your OpenVPN settings under IPv4 Local network(s), there is a space between the comma and the 192.168.251.0/24. I would remove that space. I don't know if it will help, but the instructions do read "comma-separated" - no mention of spaces. Otherwise I don't see anything wrong with your setup, and I do have a similar setup here which works fine (the other end of my IPSec tunnel is an Azure VNet).
  • IPSec Site to Site between NAT

    2
    0 Votes
    2 Posts
    369 Views
    G
    I THINK I have a similar setup as you do... On one location I have pfSense directly connected to the Internet, and the other site (my summer house) is using a 4G router which of course has its own NAT. I am using a Dynamic DNS service for both locations (DynDNS and afraid). So on both ends I use the DNS name I have chosen for the respective Remote Gateways. But on the pfSense box (connected directly to the Internet) I set the peer identifier to the "internal WAN" of the other VPN server, not the public IP address (or DNS). In my case I have the LAN side of the 4G router set to 192.168.3.1 and the WAN it provides the ER-X is 192.168.3.10. So I select IP address for peer identifier in pfSense and type in 192.168.3.10. That's all there is to it...
  • IPSEC Tunnels using VTI disconnect and dont reconnect

    2
    0 Votes
    2 Posts
    493 Views
    jimpJ
    https://redmine.pfsense.org/issues/9767#note-1
  • 0 Votes
    2 Posts
    381 Views
    N
    Any ideas here? Thank you!
  • 0 Votes
    3 Posts
    180 Views
    No one has replied
  • basic ipsec tunnel traffic one way.

    1
    3
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • Child-SA only one-way

    9
    0 Votes
    9 Posts
    3k Views
    O
    @Konstanti I'll see what I can do.
  • 0 Votes
    4 Posts
    2k Views
    jimpJ
    Unfortunately it doesn't look like strongSwan will log the ID type. Not sure why, seems like it would be rather useful. Since the fortigate is manually specifying an ID of an unknown type you might have better luck using a "Key ID" string or "User Distinguished Name" type. Put a custom string in the FortiGate side, like "fortigatevpn" and then put the same string on pfSense in the Peer identifier using one of the types I mentioned. strongSwan will automatically use the type most appropriate for the given string in most cases, but if the far side is deliberately using the "wrong" type for values in that field, it might be difficult to force a match using a string which should be a specific (different) type.
  • 0 Votes
    2 Posts
    365 Views
    I
    Debug 1: Due to the cloud default VPC setup, the default route of the backend hosts is not set to the pfSense gateway. I am able to ping any hosts behind the gateway after setting the correct default route, and vice versa. However, any other services don't seem to work correctly. For example, ssh took more than a minute to see the prompt for checking the remote host key, and another minute to prompt for the password. It is definitely not normal to wait for minutes for the ssh password prompt, although ping responded normally. It even connected, but as if it is in slow motion, even worse than an old PBX 128k baud modem rate! I am checking the firewall rules closely for any other hints, but if the firewall is blocking, I shouldn't be able to connect at all? Or is this still a routing issue, e.g. the packet is routed all incorrectly?
  • Routing between 3 Site to Site VPNs (IPSEC)

    Moved
    5
    0 Votes
    5 Posts
    810 Views
    P
    Ok thx, does anybody know where to configure the P2 entries in a LANCOM Router?
  • L2TP - users cannot connect after few days of normal working

    1
    1 Votes
    1 Posts
    340 Views
    No one has replied
  • IPsec Encryption key for debugging in Wireshark

    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
  • limits encryption domain IPSEC max 12

    2
    0 Votes
    2 Posts
    169 Views
    jimpJ
    There are no limits on IPsec tunnels imposed by pfSense.
  • Client Routing table with Mobile Ipsec

    2
    0 Votes
    2 Posts
    401 Views
    A
    I found the reason why the routing was problematic. My local network is on the network range 10.0.0.0/24. I've created an account for a coworker; his local network range is 192.168.0.0/24. He doesn't need to add routes and he can connect to any server on the other side of the tunnel.
    The virtual IP pool is set to 192.168.10.0/27, which can be set under VPN -> IPSec -> Mobile Clients -> Virtual Address Pool.
    I've made a workaround: created a bash script:
        #!/bin/bash
        # gateway column of the first routing-table line that mentions the VPN pool
        vpn_lanip=`netstat -rn|awk '/192.168.10/{print $2}'|head -1`
        if [[ $vpn_lanip != "" ]]; then
            # re-point the remote LAN route at the tunnel gateway
            route delete -net 10.0.0.0/24 $vpn_lanip
            route add -net 10.0.0.0/24 $vpn_lanip
        fi
    Then created a plist file: /Library/LaunchDaemons/network.watcher.plist
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>Label</key>
            <string>network.watcher</string>
            <key>ProgramArguments</key>
            <array>
                <string>/bin/bash</string>
                <string>/Users/arno/routes.sh</string>
            </array>
            <key>WatchPaths</key>
            <array>
                <string>/Library/Preferences/SystemConfiguration</string>
            </array>
        </dict>
        </plist>
    Then activated the network watcher daemon, which performs actions if network changes are detected:
        sudo launchctl load /Library/LaunchDaemons/network.watcher.plist
    There is a slight delay for the route propagation of about 10 seconds, but it works for me.
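The route-fixup script in the post selects the gateway with an unanchored substring match (/192.168.10/), which also matches a 192.168.100.x route or a "192.168.10/27 link#N" interface route if one sorts first. As an added example, not the poster's script, the Python below parses a constructed routing table in the layout macOS netstat -rn prints and picks the gateway by membership in the virtual address pool instead, returning the two route commands as strings rather than executing them. The pool 192.168.10.0/27 and remote LAN 10.0.0.0/24 are the values from the post; the table contents are made up to show the pitfall, not a real capture.

```python
"""Pick the mobile-IPsec virtual-IP gateway from a routing table by network membership.

Added example (not from the forum post). SAMPLE_NETSTAT is a constructed table in the
shape of macOS `netstat -rn` output; column layout and entries are illustrative.
"""
import ipaddress

VPN_POOL = ipaddress.ip_network("192.168.10.0/27")   # Virtual Address Pool from the post
REMOTE_LAN = "10.0.0.0/24"                           # network behind the pfSense box

# Constructed sample: an interface route and a 192.168.100.x route deliberately
# sort before the host route that carries the virtual IP as its gateway.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.0.1        UGScg          en0
127                127.0.0.1          UCS            lo0
192.168.0          link#6             UCS            en0
192.168.10/27      link#16            UCS            utun4
192.168.100.7      192.168.100.1      UGHS           en0
192.168.10.5       192.168.10.5       UH             utun4
"""


def naive_first_match(text: str):
    """Mirrors `awk '/192.168.10/{print $2}' | head -1`: first line containing the substring."""
    for line in text.splitlines():
        if "192.168.10" in line:
            return line.split()[1]
    return None


def parse_routes(text: str):
    """Return rows (dest, gateway, flags, netif) from every table section after a header line."""
    rows, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["Destination", "Gateway"]:
            in_table = True          # header of the Internet: or Internet6: section
            continue
        if not in_table or len(parts) < 4:
            continue                 # blank lines, section titles, malformed rows
        rows.append({"dest": parts[0], "gw": parts[1], "flags": parts[2], "netif": parts[3]})
    return rows


def find_vpn_gateway(text: str, pool=VPN_POOL):
    """First route whose gateway is an IP address inside the virtual pool.
    link#N, MAC addresses and addresses outside the pool are skipped."""
    for row in parse_routes(text):
        try:
            gw = ipaddress.ip_address(row["gw"])
        except ValueError:
            continue
        if gw in pool:
            return str(gw)
    return None


def route_commands(text: str, remote_lan: str = REMOTE_LAN, pool=VPN_POOL):
    """The commands the post's script runs, built from the correctly selected gateway."""
    gw = find_vpn_gateway(text, pool)
    if gw is None:
        return []
    return [f"route delete -net {remote_lan} {gw}", f"route add -net {remote_lan} {gw}"]


if __name__ == "__main__":
    print("substring match picks:", naive_first_match(SAMPLE_NETSTAT))
    print("pool membership picks:", find_vpn_gateway(SAMPLE_NETSTAT))
    for cmd in route_commands(SAMPLE_NETSTAT):
        print(cmd)
```

To use it on a real machine, feed it the output of subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout and only execute the returned commands when find_vpn_gateway is not None; the script in the post already guards on an empty value, and the same guard applies here.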
  • How do i revoke a user certificate from PFSense?

    8
    0 Votes
    8 Posts
    2k Views
    O
    @johnpoz said in How do i revoke a user certificate from PFSense?: when do users get a cert in ipsec? Don't they just use the KEY ID as their username? Never setup ipsec with such login before. I am not really sure what you mean. I create a user certificate using the CA manager within pfSense. The manager points to my own Microsoft CA server. I install that user + root certificate onto my phone and create an IKEv2 EAP-TLS (certificate) profile within strongSwan. And normally when I delete the user certificate I cannot connect anymore. With this pfSense installation I am still able to connect. (Delete / Revoke has got the same end result)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.