• Abandoned SAs associated to an IPSEC tunnel

    0 Votes
    2 Posts
    285 Views
    jimp

    It's normal to see extra copies in there depending on how the negotiation/rekey happened. As long as your traffic is flowing and the tunnel rekeys when needed and keeps going, it's not worth worrying about.

  • IPSec Fortigate to pfSense Routing issue

    0 Votes
    2 Posts
    492 Views

    Solved,
    the cause was a misconfigured policy on the Fortigate. In the policies for (incoming/outgoing) traffic the "NAT" switch was enabled. Why the Fortigate chose the IP address of the DMZ interface instead of the IP of the WAN interface is a mystery to me. So I was wrong when I said I didn't have a network with the IP 192.168.31.9. This IP was configured for an older test scenario but not used anymore, and even the interface was not connected.

  • IPSec Site to Site with peer behind CGNAT

    0 Votes
    3 Posts
    4k Views

    For anyone who is interested (n00b here), I got it to work (branch to pfSense only):

    Phase 1 remote subnet on pfsense has to be 0.0.0.0 with responder only option checked.

    On the Huawei side, the following command had to be configured:

    ipsec authentication sha2 compatible enable

    the result is:

    (screenshot attached)

    The problem now is that pfSense does not direct traffic destined for the remote subnet (i.e. 10.2.20.0) through IPsec; it uses WAN0 for that. Any ideas?

    [update] working now, was pinging from the wrong device.

  • Better way to connect multiple site to sites than a lot of Phase 2s?

    0 Votes
    4 Posts
    421 Views
    Derelict

    You might also consider establishing a couple of hubs so you have redundancy and connect all other sites to both of those.

    A full mesh really does not scale well.

  • IPSEC Site To Site

    0 Votes
    9 Posts
    961 Views
    Derelict

    Each side should initiate when there is traffic matching the traffic selector.

    In many cases you can make this happen by setting the "Automatically ping host" entry in each P2 to something on the other side (it just has to match the remote network; it doesn't actually have to respond to ping).

    Tunnels generally come up very quickly and the fact that the tunnel was not actually up when the traffic is initiated is not noticed by users or applications.

  • Solved: Can't assign ipsec* Interface

    0 Votes
    9 Posts
    2k Views

    @Derelict
    doh
    Thanks a lot ... that was it ;)

    Thanks

  • Watchguard to Netgate SG-3100

    0 Votes
    2 Posts
    422 Views
    Derelict

    Probably firewalls (think windows firewall) local on the hosts you are trying to ping. Or Anti-virus, endpoint protection, or some other software on the target host itself.

  • IPsec/L2TP how to see attached clients

    0 Votes
    5 Posts
    3k Views

    @chonkat Status >>> System Logs >>> VPN >>> L2TP Logins
    Is that what you are looking for?

  • Setting up IPsec VPN pfsense to dsr dlink-1000 router

    0 Votes
    32 Posts
    3k Views
    Derelict

    And probably about time to ask on the D-Link forums instead of here.

  • Schedules for IPSec tunnels

    0 Votes
    8 Posts
    712 Views
    Derelict

    @sepp_huber said in Schedules for IPSec tunnels:

    There is no feature to disable it, it must be deleted to stop billing ... and if you create it again you get a new configuration, not very cost efficient...

    That's why many people put pfSense in AWS and IPsec to that.

  • [Feature/Extension] Road warrior subnet per EAP-identity

    0 Votes
    13 Posts
    3k Views

    In case the change is not working, do we need to add another change or bug request somewhere? Because the idea and feature are quite useful.

  • IKEv2 Connects but internet is very slow

    0 Votes
    21 Posts
    2k Views
    Derelict

    That looks like the Ethernet LAN on the client.

  • Site to Site with two pfsense boxes

    0 Votes
    9 Posts
    831 Views
    Derelict

    You can ping from the pfSense GUI if one of the firewall interfaces is an interesting source for the traffic selector.

    For instance, if the pfSense LAN network is a local network in IPsec you just need to select LAN as the Source address in Diagnostics > Ping. It sets the -S flag to the ping command.

  • IPsec with AWS

    0 Votes
    2 Posts
    352 Views

    I have an IPsec tunnel set up. I even went and set up bidirectional rules for IPsec. The problem I am having is that when I ping my host in my VPC, it sends that ICMP traffic to my LAN interface and not the IPsec interface as it should have (per the policy-based rules). I had several peers look over my rules and all said it should work.

  • IPSEC VPN server and Site-to-site connection

    0 Votes
    2 Posts
    675 Views
    kiokoman

    You can have multiple tunnels configured, I don't see why not.

  • IPsec Phase 1 and Phase 2 connected but no routing to tunnel

    0 Votes
    6 Posts
    806 Views

    I thought so, there have to be installations with many SAs.
    But who really knows. I transferred the settings to an alternative firewall and the tunnel was established immediately and the routing worked. I will try to reconstruct the problem and post the logs.

  • 0 Votes
    10 Posts
    2k Views

    That's it!

    It's the most important part of the whole tutorial, which got lost just between the lines :/

    In my case I had to enter "Rocky*** Certificate Authority".

    (screenshot attached)

    @Konstanti: Thank you sooo much for your help! And I'm so sorry for asking such stupid questions :/

    At least I know another possible way; I can set up my IKEv2 without having to set up profiles 😓

    Marti

  • IPSEC will not apply setting

    0 Votes
    3 Posts
    385 Views

    Nothing, just these logs. I can't understand why... it's on brand new Dell hardware.

    From IPsec log:
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> nothing to initiate
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating new tasks
    Jul 22 08:56:31 charon 11[NET] <con3000|563> sending packet: from 100.19.77.74[500] to 216.164.171.58[500] (108 bytes)
    Jul 22 08:56:31 charon 11[ENC] <con3000|563> generating INFORMATIONAL_V1 request 3146799562 [ HASH N(DPD_ACK) ]
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating ISAKMP_DPD task
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating new tasks
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> queueing ISAKMP_DPD task
    Jul 22 08:56:31 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 1238973164 [ HASH N(DPD) ]
    Jul 22 08:56:31 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)
    Jul 22 08:56:31 charon 11[MGR] IKE_SA con3000[563] successfully checked out
    Jul 22 08:56:31 charon 11[MGR] checkout IKEv1 SA by message with SPIs 9d5e1f8e6adf1cbe_i e26f984e1fc164ba_r
    Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin of IKE_SA successful
    Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin IKE_SA con1000[559]
    Jul 22 08:56:23 charon 11[MGR] IKE_SA con1000[559] successfully checked out
    Jul 22 08:56:23 charon 11[MGR] checkout IKEv1 SA with SPIs 68e88993f39f80e4_i c2379c57f6bf9e70_r
    Jul 22 08:56:22 charon 11[MGR] <con3000|563> checkin of IKE_SA successful
    Jul 22 08:56:22 charon 11[MGR] <con3000|563> checkin IKE_SA con3000[563]
    Jul 22 08:56:22 charon 11[IKE] <con3000|563> nothing to initiate
    Jul 22 08:56:22 charon 11[IKE] <con3000|563> activating new tasks
    Jul 22 08:56:22 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 3928395168 [ HASH N(DPD_ACK) ]
    Jul 22 08:56:22 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)
    Jul 22 08:56:22 charon 11[MGR] IKE_SA con3000[563] successfully checked out

    From system log:
    Jul 22 08:00:07 check_reload_status Reloading filter
    Jul 22 04:00:24 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 05:00:04 php [pfBlockerNG] Starting cron process.
    Jul 22 05:00:04 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 09:00:04 check_reload_status Reloading filter
    Jul 22 05:00:37 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 06:00:03 php [pfBlockerNG] Starting cron process.
    Jul 22 06:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 10:00:03 check_reload_status Reloading filter
    Jul 22 06:01:09 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 06:14:21 ix-pfsense.inolex.local nginx: 2019/07/22 06:14:21 [error] 9680#100494: *154050 "/usr/local/www/english/index.php" is not found (2: No such file or directory), client: 185.114.76.44, server: , request: "GET http://www.rfa.org/english/ HTTP/1.1", host: "www.rfa.org"
    Jul 22 07:00:07 php [pfBlockerNG] Starting cron process.
    Jul 22 07:00:07 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 11:00:07 check_reload_status Reloading filter
    Jul 22 07:05:06 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 07:31:31 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 07:31:33 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 08:00:03 php [pfBlockerNG] Starting cron process.
    Jul 22 08:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 12:00:03 check_reload_status Reloading filter
    Jul 22 08:00:20 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 08:25:22 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 08:25:24 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 08:34:18 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 08:34:20 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 08:44:24 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 08:44:26 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 12:57:31 php-fpm /status_logs.php: Successful login for user 'admin' from: 192.168.102.247 (Local Database)
    Jul 22 09:00:03 php [pfBlockerNG] Starting cron process.
    Jul 22 09:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 13:00:03 check_reload_status Reloading filter

  • Pfsense box reach the remote network

    0 Votes
    4 Posts
    387 Views

    The IPsec setup is explained well and in detail in the docs: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

    In short, assuming you have:
    Site1 with LAN: 10.10.1.0/24

    Site2 with LAN: 10.11.1.0/24

    Set the phase 2 at site 1:
    Local Network: 10.10.1.0/24
    Remote Network: 10.11.1.0/24

    At site 2 set the phase 2 the other way round:
    Local Network: 10.11.1.0/24
    Remote Network: 10.10.1.0/24

  • IPSEC Site to Site Between pfSense and Meraki MX Odd Behavior

    0 Votes
    2 Posts
    453 Views

    Do you have Snort active?

    For me things like this are always related to IDS.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.