  • IPSEC Site to Site Between pfSense and Meraki MX Odd Behavior

    0 Votes, 2 Posts, 453 Views

    do you have snort active?

    For me things like this are always related to IDS

  • 0 Votes, 2 Posts, 281 Views

    After reading a book about VPN I understood subnetting with an IPsec VPN and found the solution:

    Phase 2 must be configured like this:

    Phase2
    Local Network - LAN Network
    NAT / BINAT 10.4.11.120 /30
    Remote Network - 13.141.121.201

  • IPSec VTI pfSense 2.4.4 to pfsense 2.4.4

    0 Votes, 7 Posts, 843 Views, last reply by Derelict

    Just like you did for the route to 10.94.37.95/32 except on the other side of the tunnel and for 10.1.100.100.

  • IPsec P2 manual NAT possibility?

    0 Votes, 1 Post, 211 Views
    No one has replied
  • IPsec routed vti: phase2 not renewed

    0 Votes, 12 Posts, 1k Views

    @Abbys: luckily I still have the netstat output from the time the link was down:

    [2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
    169.254.22.149     link#27    UH      ipsec500
    169.254.22.150     link#27    UHS     lo0

    It's exactly the same now that the tunnel is up - except BGP has also installed a route to our AWS address space (10.30/16)

    [2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
    10.30.0.0/16       169.254.22.149   UG1     ipsec500
    169.254.22.149     link#27          UH      ipsec500
    169.254.22.150     link#27          UHS     lo0

    (The interface is actually ipsec5000, it's just been truncated in netstat output)

  • Route Traffic through two IPSEC tunnels (NAT)

    0 Votes, 2 Posts, 417 Views

    Just define a phase 2 for each of your C/D/E/F networks on the A-B tunnel (the networks are local networks for B and remote for A).

  • 0 Votes, 3 Posts, 345 Views

    @cyberfinn
    No
    See the documentation about the section config setup

    https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
    https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

  • IPSec tunnel with public ip in phase 2 (BINAT/Port Forward)

    0 Votes, 3 Posts, 1k Views

    Sorry for the late reply... You are our hero!
    I feel kind of stupid, as we did not test it like this.

    Best wishes,
    Yannick

  • IKEv2 Connection / NAS IP Attribute FreeRADIUS

    0 Votes, 2 Posts, 339 Views

    https://redmine.pfsense.org/projects/pfsense/repository/revisions/f15fdef37ff7c1fcaecc73f2927ba1d7775032b0/diff

    It was WAN before. So no reason to change for me.

  • Roadwarriors with native app

    0 Votes, 2 Posts, 460 Views

    IKEv2 works for Windows (Powershell Commands needed + Regedit change), android (Strongswan app) and iOS (Apple Configurator 2).

  • IPSEC random disconnect & stall

    0 Votes, 7 Posts, 1k Views, last reply by Derelict

    It will reconnect when there is interesting traffic.

    It is generally imperceptible to the user.

    The IPsec logs will say exactly what is happening. Don't just change things unless the logs indicate what the problem is and whatever you change is related to that.

    https://docs.netgate.com/pfsense/en/latest/book/ipsec/ipsec-troubleshooting.html

  • IPSec and VLANS in 1 side

    0 Votes, 3 Posts, 398 Views, last reply by periko

    @Derelict Thanks for your help.

  • Routed IPSEC not working

    0 Votes, 13 Posts, 1k Views

    The tunnel also didn't route IPv6 over itself, even though I had IPv4 & IPv6 P2s defined. Again, from the commandline I did this on one side:

    ifconfig ipsec1000 inet6 2600:3c01:e000:31e::2 prefixlen 112

    and this on the other:

    ifconfig ipsec1000 inet6 2600:3c01:e000:31e::1 prefixlen 112

    Giving me this:

    ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet 96.126.96.153 --> 73.140.16.217
    inet6 fe80::84b8:2eb3:a617:de8a%ipsec1000 prefixlen 64 scopeid 0x6
    inet6 2600:3c01:e000:31e::2 prefixlen 112
    inet 10.20.30.1 --> 10.20.30.2 netmask 0xfffffffc
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    reqid: 1000
    groups: ipsec

    And IPv6 worked.

  • Missing packets

    0 Votes, 2 Posts, 378 Views, last reply by Derelict

    Something probably changed in the path MTU between the two sites. Try setting MSS Clamping to something like 1350 on both sides (VPN > IPsec, Advanced Settings).

    Note how the 192.168.148.10 site is reporting an 8960 MSS value. Someone playing with jumbo frames and screwed the pooch there?

  • Lots of SPIs for one tunnel - High RAM ?

    0 Votes, 2 Posts, 264 Views, last reply by Derelict

    Highly doubtful those are filling your RAM but it could be causing issues.

    When a tunnel is rekeyed the old one is kept around until its lifetime expires.

    I would look at the IPsec logs and see who is initiating the tunnels when one already exists. When that is determined, attempt to figure out why they are doing that.

  • 0 Votes, 7 Posts, 1k Views, last reply by Derelict

    Not true.

    right = is the address being connected to/from
    rightid = is the identifier the other side is expected to present

    If an FQDN is used in the Remote Gateway of a connection, the FQDN is used as right = that.fqdn.tld

    Strongswan says this:

    If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time.

    The rightid could be pleasemakemyipsecwork as long as both sides agree.

    In dyndns situations it is usually necessary to set a specific identifier in My identifier (usually something like the dyndns host name of that side) on the side or sides that are suffering with dynamic addressing with a matching Remote identifier on the other side.

  • Trying to reach a site via VPN tunnel on an other local ip 192.

    0 Votes, 3 Posts, 438 Views, last reply by Derelict

    If pfSense is not the default gateway of the host that you are adding that route to, then you need the route there. IP Networking 101 and nothing to do with pfSense.

  • L2TP / IPSec connection where pfsense is the client

    0 Votes, 6 Posts, 614 Views, last reply by stephenw10

    Hmm, connecting directly from the Linux box as a client seems far more likely to work in all honesty. If that can't be made to work I'd be very surprised to see pfSense able to connect.

    Steve

  • IPsec / ovpns1 interface

    0 Votes, 2 Posts, 371 Views

    ovpns1 looks like OpenVPN, not IPsec.
    If you use IPsec you should configure firewall rules on the IPsec interface.
    If you use OpenVPN you should configure firewall rules on the OpenVPN interface.

    https://docs.netgate.com/pfsense/en/latest/book/openvpn/assigning-openvpn-interfaces.html

    Regards,
    Corrado

  • ipsec site2site and mobile ike on same wan interface?

    0 Votes, 2 Posts, 517 Views

    Yes, you can have site2site IPSEC and Mobile Clients on a single WAN at the same time.

    Did you check "Enable IPsec Mobile Client Support" in IPsec / Mobile Clients?

    https://forum.netgate.com/topic/113227/ikev2-vpn-for-windows-10-and-osx-how-to

    Regards,
    Corrado

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.