• Watchguard to Netgate SG-3100

    2
    0 Votes
    2 Posts
    477 Views
    DerelictD
    Probably firewalls (think Windows Firewall) local on the hosts you are trying to ping. Or anti-virus, endpoint protection, or some other software on the target host itself.
  • IPsec/L2TP how to see attached clients

    5
    0 Votes
    5 Posts
    3k Views
    C
    @chonkat Status >>> System Logs >>> VPN >>> L2TP Logins. Is that what you are looking for?
  • Setting up IPsec VPN pfsense to dsr dlink-1000 router

    32
    0 Votes
    32 Posts
    4k Views
    DerelictD
    And probably about time to ask on the D-Link forums instead of here.
  • Schedules for IPSec tunnels

    8
    0 Votes
    8 Posts
    904 Views
    DerelictD
    @sepp_huber said in Schedules for IPSec tunnels: There is no feature to disable it, it must be deleted to stop billing ... and if you create it again you get a new configuration, not very cost efficient... That's why many people put pfSense in AWS and IPsec to that.
  • [Feature/Extension] Road warrior subnet per EAP-identity

    13
    0 Votes
    13 Posts
    3k Views
    A
    In case the change is not working, do we need to add another change or bug request somewhere? Because the idea and feature is quite useful.
  • IKEv2 Connects but internet is very slow

    21
    0 Votes
    21 Posts
    2k Views
    DerelictD
    That looks like the Ethernet LAN on the client.
  • Site to Site with two pfsense boxes

    9
    10
    0 Votes
    9 Posts
    1k Views
    DerelictD
    You can ping from the pfSense GUI if one of the firewall interfaces is an interesting source for the traffic selector. For instance, if the pfSense LAN network is a local network in IPsec you just need to select LAN as the Source address in Diagnostics > Ping. It sets the -S flag to the ping command.
  • IPsec with AWS

    2
    0 Votes
    2 Posts
    409 Views
    S
    I have an IPsec tunnel set up. I even went and set up bidirectional rules for IPsec. The problem I am having is that when I ping my host in my VPC, it sends that ICMP traffic to my LAN interface and not the IPsec interface as it should have (per the policy-based rules). I had several peers look over my rules and all said it should work.
  • IPSEC VPN server and Site-to-site connection

    ipsec server site-to-site
    2
    0 Votes
    2 Posts
    874 Views
    kiokomanK
    You can have multiple tunnels configured, I don't see why not.
  • IPsec Phase 1 and Phase 2 connected but no routing to tunnel

    6
    0 Votes
    6 Posts
    969 Views
    G
    I thought so, there have to be installations with many SAs. But who really knows. I transferred the settings to an alternative firewall and the tunnel was established immediately and the routing worked. I will try to reconstruct the problem and post the logs.
  • 0 Votes
    10 Posts
    2k Views
    M
    That's it! It's the most important part of the whole tutorial, which got lost just between the lines :/ In my case I had to enter "Rocky*** Certificate Authority". [image: 1563902449443-bildschirmfoto-2019-07-23-um-19.16.46.png] @Konstanti: Thank you sooo much for your help! And I'm so sorry for asking such stupid questions :/ At least I know another possible way, I can set up my IKEv2 without having to set up profiles. Marti
  • IPSEC will not apply setting

    3
    0 Votes
    3 Posts
    472 Views
    P
    Nothing, just these logs. I can't understand why... it's on brand new Dell hardware.
    From IPSEC LOG:
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> nothing to initiate
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating new tasks
    Jul 22 08:56:31 charon 11[NET] <con3000|563> sending packet: from 100.19.77.74[500] to 216.164.171.58[500] (108 bytes)
    Jul 22 08:56:31 charon 11[ENC] <con3000|563> generating INFORMATIONAL_V1 request 3146799562 [ HASH N(DPD_ACK) ]
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating ISAKMP_DPD task
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> activating new tasks
    Jul 22 08:56:31 charon 11[IKE] <con3000|563> queueing ISAKMP_DPD task
    Jul 22 08:56:31 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 1238973164 [ HASH N(DPD) ]
    Jul 22 08:56:31 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)
    Jul 22 08:56:31 charon 11[MGR] IKE_SA con3000[563] successfully checked out
    Jul 22 08:56:31 charon 11[MGR] checkout IKEv1 SA by message with SPIs 9d5e1f8e6adf1cbe_i e26f984e1fc164ba_r
    Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin of IKE_SA successful
    Jul 22 08:56:23 charon 11[MGR] <con1000|559> checkin IKE_SA con1000[559]
    Jul 22 08:56:23 charon 11[MGR] IKE_SA con1000[559] successfully checked out
    Jul 22 08:56:23 charon 11[MGR] checkout IKEv1 SA with SPIs 68e88993f39f80e4_i c2379c57f6bf9e70_r
    Jul 22 08:56:22 charon 11[MGR] <con3000|563> checkin of IKE_SA successful
    Jul 22 08:56:22 charon 11[MGR] <con3000|563> checkin IKE_SA con3000[563]
    Jul 22 08:56:22 charon 11[IKE] <con3000|563> nothing to initiate
    Jul 22 08:56:22 charon 11[IKE] <con3000|563> activating new tasks
    Jul 22 08:56:22 charon 11[ENC] <con3000|563> parsed INFORMATIONAL_V1 request 3928395168 [ HASH N(DPD_ACK) ]
    Jul 22 08:56:22 charon 11[NET] <con3000|563> received packet: from 216.164.171.58[500] to 100.19.77.74[500] (108 bytes)
    Jul 22 08:56:22 charon 11[MGR] IKE_SA con3000[563] successfully checked out
    From System log:
    Jul 22 08:00:07 check_reload_status Reloading filter
    Jul 22 04:00:24 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 05:00:04 php [pfBlockerNG] Starting cron process.
    Jul 22 05:00:04 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 09:00:04 check_reload_status Reloading filter
    Jul 22 05:00:37 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 06:00:03 php [pfBlockerNG] Starting cron process.
    Jul 22 06:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 10:00:03 check_reload_status Reloading filter
    Jul 22 06:01:09 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 06:14:21 ix-pfsense.inolex.local nginx: 2019/07/22 06:14:21 [error] 9680#100494: *154050 "/usr/local/www/english/index.php" is not found (2: No such file or directory), client: 185.114.76.44, server: , request: "GET http://www.rfa.org/english/ HTTP/1.1", host: "www.rfa.org"
    Jul 22 07:00:07 php [pfBlockerNG] Starting cron process.
    Jul 22 07:00:07 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 11:00:07 check_reload_status Reloading filter
    Jul 22 07:05:06 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 07:31:31 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 07:31:33 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 08:00:03 php [pfBlockerNG] Starting cron process.
    Jul 22 08:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 12:00:03 check_reload_status Reloading filter
    Jul 22 08:00:20 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Jul 22 08:25:22 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 08:25:24 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 08:34:18 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 08:34:20 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 08:44:24 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:26 to 00:11:32:6b:64:25 on igb0
    Jul 22 08:44:26 kernel arp: 192.168.100.80 moved from 00:11:32:6b:64:25 to 00:11:32:6b:64:26 on igb0
    Jul 22 12:57:31 php-fpm /status_logs.php: Successful login for user 'admin' from: 192.168.102.247 (Local Database)
    Jul 22 09:00:03 php [pfBlockerNG] Starting cron process.
    Jul 22 09:00:03 php /usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb0' delete '172.16.0.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Jul 22 13:00:03 check_reload_status Reloading filter
  • Pfsense box reach the remote network

    4
    0 Votes
    4 Posts
    527 Views
    V
    The IPsec setup is explained well and in detail in the docs: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html
    In short, assuming you have:
    Site1 with LAN: 10.10.1.0/24
    Site2 with LAN: 10.11.1.0/24
    So set the phase 2 at site 1:
    Local Network: 10.10.1.0/24
    Remote Network: 10.11.1.0/24
    At site 2 set the phase 2 the other way round:
    Local Network: 10.11.1.0/24
    Remote Network: 10.10.1.0/24
  • IPSEC Site to Site Between pfSense and Meraki MX Odd Behavior

    2
    0 Votes
    2 Posts
    511 Views
    M
    Do you have Snort active? For me things like this are always related to IDS.
  • 0 Votes
    2 Posts
    327 Views
    M
    After reading a book about VPN I understood subnetting with an IPsec VPN and found the solution. Phase 2 must be configured like this:
    Phase 2 Local Network - LAN Network
    NAT / BINAT 10.4.11.120/30
    Remote Network - 13.141.121.201
  • IPSec VTI pfSense 2.4.4 to pfsense 2.4.4

    7
    0 Votes
    7 Posts
    1k Views
    DerelictD
    Just like you did for the route to 10.94.37.95/32 except on the other side of the tunnel and for 10.1.100.100.
  • IPsec P2 manual NAT possibility?

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • IPsec routed vti: phase2 not renewed

    12
    9
    0 Votes
    12 Posts
    2k Views
    C
    @Abbys: luckily I still have the netstat output from the time the link was down:
    [2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
    169.254.22.149 link#27 UH ipsec500
    169.254.22.150 link#27 UHS lo0
    It's exactly the same now that the tunnel is up - except BGP has also installed a route to our AWS address space (10.30/16):
    [2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
    10.30.0.0/16 169.254.22.149 UG1 ipsec500
    169.254.22.149 link#27 UH ipsec500
    169.254.22.150 link#27 UHS lo0
    (The interface is actually ipsec5000, it's just been truncated in the netstat output.)
  • Route Traffic through two IPSEC tunnels (NAT)

    2
    0 Votes
    2 Posts
    480 Views
    M
    Just define a phase 2 for each of your C/D/E/F networks on the A-B tunnel (the networks are local networks for B and remote for A).
  • 0 Votes
    3 Posts
    430 Views
    K
    @cyberfinn No. See the documentation about the config setup section:
    https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
    https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.