• How to set multiple IP pools for RADIUS selection?

    0 Votes
    4 Posts
    2k Views
    @Daz22 It is not possible the way it was intended (the conventional way: create AD groups for different network access rights, create a NPS policy for each group with different pools for which different firewall rules are set and pass the pools via Framed-Pool to the VPN server). You can see from the StrongSwan docs that Framed-Pool is not supported: https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius I haven't finished this yet due to other projects but will use Framed-IP-Address. The difference in management is that you don’t put users into AD groups but manage their access based on their personal IP directly on the firewall. Hence, the user management will get a bit cumbersome, obviously, but we really need the access differentiation. So far, I have created a PowerShell script that sets a unique IP address from our client VPN range for all the relevant AD users (not that easy, because users come and go; the script should overwrite manual settings but not settings from its previous runs; if I remember correctly, I implemented this based on AD timestamps). It should also create a CSV for the admins to keep track of the user IPs in the future. Next, I will create the “groups” as aliases on the firewall and create firewall rules for the aliases. For access management, you would put a user IP into an alias or remove it.
  • Need Help With Home Router IPsec Setup

    0 Votes
    2 Posts
    452 Views
    @aknewhope You need to add 0.0.0.0/0 in your Phase 2. Go to VPN > IPsec > Tunnels, edit your Phase 2, and under Local Network select Network and put the 0.0.0.0/0 route in. Try and let me know if that works!
  • 6th and 7th IPSec tunnel traffic not passing

    0 Votes
    10 Posts
    1k Views
    Derelict
    Then post your exact, detailed config. If it was done correctly it would be working. ;)
  • IPSEC won't connect beyond Phase 1

    0 Votes
    4 Posts
    7k Views
    @gh0stwr1ter The pfSense documentation also says that there can be problems connecting L2TP/IPsec clients behind NAT, and it recommends using IKEv2.
    received packet: from 75.129.232.186[4500] to 144.202.66.15[4500] (92 bytes)
    I also recommend setting up remote access using IKEv2, for example: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
  • Disable/Enable IPSEC VPN via CLI?

    0 Votes
    4 Posts
    4k Views
    Thanks for the help @Derelict and @Konstanti What ended up working for me is pfSsh.php playback svc start ipsec along with some of the ipsec down and up commands. Hadn't tried swanctl but definitely appreciate all of the suggestions!
  • IPSEC VTI with IPv6

    0 Votes
    3 Posts
    867 Views
    Yeah, after more playing it doesn't seem that VTI+IPv6 is working right. I tried adding a second SA on the IPv4-based tunnel and it didn't work right at all. I changed it to a GIF over VTI and it came right up with no trouble. While it seems a little wasteful, anything less than a /64 causes weird behaviors with IPv6 in certain cases so I've always stuck with that. I know in recent years there have been recommendations on using /127 prefixes on intra-router links (e.g. RFC6164) but this is all interior connections. Thanks for the response.
  • Configure solely as VPN server? (Mac clients)

    standalone vpn
    0 Votes
    8 Posts
    1k Views
    Derelict
    Another note: Apple devices behave completely differently when configured manually or via a profile. You might have better luck using a generated profile.
  • Site to Tunnel between Cisco ASA 5508X & Pfsense not working

    0 Votes
    2 Posts
    246 Views
    Derelict
    Did you add firewall rules on the IPsec tab for the desired incoming traffic?
  • IPSEC Phase 2 disconnects after 1 hour and does not reconnect

    0 Votes
    6 Posts
    941 Views
    As I was testing with PFS "off", I thought to myself "Perhaps they configured more groups except PFS 19" and I just tried with PFS group 14 and I think I was right. They told me 19 but 14 seems to exist, too. As far as I can tell, it works with 14 as expected: after 1 hour the rekey starts and seems to work fine. The MTU is not too big and a new child_sa is created.
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> CHILD_SA con4000{1584} state change: INSTALLING => INSTALLED
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> CHILD_SA con4000{1584} established with SPIs c25045b2_i 495408d7_o and TS 10.207.239.61/32|192.168.1.0/24 === 10.11.0.0/11|/0
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> SPI 0x495408d7, src 213.34.11.17 dst 185.121.192.8
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> adding outbound ESP SA
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> SPI 0xc25045b2, src 185.121.192.8 dst 213.34.11.17
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> adding inbound ESP SA
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> using HMAC_SHA2_256_128 for integrity
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> using AES_CBC for encryption
    Apr 13 19:19:32 charon 06[CHD] <con4000|30> CHILD_SA con4000{1584} state change: CREATED => INSTALLING
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> config: 10.11.0.0/11|/0, received: 10.11.0.0/11|/0 => match: 10.11.0.0/11|/0
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> selecting traffic selectors for other:
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> config: 10.207.239.61/32|192.168.1.0/24, received: 10.207.239.61/32|/0 => match: 10.207.239.61/32|192.168.1.0/24
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> selecting traffic selectors for us:
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> proposal matches
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> selecting proposal:
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> received NON_FIRST_FRAGMENTS_ALSO notify
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> received ESP_TFC_PADDING_NOT_SUPPORTED notify
    Apr 13 19:19:32 charon 06[ENC] <con4000|30> parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
    Apr 13 19:19:32 charon 06[NET] <con4000|30> received packet: from 185.121.192.8[500] to 213.34.11.17[500] (480 bytes)
    Apr 13 19:19:32 charon 06[NET] <con4000|30> sending packet: from 213.34.11.17[500] to 185.121.192.8[500] (480 bytes)
    Apr 13 19:19:32 charon 06[ENC] <con4000|30> generating CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> establishing CHILD_SA con4000{1584} reqid 70
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> 10.11.0.0/11|/0
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> proposing traffic selectors for other:
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> 10.207.239.61/32|192.168.1.0/24
    Apr 13 19:19:32 charon 06[CFG] <con4000|30> proposing traffic selectors for us:
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> activating CHILD_CREATE task
    Apr 13 19:19:32 charon 06[IKE] <con4000|30> activating new tasks
    I'll let it run through the night to see if it works, but I'm pretty confident that it will. I don't know why PFS group 19 raises the problems I described above, but if it works with 14, this should be a problem for another day.
  • IPSec Tunnel Down vs Lifetime Rekey

    0 Votes
    1 Posts
    298 Views
    No one has replied
  • Pfsense blocking traffic between two machines

    0 Votes
    4 Posts
    640 Views
    KOM
    Anything in the firewall log regarding those two clients? If it's working once, it should continue to work.
  • IPSec VPN tunnel with 1 ISP that has a Dynamic IP.

    0 Votes
    5 Posts
    971 Views
    jimp
    That shouldn't matter, as long as the ISP router doesn't block or otherwise mess with IPsec.
  • IPSec not connecting on Android?

    0 Votes
    2 Posts
    255 Views
    Configured by this method. Everything works on Apple and Android devices. https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html
  • VPN IPSec with AD authentication

    0 Votes
    1 Posts
    309 Views
    No one has replied
  • Multiple tunnels drop after changes to single tunnel

    0 Votes
    1 Posts
    254 Views
    No one has replied
  • IPSec tunnel to Palo Alto keeps disconnecting

    0 Votes
    4 Posts
    316 Views
    This is what the log shows when it comes back up:
  • Need some help with pfSense Site-to-Site IPSec VPN

    0 Votes
    13 Posts
    2k Views
    Hi, so I ended up resolving this issue; for those who are interested, it was an issue with the AT&T modem. I have the Arris BGW-210 on both sides of the tunnel. The modem has a setting under Advanced Firewall called ESP ALG; this setting should be disabled if both sides of your tunnel are not behind NAT (pfSense has a public IP). Thanks for your help getting this resolved, the tunnel is working great, I'm seeing over 300 Mbps between the networks.
  • IPSec with FREERADIUS EAP-RADIUS fails RADIUS auth with TLS Access Denied

    0 Votes
    1 Posts
    131 Views
    No one has replied
  • IPSec DIFFIE_HELLMAN_GROUP

    0 Votes
    9 Posts
    3k Views
    Derelict
    That depends on the mix of clients mostly. What you are trying to do there typically requires the Cisco AnyConnect client on Windows anyway. If you MUST try this, try IKEv2, but that will probably require the strongSwan app on Android. There is no 100% universal solution unfortunately. The client support is too varied. Yes, OpenVPN requires a client, but in most cases it is free and your configuration will be substantially similar across any device it supports.
  • IPSEC

    0 Votes
    1 Posts
    366 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.