• IPsec with a transparent firewall

    0 Votes
    3 Posts
    801 Views

    Hello,

    I have the same problem.

    @jimp: I don't understand your solution. Can you explain it to me in more detail, please?

    I made a schema:

    0_1547127650496_pfsense.png

    Thank you very much if you can help me, because I'm stuck.

    Ludo.

  • Cisco AnyConnect - Disconnects and Reconnects every 20 minutes

    0 Votes
    1 Post
    480 Views
    No one has replied
  • Split DNS on iOS not working

    0 Votes
    3 Posts
    2k Views

    Have a look here:
    https://forum.netgate.com/topic/95361/solved-cross-platform-ikev2-vpn-no-dns-on-linux-mac-ios/7

    Note that the basic problem of Split DNS with Split Tunnel in IKEv2 is work-in-progress regarding RFC standards.
    https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-16

  • 0 Votes
    5 Posts
    1k Views
    chrismacmahon

    That is correct.

  • Proxy ARP and IPsec mobile

    0 Votes
    1 Post
    217 Views
    No one has replied
  • IPsec not connecting

    0 Votes
    5 Posts
    730 Views
    Derelict

    If you have the same subnet as the other side, both sides have to NAT to something else, else one side will think the other side is actually on its local subnet.

  • 0 Votes
    7 Posts
    2k Views

    Hi, do your machines use Windows as the OS? In that case, turn off the firewall on each and check the ping to the other machine.

  • PfSense IPsec Site to Site Issues

    0 Votes
    7 Posts
    2k Views

    @konstanti

    I have put the log in my topic.

  • VPN issues from flapping secondary connection?

    0 Votes
    7 Posts
    849 Views

    Omit my OVPN reference; still, what do the IPsec logs say? Timeout? Remote disconnect?
    How is failover implemented?

  • How to make Windows servers use pfSense VPN?

    0 Votes
    7 Posts
    961 Views

    I know! ;-)

    Since this is a production system I can't easily mess with network settings.

    I have changed pfSense LAN address to 192.168.0.1 and the IP of a test server to 192.168.0.22.

    The subnet in Azure now is 10.10.0.0. The connection can be established, but machines in the different subnets still do not see each other.

    WAN, LAN, and IPsec firewall rules have all been set to allow full IPv4 traffic.
    I can ping the local machine from the pfSense LAN and vice versa. The Azure VPN shows some traffic in both directions (just a few bytes).

  • ipsec with pubkey ?

    0 Votes
    5 Posts
    642 Views
    stephenw10

    Probably one of these.

    https://www.netgate.com/docs/pfsense/book/ipsec/choosing-configuration-options.html#authentication-method

    What VPS service are you connecting to? Directly to the service to the VPS? What is it if so?

    Steve

  • Windows 10 VPN Client / pfSense IPsec with EAP-RADIUS

    0 Votes
    2 Posts
    1k Views
    jimp

    EAP-RADIUS is just EAP-MSCHAPv2 with RADIUS on the backend. If it doesn't work, the most likely problem is that your NPS config is not set up to allow EAP properly.

    See https://www.netgate.com/docs/pfsense/book/thirdparty/radius-authentication-with-windows-server.html#adding-a-network-policy for something to check against.

  • 0 Votes
    2 Posts
    503 Views

    @matt4542 Hey
    https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec.html
    https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
    Show the Phase 1 IPsec pfSense settings
    and the strongSwan Android settings.
    Pay attention to the selected text.
    You don't have that in your logs.

    Dec 25 09:06:44 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Dec 25 09:06:44 00[DMN] Starting IKE service (strongSwan 5.7.1, Android 8.0.0 - ANE-LX1 8.0.0.162(C432)/2018-10-01, ANE-LX1 - HUAWEI/ANE-LX1/HUAWEI, Linux 4.4.23+, aarch64)
    Dec 25 09:06:44 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
    Dec 25 09:06:44 00[JOB] spawning 16 worker threads
    Dec 25 09:06:44 04[CFG] loaded user certificate 'C=ES, O=XXX, CN=sony_xperia.XXXXX' and private key
    Dec 25 09:06:45 04[IKE] initiating IKE_SA android[1] to 94.177.XXX.XXX
    Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 25 09:06:45 04[NET] sending packet: from 192.168.1.42[42086] to XXXX.XXXX[500] (716 bytes)
    Dec 25 09:06:45 09[NET] received packet: from 94.177.XXX.XXX[500] to 192.168.1.42[42086] (38 bytes)
    Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
    Dec 25 09:06:45 09[IKE] initiating IKE_SA android[1] to 94.177.XXXX
    Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 25 09:06:45 09[NET] sending packet: from 192.168.1.42[42086] to 94.177.XXX[500] (908 bytes)
    Dec 25 09:06:45 10[NET] received packet: from 94.177.XXX[500] to 192.168.1.42[42086] (489 bytes)
    Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 25 09:06:45 10[IKE] local host is behind NAT, sending keep alives
    Dec 25 09:06:45 10[IKE] received cert request for "C=ES, O=XXX, CN=XXX"
    Dec 25 09:06:45 10[IKE] sending cert request for "C=ES, O=XXX, CN=XXXX"
    Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}

  • IPsec VTI and default route

    0 Votes
    4 Posts
    810 Views
    jimp

    If one side supports routed IPsec and the other side only supports tunneled IPsec, then it can still work provided that you only attempt to send traffic that matches the P2 entries on the remote end. Anything else would fail.

  • IPSEC Tunnel

    0 Votes
    5 Posts
    757 Views

    @tresrob
    Hey
    Sorry for my English.
    Can you ping 192.168.0.1 from 192.168.50.0/24?
    And show the rules on the LAN of pfSense B
    and the rules on OPT1 of pfSense A.

  • IPsec configuration files lost after reboot.

    0 Votes
    27 Posts
    6k Views

    @artemis At the time I, too, wanted to go and study to be a Cisco engineer, but could not. Glad to have helped ))))) Good luck.

  • Ipsec Load Balance Multisite?

    0 Votes
    4 Posts
    784 Views
    periko

    Excellent news, always learning. I will check that once, thanks Derelict.

  • Can pfSense tunnel as IKEv2 client?

    0 Votes
    4 Posts
    567 Views
    jimp

    It depends on the context. pfSense can act as a "client" for site-to-site style connections using certificate-based auth, but it is not made to support a "mobile" or remote access style client setup where the server side sends configuration data such as the interface address to use.

  • How can I configure different encryption domain ? [SOLVED]

    0 Votes
    2 Posts
    381 Views

    I fixed it.

    I put on IPSEC PHASE 2 > NAT BINAT IP 192.168.0.x/32, LOCAL NETWORK 10.0.0.0/24 and REMOTE NETWORK 192.168.1.0/24,

    and then I made NAT 1:1 > 10.0.0.x > INTERNAL IP > 192.168.0.1 and made the rules on the IPSEC and LAN interfaces.
    Thank you.

  • Pfsense IPsec keepalive

    0 Votes
    2 Posts
    1k Views
    Derelict

    It means that you cannot initiate pings from a source address that is not on the firewall itself.

    For instance, if you have a Phase 2 tunnel between a local network that is behind another router on your side and a network on the remote side, the firewall itself cannot generate an interesting ping to bring up a tunnel because it cannot ping sourced from an address that is not on the firewall.

    In that case you would have to generate a keepalive ping from the network interesting to IPsec.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.