Troubleshooting VPNs

Troubleshooting a VPN connection may be some of the most challenging work you will ever do. Establishing a VPN tunnel involves multiple steps. A failure at any of these steps will result in a failure to establish a VPN connection. In such cases, it may help to use the following guidelines for troubleshooting:

  1. If the remote client or peer is not able to connect to pfSense, then it is possible that the VPN service is not running at the local end of the connection. Check to make sure that it is running.
  2. If the VPN service is running at both ends, it is possible that one or more ports are blocked. Check that firewall rules allowing traffic on the necessary ports exist and are actually taking effect; even when the rules exist, their order may be such that an earlier rule blocks the traffic first. Consult the following table when checking whether the correct ports are open:

| Protocol | Ports |
| --- | --- |
| IPsec | UDP 500 for ISAKMP (necessary for all configurations), IP protocol 50 for ESP, IP protocol 51 for AH, UDP 4500 for NAT-T |
| L2TP | UDP 1701 (default port) |
| OpenVPN | TCP or UDP 1194 (default port) |

  3. If the remote client is able to connect to the server, but the connection ultimately fails, then the log files are often the best source of information about what has happened. Navigate to Status | System Logs, where the OpenVPN and IPsec log entries appear in separate tabs. In many cases, the source of the problem is a mismatch between the client and server (or peer) settings.
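Steps 1 and 2 can be checked from the pfSense shell. The following is an added example, not code from the book or from pfSense: it maps each VPN type in the table to the listener that should appear in `sockstat -l` output (pfSense runs on FreeBSD) and reports expected ports that have no listener. The `expected_listeners`, `listening` and `check_vpn` helpers are this example's own, and the sockstat listing is constructed sample output rather than a capture from a real system.

```shell
#!/bin/sh
# Added example, not from the book or from pfSense: map each VPN type in the
# table to the listener it should show in `sockstat -l` output (pfSense runs on
# FreeBSD) and report expected ports that have no listener. Helper names and
# the sockstat listing below are this example's own; the listing is constructed.

# Expected listeners per VPN type, from the table's default ports, printed as
# "<proto> <port>" lines. "any" means either transport is acceptable. ESP (50)
# and AH (51) are IP protocols, not ports, so they never appear as listeners.
expected_listeners() {
    case "$1" in
        ipsec)   printf '%s\n' "udp 500" "udp 4500" ;;   # ISAKMP and NAT-T
        l2tp)    printf '%s\n' "udp 1701" ;;
        openvpn) printf '%s\n' "any 1194" ;;
        *)       return 1 ;;
    esac
}

# Constructed sockstat -l listing: the IPsec daemon (charon) is up, OpenVPN is not.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     1234  12 udp4   *:500                 *:*
root     charon     1234  13 udp4   *:4500                *:*
root     sshd       900    4 tcp4   *:22                  *:*'

# listening <listing> <proto|any> <port>: succeeds if a socket listens on proto/port.
# Columns: 5 = PROTO (udp4/udp6/tcp4/...), 6 = LOCAL ADDRESS (addr:port).
listening() {
    printf '%s\n' "$1" | awk -v p="$2" -v port="$3" '
        NR > 1 && (p == "any" || index($5, p) == 1) {
            n = split($6, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_vpn <type> <listing>: 0 if every expected listener is present, 1 if any is
# missing (service not running, or nothing bound), 2 for an unknown VPN type.
check_vpn() {
    vpntype="$1"; listing="$2"; status=0
    wanted=$(expected_listeners "$vpntype") || { echo "unknown VPN type: $vpntype"; return 2; }
    oldifs=$IFS
    IFS='
'
    for entry in $wanted; do
        IFS=$oldifs
        set -- $entry                       # $1 = proto, $2 = port
        if listening "$listing" "$1" "$2"; then
            echo "ok: $vpntype listener present on $1/$2"
        else
            echo "MISSING: no $vpntype listener on $1/$2 (service down, or check the rules for this port)"
            status=1
        fi
    done
    IFS=$oldifs
    return $status
}

# Usage against the constructed listing: ipsec passes, openvpn is flagged.
for t in ipsec openvpn; do
    check_vpn "$t" "$SAMPLE_SOCKSTAT" || echo "-> $t needs attention"
done
```

On a live system, replace the constructed listing with `"$(sockstat -l)"`. A listener that is present while clients still cannot connect points at step 2 (a rule ordering or port problem) rather than step 1.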

While a lot of VPN problems stem from client-server settings mismatches, in other cases you may be experiencing problems because of the nuances of certain clients. For example, the ShrewSoft VPN Client seems to require IKEv1 for key exchange and a negotiation mode of Aggressive. The Windows built-in VPN client, however, seems to require IKEv2. Consulting the client software documentation will help, as will looking for additional information online.

One aspect of IPsec configuration that may cause problems (if configuring IPsec in pfSense is new to you) is what happens when you switch from IKEv1 to IKEv2, and then back to IKEv1. The negotiation mode will change to Main, even if you originally set it to Aggressive. Therefore, if you change the Key Exchange Method, make sure that you have the right setting for Negotiation mode before saving your settings.
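To make the IKE-version and negotiation-mode pitfall from the two paragraphs above concrete, here is an added example that is not code from the book or from pfSense. It checks a strongSwan-style `conn` block against the client requirements the text describes (ShrewSoft: IKEv1 with Aggressive mode; Windows built-in client: IKEv2). It assumes only the strongSwan `ipsec.conf` keywords `keyexchange=` and `aggressive=`; whether a given pfSense release writes its IPsec configuration in exactly this form is an assumption. The two conn fragments are constructed, and the `client_requirement`, `conf_value`, `negotiated_mode` and `check_client_compat` helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the book or from pfSense: check a strongSwan-style
# "conn" block for the IKE version / negotiation mode a given client needs.
# Client requirements are the ones the text states. The conn fragments are
# constructed; only the strongSwan keywords keyexchange= and aggressive= are
# assumed, and the helper names are this example's own.

# Requirement per client as "<ikever> <mode>"; mode "-" means no mode requirement.
client_requirement() {
    case "$1" in
        shrewsoft) echo "ikev1 aggressive" ;;
        windows)   echo "ikev2 -" ;;
        *)         return 1 ;;
    esac
}

# conf_value <conf text> <key>: prints the value of the first "key=value" line.
conf_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }                       # trim the key
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# negotiated_mode <conf text>: "aggressive" or "main", as strongSwan interprets it
# (aggressive= absent or "no" means Main mode, which is what pfSense falls back to
# after the Key Exchange toggle described in the text).
negotiated_mode() {
    case "$(conf_value "$1" aggressive)" in
        yes) echo aggressive ;;
        *)   echo main ;;
    esac
}

# check_client_compat <client> <conf text>: 0 if the conn matches what the client
# needs, 1 with a reason otherwise, 2 for an unknown client name.
check_client_compat() {
    client="$1"; conf="$2"
    req=$(client_requirement "$client") || { echo "unknown client: $client"; return 2; }
    set -- $req                      # $1 = required IKE version, $2 = required mode or "-"
    have_ike=$(conf_value "$conf" keyexchange)
    [ -n "$have_ike" ] || have_ike="(unset)"
    have_mode=$(negotiated_mode "$conf")
    if [ "$have_ike" != "$1" ]; then
        echo "MISMATCH for $client: conn uses keyexchange=$have_ike, client needs $1"
        return 1
    fi
    if [ "$2" != "-" ] && [ "$have_mode" != "$2" ]; then
        echo "MISMATCH for $client: negotiation mode is $have_mode, client needs $2 (re-check Negotiation mode after changing Key Exchange)"
        return 1
    fi
    echo "ok: $client should negotiate with this conn ($have_ike, $have_mode)"
}

# Constructed conn blocks: the first is what you get after switching the Key
# Exchange Method away and back (mode silently reset to Main), the second has
# Aggressive mode restored.
CONN_AFTER_TOGGLE='conn con1
        keyexchange=ikev1
        aggressive=no
        authby=psk'
CONN_FIXED='conn con1
        keyexchange=ikev1
        aggressive=yes
        authby=psk'

# Usage: ShrewSoft is flagged on the reset conn and passes on the fixed one;
# the Windows client is flagged on both because they are IKEv1 conns.
for c in shrewsoft windows; do
    check_client_compat "$c" "$CONN_AFTER_TOGGLE" || echo "-> fix con1 before retrying with $c"
    check_client_compat "$c" "$CONN_FIXED" || echo "-> con1 is not a fit for $c"
done
```

The same check applied to the conn block pfSense actually generated, immediately after saving a Key Exchange change, is a quick way to catch the reset before a client spends time failing Phase 1.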
