pfSense

After some more testing this appears to be a problem only with mobile IPsec, specifically (at least) IKEv2 EAP-RADIUS.

A site-to-site IPsec connection using IKEv1 or IKEv2 does not have the same problem, states are created properly.

A ping from a mobile IPsec client (10.7.200.1) to the firewall LAN (10.7.0.1) produces only this in the firewall states table:

enc0 icmp 10.7.0.1:1 -> 10.7.200.1:1       0:0
   age 00:00:03, expires in 00:00:09, 3:0 pkts, 180:0 bytes, rule 88
   id: 00000000583e4bc5 creatorid: b95c5943

As you can see, that is in the "wrong" direction as it's the ICMP reply creating the state and not the original message from the client.

Attempting a TCP connection from the client to the server fails because TCP cannot create a state with a reply, instead, the dropped traffic shows in the firewall log:

Dec  1 12:46:32 block enc0 TCP:SA 10.7.0.1:443 10.7.200.1:50124

Dec  1 12:47:02 shona filterlog: 6,16777216,,1000000104,enc0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,48,10.7.0.1,10.7.200.1,443,50132,0,SA,1687100934,2626059616,65228,,mss;sackOK;eol

Jimp, can you check the latest build ?

Relevant commit: https://github.com/pfsense/FreeBSD-src/commit/5d8a65f506d84b404e56a14febffd9c19e3967ac

New changes were made to handle this issue. Waiting on JimP comments.

Works great on the latest snapshot, thanks!