I am having issues as well. 2.0.0 <--> 2.0.3 works fine. Upgraded to 2.2.1
and the connection always fails within 24 hours.

Please let me know how the 2.2.1 x 5 setup works.

Executive summary: no.

Here's what I did:
- created/applied tunable at both ends
- turned off our server's "keep VPN alive" pinger
- on my end, pressed the "disconnect" button for the 2.2.1-to-2.2.1 VPN (in Status -> IPsec)
- Status -> IPsec "immediately" indicated that the 2.2.1-to-2.2.1 VPN connection was established (this is always the case ... it sort o' fibs)
- started a once-per-second ping from my system (to the pfSense box at the other end)
- the first 88 pings were unanswered
- the VPN was "really connected" at about 89 seconds
- killed the pinging at about 103 seconds (and typed this stuff up, up to here)
- ran the pinger, again ... 7 successes ... interrupted the ping process
- waited about 3 minutes (remember, right now there's no other traffic across this VPN)
- ran the ping, again ... connection down, 34 pings unanswered
- VPN connected at about 35 seconds
- let the ping run for another minute ... stayed connected
- interrupted ping process
- waited about 3 minutes
- ran the ping, again ... connection down, 143 pings unanswered
- VPN connected at about 144 seconds

So far, I'd say that this change had zero effect. This appears to be the same behavior as though the tunable wasn't there.

Next, I did the following:
- pinger still running, VPN still connected
- pressed the "Restart IPsec service" button (Status -> IPsec) on the pfSense at the other end
- one ping slightly longer response, but no pings lost
- pressed the "Restart IPsec service" button (Status -> IPsec) on the pfSense at the my end
- one ping with no response but connection stayed up -- interestingly, Status -> IPsec reported an "established" time that indicated the original connection duraion (i.e., seemingly indicating that the restart didn't create a new connection)
- killed the pinger as I typed this stuff
- about 6 minutes later, ran a ping and the connection was still alive
- interrupted the ping after 7 pings
- waited about 3 minutes
- ran the ping, again ... connection still alive!
- I stopped the ping
- I thought that looked quite promising so, as a more rigorous set of tests, I was going to restart the pfSense box at the other end and completely stop, then restart the IPsec service at my end ... I typed that info in as my next steps
- however, when I went to access the pfSense box at the other end, about a minute later, the VPN was down
- I fired off another ping ... 126 pings unanswered
- VPN connected at about 127 seconds

Next, I did the following:
- rebooted the pfSense box at the other end
- stopped the IPsec service at my end
- waited long enough to ensure that the pfSense box at the other end had ample time to reboot (please!)
- started the IPsec service at my end
- started a once-per-second ping from my system and attempted to access both the pfSense box at the other end of the 2.2.1-to-2.2.1 VPN and the one at the other end of the 2.2.1-to-2.1.5 VPN
- got the pfSense box at the other end of the 2.2.1-to-2.1.5 VPN with about a 1 second delay, as "always" -- yes, experience with the previous IPsec does create high expectations! #;-))
- 54 pings unanswered
- the 2.2.1-to-2.2.1 VPN connected after about 55 seconds
- typed this stuff up and ran another ping (about 3-4 min. later)
- connection still up ... stopped ping
- waited about 3 minutes
- ran ping ... 30 pings unanswered
- VPN connected at about 31 seconds

In spite of a moment's promise, looks like this change no net effect. [hey, had to get in at least 1 pun]

FYI, since I implemented the pinger script on the server, I've accessed the pfSense box at the other end about 20 times and the VPN has been up every time. Without the pinger, I could count on it always being disconnected and having to wait .5 to 1.5 minutes for it to connect, after attempting to send some traffic.

While testing the previously discussed "stalling connections" with v2.2.1 IPsec -- which still exist with v2.2.2 (expected as the release notes give no indication of a fix) -- I noticed (what I suspect is) a new bug (https://redmine.pfsense.org/issues/4640).

After updating from 2.2.1 to 2.2.2, in VPN -> IPsec -> Advanced Settings, the check-box setting for "Disable Cisco Extensions" now toggles whatever the setting was for "Auto-exclude LAN address" and the checkbox for "Auto-exclude LAN address" ignores any attempts to set it on it's own.

Question

The "Auto-exclude LAN address" has an explanatory line of
---
Exclude traffic from LAN subnet to LAN IP address from IPsec.
---
which can be interpreted multiple ways (which LAN, local/remote? and which IPsec, server/client? ... or both?).

Since there's nothing on the associated WiKi help page, could someone provide a more detailed explanation of what this setting does and/or should be used for (and the default setting)?

Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
---
Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.

I tried various incantations using "server:<newline>ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.

Does anyone know a configuration that will work with pfSense 2.2.6?