DROP_CTINVALID ipsec Kerberos

How can I fix this?
I have an ipsec net2net tunnel between client and server.
Computer startup takes very long time due this.

Thanks and Kind Regards
Jaycee

Another IPFire which is gateway for the telecommunication also has such problem, see here:

192.168.115.54 cant directly reach 192.168.115.3 because of other subnet, thats why i created these following rules.

Maybe somebody can help me with the dropping packages, the users experience bad telephony availability and it must be fixed asap.

Here are the firewall rules:

I don’t understand your problem. 192.168.115.54 and 192.168.115.3 are elements of the same network 192.168.115.0/24 ( your green network, I suppose). So there should be no problem in communication, especially if they are connected to the same switch(es). They should communicate directly, without IPFire.

The SNAT messages are generated by you ( unnecessary ) SNAT rules with logging enabled.

I have a 192.168.112.0/22 and i have 192.168.115.32/27
grafik