• PFsense 2.2.6 - Mobile IPSEC VPN No longer works

    0 Votes
    2 Posts
    3k Views
    I deleted my 'Mobile Client' under Tunnels, then went to the 'Mobile Clients' tab and saw that the "Create Phase 1" option was available. I re-created Phase 1 and Phase 2 and the VPN worked again. Cheers

    VPN: IPsec: Edit Phase 1: Mobile Client
    Key Exchange version: V1
    Internet Protocol: IPv4
    Interface: WAN
    Description: Mobile Client
    Authentication method: Mutual PSK
    Negotiation mode: Aggressive
    My identifier: My IP Address
    Encryption algorithm: AES 256
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 28800
    NAT Traversal: Force
    Dead Peer Detection: Enable / 10 / 5

    VPN: IPsec: Edit Phase 2: Mobile Client
    Local Network: DMZ (mine is DMZ but yours might be LAN)
    Protocol: ESP
    Encryption algorithms: AES 256 (only)
    Hash algorithms: SHA1
    PFS key group: 2
    Lifetime: 3600
  • [2.2] Mobile clients not connecting anymore

    0 Votes
    41 Posts
    17k Views
  • PSKs incorrect in ipsec.secrets bug: 4126

    0 Votes
    11 Posts
    4k Views
  • 0 Votes
    13 Posts
    3k Views
    It looks like DPD is the problem. Disabled it on 15 tunnels (both sides). All 15 connections are stable for at least a day now. DPD is still active on the "Strongswan" boxes. Not having any problems with them.
  • Win10 can't connect ipsec on pfsense 2.2.6

    0 Votes
    4 Posts
    2k Views
    I have a test result. Client PC --> pfSense 2.2.6 --------IPsec IKEv2------------> Remote pfSense 2.2.6 IPsec VPN Server: this fails with error code 809. Client PC --> Mobile Hot Spot Internet Share ------IPsec IKEv2----------> Remote pfSense 2.2.6 IPsec VPN Server: this can connect. I don't know why my client behind pfSense 2.2.6 fails, but it can connect if the client PC is behind IP sharing or a mobile hot spot. How to check it?
  • Android IPsec doesn't work on 2.2.6?

    0 Votes
    4 Posts
    1k Views
    jimp
    Configure your IPsec logs as shown here: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29 And then post (in a code block or attached .txt file) the logs generated by a connection attempt. It may be a good time to upgrade yourself to an IKEv2 VPN rather than the old-style IPsec, too.
  • Static route via VPN - is this now possible?

    0 Votes
    6 Posts
    3k Views
    Derelict
    That GRE method is very interesting to me. First time I have seen it. Are there any MTU issues with it?
  • IPSec with NAT (with two differently sizes subnets)

    0 Votes
    1 Posts
    618 Views
    No one has replied
  • IPsec site to site to site full mesh path preference

    0 Votes
    2 Posts
    928 Views
    The first matching P2 would be the only one that would apply. You're right that this scenario is almost certainly something you'll never need to use: if you can't get from B to A, then either C won't be able to get to A either, or B won't be able to get to C, so it's probably a moot point. What you can do is configure a disabled P2 to do that routing from B to A via C; then, if you happen to get into a situation where you can't get from B to A but can get from B to C to A, disable the B-to-A matching P2 and enable the B-to-C and C-to-A ones. Manually disabling and enabling would be necessary in that case.
  • Oracle DB 10g over IPsec

    0 Votes
    1 Posts
    553 Views
    No one has replied
  • Can't access one site remotely over VPN

    0 Votes
    7 Posts
    1k Views
    I assume your firewall isn't blocking this? Does a packet capture show the incoming connection?
  • IPSec Mobile Clients (2.2.3) - No Connection

    0 Votes
    2 Posts
    1k Views
    Any ideas on this, guys? If not, any suggestions on better tutorials or setups to use to give a Mac user an L2TP/IPsec connection into the firewall? It just has to be dial-in; we can't use a site-to-site for him.
  • IPsec on dynamic IP. PHP page that will update HOSTS for the unbound.

    0 Votes
    2 Posts
    916 Views
    A good dynamic DNS provider will give you a TTL of no more than 30 seconds, and usually only 10 seconds or so, and updates are reflected immediately, so the largest delay possible is the TTL. A public IP change is pretty disruptive already, so generally ~10 seconds is pretty acceptable (where it isn't, you should be paying for something with a static IP). If it's the typical forced daily PPPoE reconnect, that can be scheduled at a time when disruption is minimized. Then using a better dynamic DNS provider would take care of the worst of the remainder. There isn't an easy way to update unbound like you're wanting. Its TTLs default to an hour, so doing that would actually make it worse.
  • Switch from strongSwan to Openswan/Libreswan?

    0 Votes
    3 Posts
    7k Views
    @jimp: IKEv2 is the answer. Nobody wants to work on L2TP/IPsec in strongSwan since it's dying off and has issues with NAT. Ironically, the quoted website, raymil.org, recommends exactly the same: "No L2TP? The previous tutorials all used L2TP to set up the VPN tunnel and used IPSEC only for the encryption. With the IKEv2 protocol and recent operating systems (like OS X 10.8+, Android 4+, iOS 6+ and Windows 7+) supporting IKEv2, we can also use IPSEC to set up the tunnel, whereas before we used L2TP to do that. This VPN will therefore not work out of the box on older operating systems. See my other tutorials with L2TP on how to do that."
  • IPSecSite2SiteVPN

    0 Votes
    2 Posts
    866 Views
    Office Internet uplink to Cisco switch, switch to Netscreen firewall WAN, switch to another HP switch (Layer 3), switch to pfSense WAN. In some cases a small network drawing would be nice to really understand what you mean.
  • 2.2.6 IPSEC ReKey and Hardware Hang

    0 Votes
    2 Posts
    1k Views
    I had a similar issue with connections to an ASA. What fixed it for me was checking the "Disable rekey" box in the Phase 1 settings. I also had issues with Unique IDs at some point, so I configure my boxes with "Configure Unique IDs as:" set to No under Advanced IPsec settings.
  • IPsec site to site dynamic peer address

    0 Votes
    9 Posts
    11k Views
    Yet ironically, some other vendors won't support FQDN on IPsec tunnels, even though they will support a dynamic endpoint. [glares at Palo Alto] It's incredibly annoying, as it means you are forced to run aggressive mode, which strongSwan doesn't like (for understandable reasons). I can't wait until I can get my PAs on v7, which finally adds IKEv2.
  • Multiple Road Warrior users with PSK auth unable to connect

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2.2.6 - some IPsec phase 2 entries won't come up - how to troubleshoot?

    0 Votes
    1 Posts
    956 Views
    No one has replied
  • Can't establish Mobile IKEv2 with EAP-MSCHAPv2 VPN

    0 Votes
    7 Posts
    3k Views
    OpenVPN worked like a charm. Bye bye PPTP. Carlos
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.