Hi, I have the same scenario, but my IPSEC tunnel is not working, bernikm can you help me posting your config? Thanks

Hi, did you find any suitable solution to your issue? I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since Ssptember I have not a single comment.  :(

Hi, did you find any suitable solution to your issue? I think I'm in the same situation (please see my post "Failover not working" in the IPSEC section), but since Ssptember I have not a single comment.  :( It seems nobody knows about this problem, except we two.

Ok, problem solved. How I missed it, I don't know, but the problem was DNS. I forgot to add UDP to the IPSec rule on the firewall. Doh!  :-[

It's exactly like a normal site-to-site IPsec setup, but the dynamic site needs a DynDNS host setup, and the other end uses that for the remote peer address.

I have the same problem. I haved stablished the tunnel, and from pfsense the ping return. I have presented a different network to mine. but not how to do NAT. Can you give an example? Please example my configuration Phase 2 Local network (UP) 192.168.1.2/32 local network nat (down) 10.0.0.2/32 remote network 10.22.0.0/20 Thanks,

@starkiller:         my_identifier keyid tag "VPN";         peers_identifier keyid tag "VPN"; I know this a reply to an old post but I think the my_Identifier KeyID tag should be different to the peers_Identifier KeyID tag.

I think I am having the same problem. I added a second WAN (ATT) and changed the default gateway to the new ISP (ATT) and modified the rule for ipsec to use the SONIC gateway. When the default is set to ATT mobile IPSEC fails. When the default is set to SONIC it has no issues.

Check at Untangle, must be something block IPSec tunnel to establish

This morning's results. Remember, this is a real-world network, not a lab situation. (So fun to watch…)  

Look a this one, Following my actual setup and the basic setup you want to achieve (lan gaming), it should work fine. Be aware of well understanding subnets and what "using a different subnet" for mobile clients means" If you'r using the default 192.168.0.1 configuration and the subnet mask is 255.255.255.0, using 192.168.4.1 IS NOT A VALID DIFFERENT SUBNET. you can have a look at my actual personnal config in this post:  https://forum.pfsense.org/index.php?topic=83781.0 my second post show print screens of a "partially working" config (you will understand if you read it all). Zikmen

I think we would need some more explanation about that But all routed subnet on the Pfsense LAN can be join on he remote peer (ASA) Since a sentence cannot begin with "but" and also if the pfsense lan "can" be joinED, where is the problem exactly? Can we have more details about your diagnosis step by step. Zikmen

Hello Snort, I had to pass through the trail you'r actually walking only two weeks ago. you can find my actual and working configuration on my second reply on this post. https://forum.pfsense.org/index.php?topic=83781.0 Give me some news about it. Zikmen

So, since everybody had a look at my post but nobody awnsered, i did my homework myself. I changed some settings around my subnet (now, i understand how subnetting works) and i can connect mobile devices to the vpn through the shrewsoft vpn client. Each mobile client can ping workstations located on the main site and each workstation can also ping back and browse mobile computers. BUT  mobile clients cannot browse or ping each others. Mobile client 1 cannot ping mobile client 2. Also, when using the PfSense ping utility located in the diagnostic tab, Pfsense cannot ping mobile clients. Maby there is something that need to be adjusted in routing or nating to connect the "mobile client subnet" with the subnet where workstations and pfsense belongs to. Some more pictures attached to explain the problem. if someone can help. Thanks. Tommy [image: 1.PNG] [image: 1.PNG_thumb] [image: 2.PNG] [image: 2.PNG_thumb] [image: 3.PNG] [image: 3.PNG_thumb] [image: 4.PNG] [image: 4.PNG_thumb] [image: 5.PNG] [image: 5.PNG_thumb] [image: 6.PNG] [image: 6.PNG_thumb] [image: 7.PNG] [image: 7.PNG_thumb] [image: 8.PNG] [image: 8.PNG_thumb] [image: 9.PNG] [image: 9.PNG_thumb] [image: 10.PNG] [image: 10.PNG_thumb] [image: 11.PNG] [image: 11.PNG_thumb] [image: 12.PNG] [image: 12.PNG_thumb] [image: 13.PNG] [image: 13.PNG_thumb]

Seems to be a bug in the NetGate Theme.  I just noticed that all other themes show my tunnel up in the IPSec Status page as expected, but the NetGate Theme shows a blank status.

@miken32: Try using 0.0.0.0/0 in phase 2, in local network, type network. It will route everything including internal dns. To make it work with iOS 7.2.2, here's what I've done: phase1: Exactly your config but using Mutual rsa+xauth. My/peer identifier: ASN.1 My cert: create a certificate for the user you want My cert auth: Create a cert authority in pfsense. everything else just like yours. Don't forget to put certificate in user. If you need more details, just ask.