• Tunnel connect but no data can pass

    2
    0 Votes
    2 Posts
    1k Views
    G
    permit in rule -> ipsec, then it's ok
  • Negotiation timing out - could use some help!

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC and ROUTING or RESOLUTION LOST

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2.0.3 vs DD-WRT and Shrewsoft VPN

    4
    0 Votes
    4 Posts
    3k Views
    P
    Final testing on IPSEC issues: I have been using 1.2.3, 2.0.3, and latest snapshot as my SOURCE at home to connect to DESTINATION sites ranging from pfSense 1.2.3 to 2.0.3. No problem connecting to 1.2.3 remote sites via IPSEC. I finally reproduced consistently that the destination must be 2.0.3 (perhaps even the 2.x tree) for the IPSEC connection to eventually time out; the connection still works but no routing or name resolution occurs after the second reconnect attempt (after several minutes). If my source is DD-WRT, it does not matter whether I am connecting to destination 1.2.3 or 2.0.3, it always works. I tried all types of Shrewsoft client settings and pfSense settings (type of cipher, DPD, NAT-T, etc. - results are the same). You must restart the racoon service to get back to normal. You can reproduce this IPSEC issue by being behind 1.2.3 to current snapshot, connecting to a remote 2.x site using the Shrewsoft VPN client and waiting to reconnect 5 minutes or later - you will lose routing and obviously name resolution. From my readings here, this not only affects IPSEC client connections, but even IPSEC VPN site to site (I have not personally tested this scenario). I am done testing this - I am 100% certain of this issue.
  • 0 Votes
    2 Posts
    2k Views
    K
    OK - To me it seems that IPsec on an Android device, particularly using the VPN that comes pre-installed, is somewhat of a mystery to most. So, since I bothered to solve my own problem and now have ICS Android working on my Android to my pfSense seemingly as well as my OpenVPN without any split tunneling or weirdness, I will share my experience and my deviations from previously posted how-tos. This is not for point to point. Point to point is talked to death. Not much different in what I've done compared to what is ALL OVER THE INTERNET, but it seems to matter a lot.

    Phase 1
    Click "enable IPsec" box
    Interface - WAN
    Description - A name you like
    Authentication method - Mutual PSK + Xauth
    Negotiation Method - aggressive
    My identifier - Dynamic DNS - my-dynamic.address.net (I chose dynamic because my home router uses dynamic DNS - My IP may work fine)
    Peer identifier - allmyusers@myownvpn.com (make up an address if needed, but don't leave it blank. It's important)
    Pre-Shared Key - Make one up. I'll use kilrapplease. Make it a bit long but memorable.
    (This is the ONLY pre-shared key that will go into your phone)
    Policy Generation - Unique
    Proposal Checking - obey
    Encryption algorithm - AES 128
    Hash algorithm - SHA1
    DH key group - 2
    Lifetime - 86400
    NAT Traversal - Enable
    Dead Peer Detection - Enable DPD
    Delay between requesting peer acknowledgement - 10
    Number of consecutive failures allowed before disconnect - 5
    SAVE

    Under Mobile Clients click the Enable IPsec Mobile Client Support box
    User Authentication - system
    Group Authentication - system
    Virtual Address Pool - click Provide a virtual IP address to clients
    network - 10.80.12.0 / 24 (pick an address range not in use on pfSense, I suggest a /24)
    click Provide a list of accessible networks to clients
    click Save Xauth Password (probably makes no difference, but why not)
    DNS Default Domain - click Provide a default domain name to clients
    enter a domain name like - totallyipsecdomain (just make up one that's not in use on your pfSense)
    DNS Servers - (I would enter 2)
        216.146.35.35 (this one is dyndns)
        8.8.8.8 (this one is google)
    It's probably better to run your own DNS server if you know how.
    WINS Servers - All blank and unchecked.
    Phase2 PFS Group - unchecked
    Login Banner - Welcome - You are now connected to my sick little world (Or something else you like. These pop up if you are using an iPhone)
    SAVE

    Phase 2 mobile client
    Mode - tunnel
    Local Network - LAN Subnet (or whatever subnet you want to reach. Hopefully it's one you use daily and has good firewall rules that work)
    Description - myphase2 (or some name you make up)
    Protocol - ESP
    Encryption algorithms - AES / 128 / auto (make sure the others are unchecked)
    Hash algorithms - SHA1 (uncheck MD5)
    PFS key group - off (this will break your VPN if you turn it on and it's not an option in your client)
    Lifetime - 28800
    Automatically ping host - leave empty (I'm wondering why I'd want to ping anything? I can't see the results on my phone)
    SAVE

    Now, here is where the stuff I've read online sort of gets confusing/wrong. For this to work, you need to create/use a user on pfSense.
    Go to System > User Manager
    Create a new user (unless there is already a user there you plan to use)
    Give the user a username and a password and write those down. I'll use guyone and passwd4guy1
    Give the user a full name, leave expiration date blank, create a user cert if you like (useful for OpenVPN)
    IPsec Pre-Shared Key - enter a pre-shared key here. Just make up something a bit long - YOU WILL NOT BE USING THIS ANYWHERE but it's required.
    SAVE

    ********************* You might need ************************
    In pfSense you might need to make a MANUAL entry in Firewall > NAT > Outbound if you use Manual outbound NAT, like me. To allow the IPsec domain you made up (10.80.12.0 / 24 in this example) to see the web, you need to add an outbound NAT entry.
    Interface - WAN
    Protocol - any
    Source - Network 10.80.12.0 / 24 (the number you made up anyway)
    Source port - leave empty
    Destination - any
    Address - leave alone
    Destination - leave blank
    Translation - Interface Address
    Port - leave blank
    Static port (I checked it to make it play nicer with MY SIP servers, but blank is fine usually)
    No XMLRPC Sync - unchecked
    Description - Rule to pass IPsec (word it how you like)
    SAVE
    *Remember, this rule might not be necessary if you use automatic outbound NAT (which I do not)

    The next firewall rule isn't optional.
    Firewall > Rules > IPsec
    add new rule
    Action - pass
    Interface - IPsec
    Protocol - any
    Source - any
    Destination - any
    Description - Allow all from IPsec (word it however you like)
    SAVE
    Go to Status > Filter Reload
    Click the home menu for pfSense again. We should be done on the router.

    ****** The rest of this happens on your phone, tablet or whatever *****
    Now - grab your Android phone, on cellular data please, or a network outside your own. Doing this on the same LAN as your server won't prove anything and will likely cause conflict.
    On my ICS Android phone it's Settings > VPN > more > VPN > add VPN
    select IPsec Xauth
    Server address = your DNS domain or pfSense's public IP (I entered my dynamic DNS name here)
    IPsec Identifier = use the email-looking address you made up (I used allmyusers@myownvpn.com)
    IPsec pre-shared key (This is the one we made up while configuring the tunnel, not the one from when we made the user / password.) I used kilrapplease
    DNS search domain (I left it blank)
    DNS Servers - (I entered 8.8.8.8. If there is one you prefer, use that)
    MEGA Important: Forwarding routes - Set this to 0.0.0.0/0 (if you don't, your routing will be split. Half the time it will go around your VPN)
    SAVE
    Now connect to your VPN. Use the username and password for the user we created on pfSense. (I used guyone and passwd4guy1)
    If you have the option and you want, click the "save account info" button, else you have to enter the username/password each time.
    Press connect.
    If your phone is anything like mine, you should have a working pfSense IPsec tunnel VPN without flaky hit-and-miss routing now. I verified this by going to whatsmyip.org to ensure it's showing as my home server IP, and I went to one of my servers behind my pfSense using only its private IP address. Both worked as expected… FINALLY.
    I will add a section about the iPhone after I catch some ZZZZZZzzzzs.
  • IPSec VPN Dual LAN Gateway - Configuration

    1
    0 Votes
    1 Posts
    945 Views
    No one has replied
  • Tunnel established, no traffic?

    2
    0 Votes
    2 Posts
    2k Views
    K
    I assume the server is at Site A according to your diagram? Do you have a rule set up in firewall for the interface involved to pass traffic? Do you have a rule on the outbound NAT to pass the traffic on that domain to WAN? (I've noticed also, that links between two pfsense boxes seems easier and more sure fire than between pfsense and most other things)
  • IPSec tunnel, Virtual IP and NAT

    2
    0 Votes
    2 Posts
    3k Views
    P
    Hi, were you able to find a solution? I have the same problem: a customer needs me to have a different subnet as source IPs. I added a Virtual IP to my LAN interface, the tunnel is up, they can ping my Virtual IP, but I am not able to reach their remote LAN from my LAN. I have been trying to change the NAT rules, but without success. Michele
  • IPSEC between Pfsense and Linksys RV042

    4
    0 Votes
    4 Posts
    3k Views
    P
    @hongkonger: i am not sure how to set it up; if you can post your working config I can probably copy it, hopefully your pfSense is also behind a router lol
    NO, I have the RV042 on one end (DHCP from AT&T Uverse) and pfSense on the other end (static Comcast), and a DNS alias in the middle to resolve the IP for the RV042 end. But my config will not help you with this; it's more important that you line up the values between the RV and pfSense.
  • PfSense v2.0.3 L2TP form save issue

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    It's adjusting the IP to match the subnet mask you give it. That's normal.
  • Ipsec vpn

    2
    0 Votes
    2 Posts
    2k Views
    M
    Problem solved: some of the remote IPs I tested do not have a default gateway set up. Easy as that!!!
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Racoon crashed, core dumped

    16
    0 Votes
    16 Posts
    8k Views
    T
    A FreeBSD developer is asking me for backtraces, but they don't seem to be that informative. Aren't there separate binaries with debugging symbols that you are supposed to use when doing this?
    GNU gdb 6.6 [GDB v6.6 for FreeBSD]
    Copyright (C) 2006 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-portbld-freebsd8.1"...
    (no debugging symbols found)
    (no debugging symbols found)
    Core was generated by `racoon'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x080672a9 in ?? () from /libexec/ld-elf.so.1
    (gdb) bt
    #0  0x080672a9 in ?? () from /libexec/ld-elf.so.1
    #1  0x2854de48 in ?? ()
    #2  0x00000000 in ?? ()
    (gdb) quit
  • RV082 s2s tunnels behind pfSense

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2.1-DEV IPsec to MacOSX 10.8

    2
    0 Votes
    2 Posts
    2k Views
    K
    Hi Rudivd, I am trying to connect my Mac OS X 10.8 to pfSense 2.1 RC. Can you please tell me how to set up the connection? I followed some settings from http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To but it does not work. It shows server no response and the pfSense log says "ERROR: exchange Identity Protection not allowed in any applicable rmconf." Thanks, Edward
  • Bonjour through IPSec

    5
    0 Votes
    5 Posts
    4k Views
    H
    Very strange now. Now I can see some Bonjour services from the remote side in Safari and in an app called Bonjour Browser. But they are not reachable, nor can they be resolved. It seems that some information comes through the VPN tunnel but not all the needed stuff. Any idea?
  • IPSec VPN for mobile users

    5
    0 Votes
    5 Posts
    3k Views
    D
    I took a stab at fixing this problem.  Details here: http://redmine.pfsense.org/issues/1351
  • IPsec Unable to Ping Lan PCs

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to make ipsec tunnel to be established automatically if dropped?

    8
    0 Votes
    8 Posts
    9k Views
    luckman212L
    Ah, didn't know any of that – thanks for the clarification. Good to know about the pings bringing up the tunnel!
  • Mobile Client and second WAN

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Unfortunately there is no way to have a second mobile config, only one is supported. If you need the same one to answer on both WANs, you might be able to accomplish that by forwarding udp/500 udp/4500 and esp from WAN2 to WAN1, but that would most likely break any other non-mobile tunnels you also have on WAN2. Don't quote me on that though, pure speculation that it would even work.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.