  • I need clarification about roadwarrior ipsec accounts.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Outlook/Thunderbird Stalling

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J
    System -> Advanced Misc. Turn on MSS to limit the VPN traffic to 1400 (leave blank for this value). Fixed my issue. W00h00 :O)
  • Sasyncd status?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E
    The problem with it is the unsupported synchronization of the replay counter in FreeBSD.
  • How to choose outgoing IP for local traffic to ipsec tunnel?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mobile Clients different rights

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    I see… is there any quick and good guide about that? I tried also to make shrew client connect to a NOT-Mobile_clients tunnel to solve my problem, but I can't succeed. Is this possible in any way? I tried many configurations, and I can actually connect, but I always get this: racoon: ERROR: failed to get sainfo. racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1). So the problem should be about local and remote network. I set up a fixed address in shrew client and put the same as remote network and the pfsense lan subnet as local network. I'd like to know if I'm just wasting my time and should try openvpn or if I could solve it. Thanks!
  • Ipsec vpn problem

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    A
    @cmb: Seems you're probably better off posting in the Turkish board, what you posted doesn't make much sense in English and the users on that board can probably help better than us English speakers are able to. http://forum.pfsense.org/index.php/board,47.0.html What you're showing there is just the normal startup log, if that's all you have in your log, nothing is trying to initiate traffic that matches your configured IPsec
    Buddy, I already sorted it out long ago; thank you anyway for your help.
  • Racoon PAM + google authenticator

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    K
    this is great!!! I hope this gets included as an option for ipsec clients!
  • IPSec VPN

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
  • IPSec Site to Site - pfSense 2.01 <> m0n0wall

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    It's almost the exact same config screens, match your settings appropriately as explained in the link above, configure rules on IPsec as desired, and that's all there is to it.
  • Ipsec vpn to mikrotik

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC ShrewSoft VPN Woes

    Locked
    10
    0 Votes
    10 Posts
    10k Views
    K
    Well, it is probably too late for you, but I thought I should share my experience with pfSense and Shrew VPN Client. On the pfSense side, I simply followed the exact instruction of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. On Windows 7 I downloaded http://www.shrew.net/download/vpn/vpn-client-2.1.7-release.exe. Here are the configurations on the Shrew side:

    General
      Hostname: <the server's IP address>
      Port: 500
      Auto Configuration: ike config pull
      Address Method: Use a virtual adapter and assigned address
      MTU: Obtain automatically
    Client
      NAT Traversal: force-rfc
      NAT Traversal Port: 4500
      Keep-alive packet rate: 15/Secs
      IKE Fragmentation: enable
      Maximum package size: 540 Bytes
      Enable Dead Peer Detection
      Enable Client Login Banner
    Name Resolution
      No WINS/DNS server
    Authentication
      Local Identity
        Identification Type: Key Identifier
        Key ID String: vpnusers@example.com (or whatever you filled up for Peer identifier: User Distinguished Name when you set up pfSense server Phase1)
      Remote Identity
        Identification Type: IP Address
      Credentials
        Pre Shared Key: aaabbbccc (or whatever you set up for Pre-Shared Key on the server side)
    Phase 1
      Exchange Type: aggressive
      DH Exchange: group 2
      Cipher Algorithm: aes
      Cipher Key Length: 128 Bits
      Hash Algorithm: sha1
      Key Life Time Limit: 86400 Secs
      Key Life Data limit: 0 KBytes
    Phase 2
      Transform Algorithm: esp-aes
      Transform Key Length: 128 Bits
      HMAC Algorithm: sha1
      PFS Exchange: disabled
      Compression Algorithm: disabled
      Key Life Time limit: 3600 Secs
      Key Life Data limit: 0 Kbytes
    Policy
      Policy Generation Level: unique
      Remote Network Resource
        0.0.0.0/0.0.0.0

    If you can verify this also works for you, it would be nice if someone could expand the Device Setup section of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 to include the Shrew client. Hope this helps. Kang Sun
  • PfSense 2.0.2 L2TP

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    M
    Also wondering when this will be available. Been looking forward to this feature as a replacement for PPTP VPN. Slightly disappointed when I learned that L2TP+IPSEC was not supported.
  • IKEv2

    Locked
    7
    0 Votes
    7 Posts
    12k Views
    jimp
    Mobile IPsec works with pretty much anything except Windows' built-in client. You can install the Shrew Soft client to make it work there. OpenVPN works with pretty much anything except iOS.
  • Dynamic DNS as My Identifier – Cannot Establish the tunnel

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp
    You're overcomplicating it a bit. The dynamic DNS identifier type is only needed if that end is behind NAT and can't directly see its external IP. Just use the dyndns hostname in the peer address on the other side, and leave all of the identifiers set to "My IP address" or "Peer IP address".
  • Mobile IPSec to multiple interfaces

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Add multiple phase 2 entries, one for each local subnet. That is assuming you checked "Provide a list of networks" on the Mobile Clients setup, and you have Shrew set to Obtain the topology automatically.
  • Two subnets over vpn

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Either one VLAN for each, or one separate physical network. Which depends on what kind of infrastructure you already have in place switch-wise. A /25 each or /24 each, doesn't really matter either way. Then firewall rules setup accordingly to isolate the networks.
  • Ipsec stop working when i moved to firebox x700

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M
    ok.. thank you.. will try…  :)
  • Amazon VPC + IPsec

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense like client vpn cisco

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mobile VPN Login Banner

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.