• 0 Votes
    4 Posts
    4k Views
    K
    Thank you for your reply! So is there a possibility at all to have an IPSec Tunnel handle a failover from DSL to UMTS in pfSense? At the moment it seems to me that you need two tunnels anyways, one for the DSL connection and one for the UMTS connection, but they would both need to terminate on the datacenter pfSense. But then, as soon as two tunnels are supposed to terminate on the same remote WAN IP, it won't work, no? So it would be necessary to have at least two WAN IPs on the datacenter pfSense? Isn't there a more elegant solution to handle a WAN failover at the office site - including the IPSec VPN that also can follow the failover? Thanks!
  • Two tunnels into one subnet

    Locked
    1
    0 Votes
    1 Posts
    920 Views
    No one has replied
  • Network bridging layer 2 through IPsec net to net

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • L2TP information

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    P
    Ok - thanks for the information.  I'm newish to L2TP/IPSec, but I think I understand what pfSense supports now and what it doesn't.
  • Help with site to site vpn

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    H
    Awesome. Thanks!
  • L2TP outbound - same as PPTP limitations

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Probably because you're not really using L2TP, but L2TP+IPsec, and IPsec does static port outbound for udp/500, so the second client to try will probably fail. If the server doesn't mind a random source port, switch to manual outbound NAT and remove the static port rules for isakmp.
  • Site to site tunnels from remote office

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How many remote gateways can be assigned in a single pfSense box

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    You'll hit some kernel memory limits at some point but not sure what that point is (no one has ever gotten that high), into thousands for sure and maybe much higher.
  • FreeBSD IPsec HMAC_SHA256-512 support fixed to be RFC4868 compliant

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    Yep. It may be worth a feature request in redmine to look into adding support for those to the GUI at some point though. Now that they are actually RFC compliant it may be useful to some people.
  • IPSEC tunnel failover in multi wan configurations possible?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    There is an open feature request ticket: http://redmine.pfsense.org/issues/1965 But there are no specific plans to make it happen in the near future. Unless someone submits a working patch, it's unlikely to be added in 2.1 at this point.
  • IPSEC to work with multiple VLANS

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec tunnel up but can't access networks other than routers SOLVED

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H
    Solved it by adding a Virtual IP (Proxy ARP) in pfsense on the LAN interface for the remote side network!
  • OSPF+GRE+CARP+IPSEC

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site to Site Tunnel with MultiWan access on both sides

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    If you can get the dyndns IP to follow the "active" wan then yes that would work.
  • IPSEC pfSense to Checkpoint FW - only access one way

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    F
    @fsaltan: Hi all, I have a similar problem. I set up an IPsec VPN with pfSense and Checkpoint NGX R75.20, but I can't wake up the VPN connection. You can see my configuration below. [image: Capture1.jpg] [image: Capture2.jpg] And my IPsec logs are like below [image: Capture3.jpg] How can I achieve this problem?
  • How can I downgrade ipsectools to version 0.7.2 in pfsense 2

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D
    ipsec-tools 0.7.2 is quite old. There have been a number of patches committed to ipsec-tools CVS since the release of ipsec-tools 0.8.0 a year ago, which may address the issues folks are seeing. The ipsec-tools repository is hosted at NetBSD: http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/crypto/dist/ipsec-tools/ and the latest sources used from the CVS repository: cvs -danoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools If anyone is considering building it for beta-testing, he should also apply any pfsense-specific patches: https://github.com/bsdperimeter/pfsense-tools/tree/master/pfPorts/ipsec-tools-devel
  • PfSense -> Cisco WRVS4400N

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    F
    I've checked out the bug reports and haven't found any information that helped. I've also been through the recommendations listed on http://forum.pfsense.org/index.php?topic=46917.0. Still haven't found anything that works. While digging around and trying out different settings I have noticed a couple of other things though. When I tell the Cisco wireless router to connect it shows a status of up. I can see the connection initialized in the IPsec logs on my pfSense box. But if I look in my state table I don't see the client listed as I do with my other VPN tunnels that are working. Also when looking under the system logs I see the following error "php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Mobile Client Access'".
  • Overlapping networks on the remote site

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    Generally speaking one option to resolve addressing conflicts would be to NAT before VPN.
  • IPSec VPN help

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense with Cisco 042 behind Sonicwall Router

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    A
    Post 'sainfo' section from your /var/etc/racoon.conf
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.