• Dynamic to dynamic IPsec VPN

    Locked
    0 Votes
    7 Posts
    7k Views
    It finally works as I want it to. Know why people keep trying for days. There are some key issues missing on faq / doc / tutorial. PFSense mobile ipsec vpn setup is somewhat like server and client and it suggests using aggressive mode due to unknown client ip. But some other doc said aggressive mode does some plaintext communication. I cannot totally understand but my setting below works in main mode: IPCop settings towards the tutorial server side. It doesn't matter there is no separate setup page for mobile client and pre-shared keys. PFSense setting as client. PSK in tunnel phase 1 page, that is sufficient. IPCop's ID example is @domain, that is the key difference with PFSense that can be user defined. However in PFSense putting @domain with define as dist.name simply cannot save settings. Username is ok, but racoon/PFsense is somewhat looking for IPs when in main mode. So type define as non-IP is somewhat broken there. It looks impossible to re-setup the IP/ID every time as dynamic. Finally comparing IPCop with PFSense - the ID can be user defined like shared keys. Fixed fake IP address there finally works. Pluto/IPCop just sends the ID field no matter what's in it, but racoon needs an IP-like string no matter what type is defined in the setup page. Some help on the web says PFsense needs another rule, allow * *, for the IPSec tunnel and IPCop automatically fixes the route table. I try deleting that and it still works.
  • Great free tool to monitor VPN tunnels

    Locked
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Tutorial to setup Mobile IPSEC

    Locked
    0 Votes
    10 Posts
    6k Views
    Hi, I see this good document on "How to set up IPsec tunneling in PfSense 2.0-RELEASE for road warriors". I just want to use RSA-signature and not PSK (pre-shared key). In this case, seek 1 tutorial on: How to set up IPsec tunneling in PfSense 2.0-RELEASE (or PfSense 1.2.3) for road warriors using RSA-signature. Regards!
  • IPSec VPN failover

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    9k Views
    I hope everyone follows my example and posts solutions to frustrating problems they encounter like I am doing (even if they do not receive any help). To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfsense is at both ends in my scenario).
  • PPTP CAN'T CROSS THE IPSEC TUNNEL UNDER THE CARP MODE

    Locked
    0 Votes
    2 Posts
    2k Views
    This might be my issue as well, I'm running a CARP setup with a pre-existing IPSec VPN and would need to connect to that using PPTP and then access resources across the IPSec VPN. Doesn't work for me either, never thought it might be CARP-related.
  • Interfaces GRE

    Locked
    0 Votes
    6 Posts
    4k Views
    Hi dhatz, That's what I'm trying to do also. Although I'm able to ping all hosts, I have an issue when I try to access a webpage. See my other post: http://forum.pfsense.org/index.php/topic,41522.0.html. Feel free to ask questions about the conf if you need help.
  • GRE over IPSEc Transport mode, routing problem

    Locked
    0 Votes
    2 Posts
    4k Views
    I think that the following link is the answer for my problem in freebsd but how to do it in pfsense ? http://www.mail-archive.com/misc@openbsd.org/msg80590.html Stephane
  • Xauth Ldap

    Locked
    0 Votes
    8 Posts
    5k Views
    Any chance we could get some status on this issue? This is a huge feature to have. Thanks  :-*
  • PfSense Can't ping across tunnel but devices behind pfSense can.

    Locked
    0 Votes
    5 Posts
    10k Views
    Awesome mate. That worked perfect. I did search I swear I just didn't come across that link. Appreciate it.
  • Mobile IPSEC on 2.0 for Android

    Locked
    0 Votes
    3 Posts
    4k Views
    Thanks for the information.
  • IPSec Transport mode yellow status

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ipsec vpn and smoothwall keeps dropping

    Locked
    0 Votes
    6 Posts
    4k Views
    Could the builders of pfsense help me pls.
  • Site2Site IPSEC VPN unable to ping remote subnet

    Locked
    0 Votes
    2 Posts
    2k Views
    @ferret: crypto isakmp key ABC123 address 203.XXX.XXX.XXX no-xauth that was the difference, when looked very fast preview
  • IPSEC with multiple subnets

    Locked
    0 Votes
    3 Posts
    3k Views
    jimp
    You need multiple phase 2's for each possible combination, such as:
    Client -> Server LAN
    Client -> Server Static Route Net 1
    Client -> Server Static Route Net 2
    Client -> Server Static Route Net 3
    […]
  • Nokia IP330: IPsec LAN-to-LAN VPN

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Can't get IPsec to work

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Traffic over IPSec blocked by "Default deny rule IPv4".

    Locked
    0 Votes
    3 Posts
    3k Views
    @alexis.olivier: Hello everybody, I have two pfSense boxes running with 2.0RC3 in the same network. I tried to make an IPSec transport connection between them. The IPSec works well (racoon gets its connection established), but the problem is that all traffic going through enc0 is blocked by "Default deny rule IPv4", despite a firewall rule having been added to pass all the IPv4 traffic (tcp/udp) coming through the IPSec interface (enc0). This rule is evaluated (evaluations counter grows up in pfctl -v -sr), but no packets are allowed. Did I forget something? Thanks in advance for your answers! Hi, Did you resolve this issue yet? Cheers
  • SNAT and second remote gateway

    Locked
    0 Votes
    3 Posts
    2k Views
    If the remote gateway is down, for example, multi-WAN cannot solve the problem. It is solved if pfsense can connect to a secondary remote gateway.
  • Change IPsec Negotiation Time

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.