• Losing connectivity when adding an IPSec Tunnel

    1
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • IPSEC Tunnels restarting when adding VLAN or interfaces?

    4
    0 Votes
    4 Posts
    956 Views
    JeGrJ
    Yeah thought about that, but then I encountered a reset of all IPSec tunnels after just adding a CARP VIP on a fully independent new VLAN that isn't physically or logically involved with any of the tunnels. Just adding the VIP brought down all IPSec tunnels. Seems kinda strange to me.
  • Deleted IPsec still trying to connect

    3
    0 Votes
    3 Posts
    831 Views
    R
    Hi, thank you for your reply! I rebooted twice and still in log and in ipsec showall. There is no entry in the config.xml of that last client anymore. Reboot didn't help :/ Any more ideas?
  • Pfsense traceroute hop unreachable through IPSEC

    1
    0 Votes
    1 Posts
    541 Views
    No one has replied
  • IPSec tunnel with Public IP interesting traffic and NAT

    1
    0 Votes
    1 Posts
    490 Views
    No one has replied
  • Scripting an IPSEC tunnel

    1
    0 Votes
    1 Posts
    464 Views
    No one has replied
  • Site-2-Site Redundant tunnel from PFSENSE to one location

    1
    0 Votes
    1 Posts
    421 Views
    No one has replied
  • IPSEC and NAT Spoofing farside networks

    1
    0 Votes
    1 Posts
    421 Views
    No one has replied
  • IPSec VPN - Zyxel to pfSense works but pfSense to Zyxel fails

    3
    0 Votes
    3 Posts
    2k Views
    T
    Update #2 This issue is still unresolved. However, I was able to properly configure the Zyxel to auto connect (its incoming VPN) whenever it determines that a connection is required. I would still appreciate it if any suggestions can be offered on why the pfsense can't connect to the zyxel but the zyxel can connect to the pfsense.
  • 0 Votes
    2 Posts
    633 Views
    K
    Have you enabled traffic to flow in the firewall rules? There is a separate FW rules section for IPSec channels.
  • A question regarding IPsec rules for VPN (I'm new to PFSense)

    1
    0 Votes
    1 Posts
    857 Views
    No one has replied
  • Cannot route IPSec back out to internet (iOS)

    1
    0 Votes
    1 Posts
    809 Views
    No one has replied
  • (Probably Guide): IKEv2 with Windows 10 and better Security

    6
    0 Votes
    6 Posts
    5k Views
    T
    :-[ just realised I'm doing this on a test pfSense, not my live one so the IP address I was trying to ping was wrong. Once the VPN is active I can ping the test pfSense box and a client in that IP Range. Connect seems stable for the last few minutes. Couple of queries… Should I be able to ping the VPN user from the LAN or pfSense box? I can't. When the VPN is connected the VPN user doesn't have internet access. If I remove the 'use default gateway on remote computer' then they do get Internet access but nothing across the VPN. Is it possible to have VPN traffic go across the VPN, but other traffic go out via the VPN user's own Internet? Thanks
  • Mac can't connect to VPN with IKEv2 with EAP-MSCHAPv2

    3
    0 Votes
    3 Posts
    5k Views
    C
    Thanks jimp. This answer helped me resolve our issues with Macs not being able to connect (and also Windows clients needing to disable the EKU check). When I created the Server Certificate initially I had used one address in the Common Name and a different one in the Subject Alternate Name. I created a new key with the Common Name and SAN matching (in System > Cert. Manager > Certificates) and then changed the certificate being used in the Mobile IPSec Phase 1 entry (VPN > IPSec > Tunnels > - Edit the Mobile IPSec Phase 1 entry - My Certificate). Everything now works perfectly for both Mac and Windows (without the registry setting change). Much appreciated. Perhaps it's worthwhile providing some more info in the documentation about why the IKE auth error occurs as well as providing the EKU Check registry hack to get around it. Thanks again, we can now move from PPTP over to a secure VPN technology. :)
  • Ipsec vpn to pfsense and internet = ok , but no traffic to nas

    1
    0 Votes
    1 Posts
    671 Views
    No one has replied
  • L2TP/IPSec: Blocked traffic

    1
    0 Votes
    1 Posts
    768 Views
    No one has replied
  • VPNs Problems with Cisco and 2.3.2-RELEASE

    2
    0 Votes
    2 Posts
    923 Views
    T
    I may be facing these same errors. Does the connection work if you attempt to connect from the Cisco firewall?
  • What are best options for dynamic dns for multi-WAN IPsec failover?

    1
    0 Votes
    1 Posts
    562 Views
    No one has replied
  • IKEv2 - Phase 2 Auth Methods - Hash algorithm Question

    2
    0 Votes
    2 Posts
    2k Views
    L
    An unmodified Windows up until 10 can use the following for Phase 2 (ESP): ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ. As you can see there is no option for SHA256 at this place to choose. It is questionable if this is a real problem because SHA1 is used for integrity in this context, so the upmost would be to send invalid (random) data which claim to be valid. The encryption (confidentiality) should not be broken because of this. You might also try the NegotiateDH2048_AES256 registry key to get more modern ciphers to choose from. Regards Andreas
  • Ipsec site to site udp stream lost packets

    6
    0 Votes
    6 Posts
    1k Views
    R
    Did we have any other idea?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.