• Oracle DB 10g over IPsec

    1
    0 Votes
    1 Posts
    549 Views
    No one has replied
  • Can't access one site remotely over VPN

    7
    0 Votes
    7 Posts
    1k Views
    J

    I assume your firewall isn't blocking this? Does a packet capture show the incoming connection?

  • IPSec Mobile Clients (2.2.3) - No Connection

    2
    0 Votes
    2 Posts
    1k Views
    D

    Any ideas on this guys?

    If not, any suggestions on better tutorials or setups to use to give a Mac user L2TP/IPSec connection into the firewall? It just has to be dial-in, we can't use a site to site for him.

  • IPsec on dynamic IP. PHP page that will update HOSTS for the unbound.

    2
    0 Votes
    2 Posts
    906 Views
    C

    A good dynamic DNS provider will give you a TTL of no more than 30 seconds, and usually only 10 seconds or so, and updates are reflected immediately so the largest delay possible is the TTL. A public IP change is pretty disruptive already, so generally ~10 seconds is pretty acceptable (where it isn't, you should be paying for something with a static IP). If it's the typical forced daily PPPoE reconnect, that can be scheduled at a time where disruption is minimized. Then using a better dynamic DNS provider would take care of the worst of the remainder.

    There isn't an easy way to update unbound like you're wanting. Its TTLs default to an hour, so doing that would actually make it worse.

  • Switch from strongSwan to Openswan/Libreswan?

    3
    0 Votes
    3 Posts
    7k Views
    M

    @jimp:

    IKEv2 is the answer. Nobody wants to work on L2TP/IPsec in strongSwan since it's dying off and has issues with NAT.

    Ironically the quoted website, raymil.org recommends exactly the same:

    No L2TP?
    The previous tutorials all used L2TP to set up the VPN tunnel and use IPSEC only for the encryption. With the IKEv2 protocol and recent operating systems (like OS X 10.8+, Android 4+, iOS 6+ and Windows 7+) supporting IKEv2 we can also use IPSEC to set up the tunnel, before we used IPSEC to do that.

    This VPN will therefore not work out of the box on older operating systems. See my other tutorials with L2TP on how to do that.

  • IPSecSite2SiteVPN

    2
    0 Votes
    2 Posts
    864 Views
    ?

    Office Internet uplink to Cisco Switch, Switch to Netscreen firewall WAN , switch to another HP Switch(Layer 3), Switch to PfSense WAN

    In some cases a small network drawing would be nice to understand it really like you mean it.

  • 2.2.6 IPSEC ReKey and Hardware Hang

    2
    0 Votes
    2 Posts
    1k Views
    B

    I had a similar issue with connections to an ASA, what fixed it for me was checking the disable rekey box in the Phase 1 settings, and I also had issues with Unique IDs at some point so I configure my boxes with "Configure Unique IDs as:" set to No under Advanced IPSec settings.

  • Ipsec site to site dynamic peer address

    9
    0 Votes
    9 Posts
    11k Views
    Z

    Yet ironically, some other vendors won't support fqdn on ipsec tunnels, even though they will support a dynamic endpoint. [glares at Palo Alto]

    It's incredibly annoying as it means you are forced to run aggressive mode, which strongswan doesn't like (for understandable reason).

    I can't wait until I can get my PAs on v7, which finally adds IKEv2.

  • Multiple Road Warrior users with PSK auth unable to connect

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2.2.6 - some IPsec phase 2 entries won't come up - how to troubleshoot?

    1
    0 Votes
    1 Posts
    947 Views
    No one has replied
  • Can't establish Mobile IKEv2 with EAP-MSCHAPv2 VPN

    7
    0 Votes
    7 Posts
    3k Views
    C

    OpenVPN worked like a charm. Bye bye PPTP.

    Carlos

  • Site to Site IPSec VPN with Sonicwall TZ-215 not working

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec mobile clients not working anymore

    4
    0 Votes
    4 Posts
    3k Views
    A

    Hi

    Maybe take a look at my post

    https://forum.pfsense.org/index.php?topic=104680.0

    This may be related to your problem with Shrewsoft

    Thanks

  • IPSEC VPN tunnel and direct traffic between VPN endpoint

    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    J

    I've had the same issue (in 2.2.5), Azure tunnel seemed to be up, but no traffic. I think I have solved this by setting the PFS key group setting in the phase 2 configuration to Off. The tunnel has been up and functioning well for a week now. I'm not sure if this has any security implications though.

  • Mutual PSK + Xauth disappeared on 2.2.6

    6
    0 Votes
    6 Posts
    2k Views
    N

    @cmb:

    That's exactly what I said - the one with the xauth options is a mobile P1, the one without is a site to site P1. It's correct, you're trying to edit/create the wrong thing. Edit the mobile P1, or if you don't have one, go to the mobile clients tab and add one.

    Ah I found it. Seems that you can only get to it from another option and it isn't directly available right from that menu. Have to add mobile=true to the URL if you wanted to access P1 mobile directly.

  • Route Internet traffic over IPsec connection

    1
    0 Votes
    1 Posts
    772 Views
    No one has replied
  • IPSEC Site-To-Site As Gateway to Corporate

    1
    0 Votes
    1 Posts
    884 Views
    No one has replied
  • IKEv2 / IPSec doesn't seem to work with external ECDSA Certificates

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SOLVED: IPSec VPN + IOS "On Demand"

    2
    0 Votes
    2 Posts
    2k Views
    M

    Ok.  I hate replying to my own topic, but in case anyone else is having this problem, I thought I would update status…

    I found out it is indeed an IOS issue....  I was running IOS 9.0.2... 
    Updated to latest IOS 9.2 and it solved the problem.
