Hi Mykey, Did you connect pfsense 2 your ISP using L2TP?

On my (retired, now openVPN) IPsec tunnels I had: My identifier: My IP address Peer identifier: Peer IP address …and some higher encryption as the main difference to your setup for phase 1, on first glance

THIS thread also has problems with IPSec and CARP. Likely the issue is related.

That seems like a routing issue. The IPsec tunnel will probably not know where the 10.0.0.0/8 network is, and so it can't send any traffic there. You will probably need to add another phase 2 setting to propagate 10.0.0.0/8

Check your settings again. The ZyWall and the pfSense are compatible, I have a tunnel working.

Anything I could try? I have never been able to get a successful ipsec connection, but openVPN is working.

It doesn't.

Thank you this noted for the future use !

I solved. I'm not sure that is this the problem but now is working. Change the My identifier with CARP IP.

There are not currently any methods of making "multiple" groups of IPsec users, nor any way of assigning them IPs from separate pools from the server. So you would need OpenVPN for that sort of scenario.

After working closely with the other end, we were able to get a tunnel going by not using NAT.  Once we removed that, and change their configuration accordingly, the tunnel came up. The only problem now, is that only their end can bring the tunnel.  Whenever my end tries to initiate the tunnel, it gives Phase2 errors.  The wonderful "NO PROPOSAL CHOSEN" error ID. Would anyone know what I'm doing wrong in this situation?  I have confirmed on their end that the tunnel is configured as Bidirectional, and should be able to be brought up from either end. Not sure if it matters, but I am connecting this tunnel to a Cisco ASA. Thanks, Daryl

I haven't done this by now, but in theory it should be possible. Till now I had no time to get deeper into this topic. I think, racoon is capable of this and can realize this. Just a thought: take a look into the racoon.conf and search the part of your current mobile client configuration. Duplicate it and modify the corresponding config. Problem: restarting racoon ends up in the "gui"-configuration (at least for my last test with modifying by hand) For persistent changes, the Filer package could be an option?!