Dear doktornotor, Thank you very much, that did it! I did rebuild the certificates so that the "O" field does not contain a space to avoid that facet of complexity and than things did just work fine. Regards, Michael

For a domain override, the IP address you give is a remote DNS server that will respond with the correct IPs for items inside of that domain. If that is across a VPN, especially IPsec, you may also need to fill in the source address box for the domain override as your LAN IP

anyone could help??

This is broken again in 2.1.2

What about the proxy-id (encryption domain)? The cisco products checks the presence of the proxy id, unlike other vendors as Fortinet or Juniper. Could you post your Phase 2 entries?

@opalit: As it happens I have downloaded that one. When I did a search on OpenVpn in the app store, dozens came up. Most were probably vendor-specific.  There's a lot of VPN providers who made their own app.  You can only use those with that particular vendor.

Hooray!

So, like… how about posting the contents of /var/etc/ipsec/racoon.conf file?

I have been having the same problem. When I just connect my Netgear router, all works well.

None of that really applies to Mobile. There isn't a way in IPsec currently to restrict access for a given IP/PSK in the way you're after. If this is for site to site, use individual tunnels, not mobile. If it's for mobile clients, the Phase 2 entries are only really used if you check the box to supply a list of networks to the client, and then only if they obey that list. Mobile setups let the client specify what they want to send, the server can't really restrict that (except with firewall rules)

Thank you dotdash! I didn't cross my mind that I could set the source subnet (our side) to the customer's server (/32) instead of the subnet. And I will have a look at NAT too.

Hello iamzam, thanks for your reply. I've added the rule to allow AH but it also didn't work.

…and with that response, I honestly figured it out.  Sheesh!  Why didn't I remember to allow UDP across my tunnel?  DNS works fine now.  Thanks!

Follow up: When debugging and redacting previous post I've disabled a second IPSec tunnel (one for point-to-point VPN, not mobile clients) and now mobile client access seems to work just fine (using Shrew Soft VPN Connect software and builtin iOS client). ("Unknown Gateway/Dynamic" log message is still there though) I'll look into the settings of this second tunnel later (time to confirm that at least everything is OK with one tunnel).

@kapara: Been doing some research on AESNI and it looks like even using a corei5 proc can provide significant improvement.  Anyone test AESNI on pfsense yet? Yes, don't bother.  AES-NI makes no difference at this point, though I wouldn't buy a CPU without it as better support is in the pipeline.

I would suggest checking that you have correctly specified the Search Scope and Base Containers properly. PM me if you still have troubles - I have the Microsoft AD part of IPSec working, but now I'm getting asymmetric routing I suspect. :(