• Draytek to pfsense site to site problem with reconnecting

    0 Votes
    2 Posts
    949 Views

    In your Phase 2 settings under Advanced Options set an address on the remote network to be pinged. This may allow the tunnel to re-establish after it disconnects. Try adjusting the settings of dead peer detection in Phase 1 or disable it completely and see what happens.

  • Active Directory over IPSEC

    0 Votes
    4 Posts
    2k Views

    It seems like there is traffic being blocked by the IPSec tunnel. Try doing packet captures to trace where the packets are getting to. That way you'll be able to see which part needs to be troubleshot.

    Update (18/12/2013):

    I just set up a mock network using VMware with two pfSense boxes and a DC behind one and a Windows 8 client behind the other. The client authenticated fine over the IPSec tunnel I set up. There must be something you are doing wrong. I suspect it's a DNS issue.

  • Questions about VPN IPsec

    0 Votes
    2 Posts
    1k Views

    What IPSec client are you using?

    Do you mean restrict access from remote IPs connecting to your mobile VPN or restrict access within the mobile VPN to other networks?

    Just set up another phase 2 entry on the site-to-site VPN on the IPSec endpoint that your mobile users connect to using your mobile VPN subnet as the local subnet.

    Depending on your IPSec client there should be an option to automatically route all traffic through the VPN. You will need to add an outbound NAT rule for your IPSec subnet.

  • MSS clamping not apparently working

    0 Votes
    3 Posts
    4k Views

    I continued my query here on Reddit: http://www.reddit.com/r/PFSENSE/comments/1s8v4s/mss_clamping_not_apparently_working/

    Any ideas as regards the general nature of my blackhole and how to eradicate or work around it? I'm still trying to work out whether it's an issue with my Infinity line or my virtualised PFsense router on the end of it, although replacing the PFsense instance made no difference.

  • IPSEC VPN and route traffic between Tunnels.

    0 Votes
    9 Posts
    8k Views

    Should be possible in 2.1 (I haven't tested it yet)

  • Site to site ipsec with cisco router

    0 Votes
    2 Posts
    2k Views

    Dec 4 21:42:09    racoon: ERROR: HASH mismatched

    Your P1 hash type is mismatched on pfSense and the Cisco router. Post your Cisco config and pfSense Phase 1 config here.

  • Racoon: ERROR: /var/etc/ipsec/racoon.conf:14: "e" syntax error

    0 Votes
    6 Posts
    3k Views
    jimp

    Packages would not touch that. There aren't any that would replace the racoon binaries.

    The safest way forward would be to backup your config, wipe/reinstall 2.1, and then restore your backup.

  • Using Virtual IP (CARP) WAN address for Phase 1 negotiation. SOLVED

    0 Votes
    1 Posts
    1k Views
    No one has replied

  • How to route http(80) port traffic to vpn?

    0 Votes
    1 Posts
    708 Views
    No one has replied

  • Security Settings Problems.

    0 Votes
    1 Posts
    3k Views
    No one has replied

  • Pfsense IPSEC to Blackberry Bold 9700

    0 Votes
    2 Posts
    2k Views

    Hello

    Look at this thread

    http://forum.pfsense.org/index.php/topic,24463.msg127009.html#msg127009

  • IPsec with NAT not routing?

    0 Votes
    6 Posts
    4k Views

    Just an update:

    I managed to get the Phase2 settings correct, (tunnel is up and happy) but the NAT/BINAT doesn't seem to work.

    I wanted my internal subnet 192.168.2.x NAT to 10.148.20.96/27 and use the IPSec tunnel for accessing 10.x.x.x on the client's side. No NAT is taking place, and packets go out on the WAN instead of being NATed and sent through the IPSec tunnel :( So either I'm doing something wrong (most probably) or pfSense is not doing the NAT properly.

    So, in the end I had to revert to setting up the (so far) unused opt2 network, using the subnet required by my client, configure DHCP to only give out addresses in this subnet range, connect a Wi-Fi access point, connect the computers which need access to the VPN to this Wi-Fi AP (while still using cable for normal LAN+Internet), and finally set up static routes on the computers for accessing the 10.x.x.x VPN over the Opt2 interface.

    Really a shame having to complicate things like this, when it would have been so much more convenient using the NAT capabilities of pfSense. If anybody has any idea of what I did wrong, you're welcome to share ;)

    Cheers,
    Dan

  • IPSEC VPN connect to mobile client (shrew client)

    0 Votes
    4 Posts
    2k Views

    Thank you guys for your answer

  • Roadwarrior vpn, windows 7 and macintosh

    0 Votes
    5 Posts
    2k Views

    Hello,

    As it happens, I have been getting these messages in my ipsec logs:

    failed to pre-process ph2 packet [Check Phase 2 settings, networks]

    but never could figure it out. I also noticed that on the Shrew Soft VPN trace program, security associations would only show up in "larval" state, and shortly be removed from the table.

    I have been playing with things and found this thread: http://forum.gta.com/forum/user-community-support/how-to/190-shrewsoft-vpn-client-problem

    This version of Shrew Soft (2.2.2) has an additional thing to configure on the policy tab: change Policy Generation Level to "unique" and it works: the connection establishes correctly and my formerly "larval" entries change to "mature" and remain in place.

    If I come back in the next couple of days and close this thread, it is because this solved my problem.

    –jason

  • Automatic IPSec Rules

    0 Votes
    2 Posts
    1k Views
    jimp

    For IPsec, you need to allow:

    udp/500 (ISAKMP)
    udp/4500 (NAT-T)
    ESP

    You need only allow those from your remote IPsec peers and not the world, unless you use mobile IPsec tunnels.

  • Help with NAT+IPsec on 2.1

    0 Votes
    6 Posts
    2k Views

    Hi all, my environment is a little different. In my conf I NAT to a single address. It is a "one-way" configuration.

    I never tested the configuration with the bi-nat. (nat of entire network)

    I confirm that it works fine, with NAT on a single address, and a Fortinet gateway on the other side.
    I add that it works fine with 2 phase 2 entries, with different source networks. This is needed to grant access also to OpenVPN roaming users.

    I can help you a little more if you send the real configuration and the log with racoon in debug mode.

    Bye

    DavideDB

  • VPN functionality after upgrade from 1.2.3 to 2.1

    0 Votes
    2 Posts
    2k Views

    OpenVPN not working… IPsec not working... PPTP not working... No help, no matter. I downgraded to 1.2.3 and it works perfectly...

  • Multiple mobile client phase 1 entries

    0 Votes
    1 Posts
    921 Views
    No one has replied

  • I've never done IKE Phase II like this before, can anyone help?

    0 Votes
    10 Posts
    3k Views

    Thanks for taking the time to walk through it with me. Much appreciated.

  • IPSEC Vpn SiteToSite ZyWALL 300 USG

    0 Votes
    2 Posts
    2k Views

    @andmattia:

    Phase 1 goes up OK, but when I try to start the tunnel on phase 2 it doesn't work
    ERROR: error message: '"Could not find acceptable proposal $ '.
    ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.

    Could it be that some of your proposals in phase 2 (crypto and hash) are different/wrong? All phase 2 settings should be configured identically …

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.