Does anybody have an idea?
Last week we reinstalled pfSense using a backup of the current configuration.
We still have this problem.
Is there another way to check the racoon configuration?
Best regards,
Trexman
Hi Midnight_Shadow,
Thanks for the reply.
I succeeded in establishing NAT before IPsec on both sides without problems. :D
The problem was with my IPCop on Site B. My firewall established the connection to the SonicWall using NAT over IPsec.
If anyone needs more information, let me know.
I've seen similar errors when there is a mismatch on negotiation mode (aggressive vs. main). Check your settings, and if everything is correct on both sides, try rwalker's suggestion and recreate the tunnel.
Hello,
Have you already given up?
I've configured IPSec site-to-site VPNs between Cisco 1841 & 2801 routers, and between the Cisco 2801 router & a pfSense firewall.
Maybe we can try to find a solution, if you agree.
Thanks.
Is there an updated document for this?
The link below is for version 1.2…
https://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
Does anyone currently have IPsec working with the latest release between pfSense 2.1 and a Cisco ISR?
If so, could someone post both configs if possible?
In your Phase 2 settings under Advanced Options set an address on the remote network to be pinged. This may allow the tunnel to re-establish after it disconnects. Try adjusting the settings of dead peer detection in Phase 1 or disable it completely and see what happens.
It seems like there is traffic being blocked by the IPSec tunnel. Try doing packet captures to trace where the packets are getting to. That way you'll be able to see which part needs troubleshooting.
Update (18/12/2013):
I just set up a mock network using VMware with two pfSense boxes, a DC behind one and a Windows 8 client behind the other. The client authenticated fine over the IPSec tunnel I set up. There must be something you are doing wrong. I suspect it's a DNS issue.
What IPSec client are you using?
Do you mean restrict access from remote IP's connecting to your mobile VPN or restrict access within the mobile VPN to other networks?
Just set up another phase 2 entry on the site-to-site VPN on the IPSec endpoint that your mobile users connect to using your mobile VPN subnet as the local subnet.
Depending on your IPSec client there should be an option to automatically route all traffic through the VPN. You will need to add an outbound NAT rule for your IPSec subnet.
I continued my query here on Reddit: http://www.reddit.com/r/PFSENSE/comments/1s8v4s/mss_clamping_not_apparently_working/
Any ideas as regards the general nature of my blackhole and how to eradicate or work around it? I'm still trying to work out whether it's an issue with my Infinity line or my virtualised pfSense router on the end of it, although replacing the pfSense instance made no difference.
Dec 4 21:42:09 racoon: ERROR: HASH mismatched
Your P1 hash type is mismatched on pfSense and the Cisco router. Post your Cisco config and pfSense Phase 1 config here.
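As an added example that is not part of this thread (and not pfSense or racoon code), here is a small Python triage script that applies the pattern the replies about "HASH mismatched" and about aggressive/main mode mismatches both use: read the racoon log, pick out the racoon lines, and map each recognised message to the Phase 1 setting to compare on the two peers. The log lines in it are constructed, modelled on the single racoon line quoted above; the message-to-cause table is my own reading of the common racoon error strings and is meant to be extended. For "HASH mismatched" the table names the pre-shared key alongside the hash algorithm, because in main mode the HASH payload is computed from key material derived from the PSK, so a wrong PSK produces the same error.

```python
"""Triage racoon (pfSense 2.x IPsec daemon) log lines.

Added example, not code from the forum thread or from pfSense/racoon.
The SAMPLE_LOG below is constructed; the RACOON_HINTS table is an
assumption about which racoon messages matter most and what they mean.
"""
import re

# (substring of the racoon message, likely cause, what to compare on both peers)
RACOON_HINTS = [
    ("HASH mismatched",
     "Phase 1 HASH payload did not verify",
     "compare the pre-shared key and the P1 hash algorithm on both peers"),
    ("exchange Aggressive not allowed",
     "negotiation mode mismatch (peer sent aggressive, local allows main only)",
     "set both peers to the same negotiation mode"),
    ("no suitable proposal found",
     "Phase 1 proposal mismatch",
     "compare encryption, hash, DH group and lifetime on both peers"),
    ("couldn't find the pskey",
     "no pre-shared key entry for this peer",
     "check the remote gateway address / peer identifier"),
    ("phase1 negotiation failed",
     "Phase 1 aborted; the reason is in the preceding ERROR line",
     "read the lines immediately before this one"),
    ("ISAKMP-SA established",
     "Phase 1 completed",
     "if traffic still fails, look at Phase 2 and firewall rules"),
]

# syslog-style line: "Dec 4 21:42:09 racoon: ERROR: HASH mismatched"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_line(line):
    """Split a racoon syslog line into ts/level/msg; None if not racoon output."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return (cause, check) for a racoon message, or None if unrecognised."""
    for needle, cause, check in RACOON_HINTS:
        if needle in msg:
            return cause, check
    return None


def triage(lines):
    """Annotate every racoon line with a cause and a check.

    Unrecognised racoon messages are kept with cause=None so nothing is
    hidden; lines from other daemons are dropped.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["msg"])
        rec["cause"], rec["check"] = hit if hit else (None, None)
        findings.append(rec)
    return findings


def summarize(findings):
    """Distinct causes in first-seen order, for a quick read of a long log."""
    seen = []
    for f in findings:
        if f["cause"] and f["cause"] not in seen:
            seen.append(f["cause"])
    return seen


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
Dec 4 21:42:09 racoon: INFO: begin Identity Protection mode.
Dec 4 21:42:09 racoon: ERROR: HASH mismatched
Dec 4 21:42:09 racoon: ERROR: failed to pre-process ph1 packet (side: 1, status: 1).
Dec 4 21:42:09 racoon: ERROR: phase1 negotiation failed.
Dec 4 21:42:31 racoon: ERROR: exchange Aggressive not allowed in any applicable rmconf.
Dec 4 21:43:15 php: /status_services.php: unrelated line from another daemon
Dec 4 21:45:02 racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:1a2b3c4d5e6f7081:8192a3b4c5d6e7f8
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for r in results:
        print(f"{r['ts']} {r['level']:5} {r['cause'] or '(no hint for this message)'}")
        if r["check"]:
            print(f"    -> {r['check']}")
    print("distinct causes:", summarize(results))
```

Run it against `clog /var/log/ipsec.log | python3 triage.py` style input (or paste the log into SAMPLE_LOG) and read the "distinct causes" list first; the per-line output then tells you which pair of Phase 1 fields to put side by side on pfSense and the remote peer.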
Packages would not touch that. There aren't any that would replace the racoon binaries.
The safest way forward would be to backup your config, wipe/reinstall 2.1, and then restore your backup.