• VPN IPsec load balancing with 2 WANs on each side, is it possible?

    0 Votes
    1 Posts
    973 Views
    No one has replied
  • Can I do this with pfSense and IPsec?

    0 Votes
    1 Posts
    927 Views
    No one has replied
  • Transparent IPSec tunnel pass through in routing mode?

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • More secure Diffie-Hellman groups, why not?

    0 Votes
    8 Posts
    9k Views
    I have been using it for the whole year in a production VPN with 2.0.1-RELEASE devices and Fortinet FortiOS v4.x devices. All IKE sessions use DH group 14 (the maximum supported by FortiOS standard edition) without any problem. Many thanks.
  • Only route certain dst IP address via IPSec

    0 Votes
    10 Posts
    4k Views
    @doktornotor:
        @greminn: OK thanks for this! I see... I gave this a go, but had issues. Do I need to change anything at the FortiGate end? Is side one the local end or the remote end?
        Changes are required to be done on both ends of the tunnel, of course.
    OK so I changed both ends' Phase 2s to only have a single IP address in the remote range... When trying to bring up the VPN I get these errors in the logs:
    Aug 8 08:48:36 racoon: [New Media DC VPN]: INFO: IPsec-SA established: ESP 203.167.xxx.x[500]->103.2.xxx.xxx[500] spi=3405420369(0xcafa9751)
    Aug 8 08:48:36 racoon: [New Media DC VPN]: INFO: IPsec-SA established: ESP 203.167.xxx.x[500]->103.2.xxx.xxx[500] spi=50113689(0x2fcac99)
    Aug 8 08:48:36 racoon: [New Media DC VPN]: INFO: initiate new phase 2 negotiation: 203.167.xxx.x[500]<=>103.2.xxx.xxx[500]
    Aug 8 08:48:24 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:48:24 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:48:24 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:48:18 racoon: ERROR: failed to get sainfo.
    Aug 8 08:48:16 racoon: ERROR: failed to get sainfo.
    Aug 8 08:48:12 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:57 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:35 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:13 racoon: ERROR: failed to get sainfo.
    Aug 8 08:47:06 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:58 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:54 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:50 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:50 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:50 racoon: ERROR: no iph2 found: ESP 103.2.xxx.xxx[500]->203.167.xxx.x[500] spi=225044466(0xd69e7f2)
    Aug 8 08:46:50 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:28 racoon: ERROR: failed to get sainfo.
    Aug 8 08:46:28 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 182.236.xxx.xx/32[0] proto=any dir=out
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 182.236.127.0/24[0] proto=any dir=out
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 182.236.xxx.xx/32[0] 192.168.1.0/24[0] proto=any dir=in
    Aug 8 08:46:28 racoon: ERROR: such policy already exists. anyway replace it: 182.236.xxx.x/24[0] 192.168.1.0/24[0] proto=any dir=in
    Aug 8 08:46:28 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:27 racoon: ERROR: no iph2 found: ESP 103.2.xxx.xxx[500]->203.167.xxx.x[500] spi=139426204(0x84f799c)
    Aug 8 08:46:27 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 8 08:46:24 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3405420368.
  • VPN from private network to public address range (traffic issues?)

    0 Votes
    3 Posts
    2k Views
    @doktornotor: Without posting the screenshots of your setting, no, not really any ideas. There's also debug mode for racoon for a reason. "It does not work" is not something to work with.
    Cool... here are the VPN settings, and the VLAN, WAN and Floating rules as well. Will sort some debug logs of racoon as well. Thanks! Simon
    [attached screenshots: Capture1.JPG, Capture2.JPG, Capture3.JPG, Capture4.JPG]
  • IPSec VPN randomly stops working.

    0 Votes
    13 Posts
    8k Views
    pfSense 2.0.2 seems to be working great. IPsec seems to be stable over the last couple of days. There seems to be one issue, which maybe some of you have encountered: enabling UPnP seems to break IPsec.
  • Connected but no Traffic

    0 Votes
    11 Posts
    4k Views
    jimp:
    @kejianshi: ohhhhhhhh... haha, laughing at myself... When a client is disconnected and reconnected a few minutes later, it probably won't pass traffic. It's a weird glitch that I've been assured doesn't exist now... But OK. Anyway, try this. Connect to your VPN. Test it. Now, disconnect and wait 3 minutes. Then connect again and test it. I bet it doesn't work now. Now, go to Status > Services and press the "restart services" button to the right of racoon / IPsec. Bet it works now.
    That was a problem on older snapshots, and still is if you didn't follow this page exactly: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 Double check every setting (especially Prefer Old IPsec SA).
  • pfSense 2.0.3 bug/issue with IPsec post-upgrade

    0 Votes
    5 Posts
    2k Views
    I am experiencing the same issue on 2.0.3. It ran fine on 2.0.2 though. It seems to die at the end of the phase 2 lifetime. BTW, nothing has changed other than upgrading to 2.0.3.
  • Bandwidth utilization over IPsec VPN

    0 Votes
    6 Posts
    3k Views
    Yes. For having many, many connections that originate from behind a single firewall to a single distant point, OpenVPN excels. It doesn't get confused by multiple layers of NAT and things like that. Doesn't care what port you run it on. Doesn't much care how many connections you make on that single port either, although I tend to run as many instances as I have physical cores.
  • Can not connect to my local network via Mobile ipsec

    0 Votes
    2 Posts
    1k Views
    Are you using manual outbound NAT? Would it be a big deal to paste your Phase 1, Phase 2, any firewall rules you have set up for LAN, and your manual outbound NAT page? It would probably go a lot faster then.
  • ERROR: invalid transform-id=4 in IPCOM VPN Fritzbox pfSense

    0 Votes
    2 Posts
    3k Views
    jimp:
    IIRC that means it is trying to use compression with IPsec which we don't have support for.
  • Routing internet through IPSEC Tunnel

    0 Votes
    14 Posts
    9k Views
    Hi, this is just what I was looking for, and it works like a charm. THANK YOU! Now for a follow-up question: I have a webserver in site B that used to be available on its (public, external) IP address thanks to NAT reflection. Now that outbound NAT rule generation is no longer done automatically, that server is no longer available from within sites A and B. From outside it still works fine. We have 6 public IPs in a row and this webserver is not on pfSense's public IP address but on one of the others. I take it I must tell pfSense somewhere that that server must be reachable from inside the LANs, but where and how?
    /edit: OK, I found the solution: under Firewall > NAT > Port Forward, for every port forward rule I had to set NAT reflection to Enable (Pure NAT). Also under System > Advanced I ticked Enable NAT Reflection for 1:1 NAT and Enable automatic NAT for Reflection. I think using all three options might be redundant but it works.
  • Man in the Middle??

    0 Votes
    5 Posts
    4k Views
    I see it here all the time: I'd only get worried if my user password was user1/password1 or some other simple thing and my shared secret was "shared". As long as it's saying "exchange Identity Protection not allowed in any applicable rmconf" I'm not worried. I'll get worried when it's not throwing that error :o (It would be nice to get some fail2ban-like functionality in pfSense for IPsec, SSH, OpenVPN and all the other places guys like my little friend from Amsterdam here will try to get into.)
    Jul 23 03:28:45 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:45 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:49 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:49 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:50 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:50 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:51 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:51 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:54 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:54 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:57 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:57 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:58 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:58 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:28:59 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:28:59 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:02 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:02 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:05 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:05 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:08 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:08 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:11 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:11 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:14 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:14 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:17 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:17 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:20 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:20 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:23 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:23 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:26 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:26 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:29 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:29 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:32 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:32 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:35 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:35 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:38 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:38 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 23 03:29:41 racoon: ERROR: Invalid exchange type 243 from 193.67.0.27[26129].
    Jul 23 03:29:41 racoon: [193.67.0.27] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
  • Optimize IPsec speed

    0 Votes
    2 Posts
    2k Views
    I've had all kinds of issues with 2.0.x and even 2.1 with regards to IPsec. This is the reason I've stayed on 1.2.3 for most sites; rock solid with the required IPsec connections. Also, having to work with other VPN devices, IPsec is standard use. Try it and see if it helps you.
  • Android Device/Emulator get internet through pfsense

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec from mobile Client to IPsec Site2Site Connection

    0 Votes
    2 Posts
    1k Views
    Hello, the LANCOM not allowing multiple Phase 2 entries will probably be a problem for you. I believe there needs to be a pair of SA entries PER subnet, so the LANCOM would also need to know about your mobile network. Of course, you MIGHT be able to use a larger CIDR network... change the IPsec tunnel between the LANCOM and your pfSense box to be 192.168.16.0/23 (note the /23), and change your mobile network from 172.16.17.0/24 to 192.168.16.0/24. The 192.168.16.0/23 network is shorthand for 192.168.16.0-192.168.17.255.
    --jason
  • Need some guidance on IPsec firewall rules

    0 Votes
    2 Posts
    4k Views
    Hello, the first thing to remember is that the firewall is a default "block all", therefore you only need to allow access from their hosts to your one.
    (Rule is set up as BLOCK)
    x  IPv4  *  172.16.5.0/24  *  ! 192.168.111.4  *  *  none  "Only allow remote network to access single local host"
    … Block any packet from the supplier network (by definition over the IPsec VPN) that isn't destined for the desired single host on my network.
    Second is to remember that rules apply on INBOUND connections, thus you want a rule like this on your IPsec interface. Thus, the pseudo-code would read: "allow all traffic from 172.16.5.0/24 to 192.168.111.4"
    --jason
  • 2.0.3 LAN-to-LAN IPsec VPN with Overlapping Networks

    0 Votes
    3 Posts
    2k Views
    jimp:
    Correct, NAT+IPsec will only work on 2.1 using the NAT option in the Phase 2 settings.
  • IPsec VPN for non-technical Windows users

    0 Votes
    24 Posts
    7k Views
    Hmmmm. Which version of Windows are you using? If it's not Windows XP, you need to right-click the install file and "Run as administrator", otherwise you get connected but it won't route you anywhere. If you didn't install it as admin, the easy fix is to uninstall it, then reinstall (Run as administrator this time). Occasionally you get an issue where you have to allow it in your firewall rules on the Windows box, depending on the firewall.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.