
    OK - To me it seems that IPsec on an Android device, particularly using the VPN that comes pre-installed, is somewhat of a mystery to most.  So, since I bothered to solve my own problem and now have ICS Android working from my Android to my pfSense seemingly as well as my OpenVPN, without any split tunneling or weirdness, I will share my experience and my deviations from previously posted how-tos.

    This is not for point to point.  Point to point is talked to death.

    Not much different in what I've done compared to what is ALL OVER THE INTERNET, but it seems to matter a lot.

    Phase1

    Click the "Enable IPsec" box

    Interface - WAN
    Description - A name you like
    Authentication method - Mutual PSK + Xauth
    Negotiation Method - aggressive
    My identifier - Dynamic DNS -  my-dynamic.address.net  (I chose dynamic because my home router uses dynamic DNS - My IP may work fine)
    Peer identifier - allmyusers@myownvpn.com  (make up an address if needed, but don't leave it blank.  It's important)
    Pre-Shared Key - Make one up. I'll use kilrapplease. Make it a bit long but memorable.  (This is the ONLY pre-shared key that will go into your phone)
    Policy Generation - Unique
    Proposal Checking - obey
    Encryption algorithm - AES 128
    Hash algorithm - SHA1
    DH key group - 2
    Lifetime - 86400
    NAT Traversal - Enable
    Dead Peer Detection - Enable DPD
    Delay between requesting peer acknowledgement - 10
    Number of consecutive failures allowed before disconnect - 5

    SAVE

    Under Mobile Clients
    click  Enable IPsec Mobile Client Support box
    User Authentication - system
    Group Authentication - system
    Virtual Address Pool - click  Provide a virtual IP address to clients
    network - 10.80.12.0 / 24  (pick an address range not in use on pfSense, I suggest a /24)
    click Provide a list of accessible networks to clients
    click Save Xauth Password (probably makes no difference, but why not)
    DNS Default Domain - click Provide a default domain name to clients
    enter a domain name like - totallyipsecdomain  (just make up one that's not in use on your pfSense)
    DNS Servers - (I would enter 2)
                          216.146.35.35  (this one is dyndns)
                          8.8.8.8            (this one is Google)    It's probably better to run your own DNS server if you know how.
    WINS Servers - All blank and unchecked.
    Phase2 PFS Group - unchecked
    Login Banner - Welcome - You are now connected to my sick little world  (Or something else you like.  These pop up if you are using an iPhone)

    SAVE

    Phase II mobile client
    Mode - tunnel
    Local Network - LAN Subnet (or whatever subnet you want to reach.  Hopefully it's one you use daily and has good firewall rules that work)
    Description - myphase2 (or some name you makeup)
    Protocol - ESP
    Encryption algorithms - AES / 128 / auto    (make sure the others are unchecked)
    Hash algorithms - SHA1 (uncheck MD5)
    PFS key group - off    (this will break your VPN if you turn it on and it's not an option in your client)
    Lifetime - 28800
    Automatically ping host - leave empty  (I'm wondering why I'd want to ping anything?  I can't see the results on my phone)
    SAVE

    Now, here is where the stuff I've read online sort of gets confusing/wrong.

    For this to work, you need to create/use a user on pfsense.
    Go to System > User Manager
    Create a new user (unless there is already a user there you plan to use)
    Give the user a username and a password and write those down. I'll use guyone and passwd4guy1
    Give user a full name, leave expiration date blank, create a user cert if you like (useful for openvpn)
    IPsec Pre-Shared Key - enter a pre-shared key here.  just make up something a bit long  - YOU WILL NOT BE USING THIS ANYWHERE but its required.
    SAVE

    *********************You might need ************************
    In pfSense you might need to make a MANUAL entry in Firewall > NAT > Outbound if you use manual outbound NAT, like me.
    To allow the IPsec domain you made up (10.80.12.0 / 24 in this example) to see the web, you need to add an outbound NAT entry.
    Interface - WAN
    protocol - any
    Source - Network
                10.80.12.0 / 24 (the number you made up anyway)
    Source port - leave empty
    Destination - any
    address - leave alone
    destination  - leave blank
    translation - Interface Address
    port - leave blank
    Static port (I checked it to make it play nicer with MY SIP servers, but blank is fine usually)
    No XMLRPC Sync - unchecked
    Description  - Rule to pass IPsec (word it how you like)
    SAVE
    *Remember, this rule might not be necessary if you use automatic outbound NAT (which I do not)

    Next firewall rule isn't optional.

    Firewall > Rules > IPsec
    add new rule

    Action - pass
    Interface - IPsec
    Protocol - any
    Source - any
    Destination - any
    Description - Allow all from IPsec (word however you like)
    SAVE

    Go to Status > Filter Reload
    Click home menu for pfsense again.  We should be done on the router.

    ******  The rest of this happens on your phone, tablet or whatever*****

    Now - grab your android phone, on cellular data please or network outside your own.
    Doing this on the same lan as your server won't prove anything and will likely cause conflict.

    On my ICS Android phone it's Settings > VPN > More > VPN > Add VPN

    select IPsec Xauth
    Server address = your DNS domain or pfsense's public IP (I entered my dynamic dns name here)
    for IPsec Identifier = use the email looking address you made up (I used allmyusers@myownvpn.com)

    IPsec pre-shared key (This is the one we made up while configuring the tunnel, not the one when we made the user / password.)
    I used kilrapplease

    For DNS search domain (I left it blank)

    DNS Servers - (I entered 8.8.8.8    If there is one you prefer, use that)

    MEGA Important
    Forwarding routes - Set this to 0.0.0.0/0  (if you don't your routing will be split.  Half the time it will go around your VPN)
    SAVE

    Now connect to your VPN.
    Use the username for the user we created on pfsense and the password.  (I used guyone and passwd4guy1)
    If you have the option and you want, click the "save account info button", else you have to enter the username/passwd each time.
    Press connect.

    If your phone is anything like mine, you should have a working pfSense IPsec Tunnel VPN without flaky hit-and-miss routing now.
    I verified this by going to whatsmyip.org to ensure it's showing as my home server IP and I went to one of my servers behind my pfSense using only its private IP address.  Both worked as expected…  FINALLY.

    I will add a section about the iphone after I catch some ZZZZZZzzzzs.
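    The recipe above is what the stock Android Xauth/PSK client can actually negotiate, and several of its choices (aggressive mode with a group PSK, DH group 2, SHA1, PFS off, and a pass-any rule on the IPsec interface) are exactly the things a reviewer would flag afterwards. Below is an added example, not part of the post above and not pfSense's own code, that parses a pfSense-style config.xml fragment mirroring those settings and reports the findings. The element names follow pfSense's config.xml layout as I know it but are an assumption here; check them against a real backup before pointing the script at one.

```python
"""Audit a pfSense-style IPsec mobile-client configuration for weak choices."""
import xml.etree.ElementTree as ET

# Constructed config fragment reproducing the post's phase 1, phase 2 and the
# "Allow all from IPsec" firewall rule. The element names are an assumption
# modelled on pfSense's config.xml, not copied from a real backup.
CONFIG_XML = """<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <interface>wan</interface>
      <mode>aggressive</mode>
      <authentication_method>xauth_psk_server</authentication_method>
      <peerid_type>user_fqdn</peerid_type>
      <peerid_data>allmyusers@myownvpn.com</peerid_data>
      <pre-shared-key>kilrapplease</pre-shared-key>
      <encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <mobile/>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <mode>tunnel</mode>
      <protocol>esp</protocol>
      <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>28800</lifetime>
      <mobile/>
    </phase2>
  </ipsec>
  <filter>
    <rule>
      <type>pass</type>
      <interface>enc0</interface>
      <source><any/></source>
      <destination><any/></destination>
      <descr>Allow all from IPsec</descr>
    </rule>
  </filter>
</pfsense>
"""

WEAK_DH_GROUPS = {"1", "2", "5"}            # 768-, 1024- and 1536-bit MODP
WEAK_HASHES = {"md5", "sha1", "hmac_md5", "hmac_sha1"}
MIN_PSK_LEN = 20                            # heuristic floor for a shared group PSK


def audit(xml_text):
    """Return a list of (code, detail) findings for an IPsec config fragment."""
    root = ET.fromstring(xml_text)
    findings = []

    for p1 in root.iterfind("./ipsec/phase1"):
        where = "phase1 ikeid=%s" % p1.findtext("ikeid", "?")
        mode = p1.findtext("mode", "")
        auth = p1.findtext("authentication_method", "")
        if mode == "aggressive" and "psk" in auth:
            findings.append(("P1_AGGRESSIVE_PSK", where + ": aggressive mode sends the PSK-derived "
                             "hash unencrypted; anyone who knows the peer identifier can collect it "
                             "and crack the PSK offline"))
        if p1.findtext("dhgroup", "") in WEAK_DH_GROUPS:
            findings.append(("P1_WEAK_DH", where + ": DH group %s is a short MODP group; group 14 "
                             "(2048-bit) or stronger is the floor today" % p1.findtext("dhgroup")))
        if p1.findtext("hash-algorithm", "").lower() in WEAK_HASHES:
            findings.append(("P1_WEAK_HASH", where + ": %s is deprecated for IKE integrity; "
                             "prefer SHA-256" % p1.findtext("hash-algorithm")))
        psk = p1.findtext("pre-shared-key", "")
        if "psk" in auth and len(psk) < MIN_PSK_LEN:
            findings.append(("P1_SHORT_PSK", where + ": PSK is %d characters; a group PSK carried "
                             "by every phone should be long and random" % len(psk)))

    for p2 in root.iterfind("./ipsec/phase2"):
        where = "phase2 ikeid=%s" % p2.findtext("ikeid", "?")
        if p2.findtext("pfsgroup", "0") == "0":
            findings.append(("P2_NO_PFS", where + ": PFS off, so child SA keys derive from the IKE "
                             "SA alone and fall with it"))
        if p2.findtext("hash-algorithm-option", "").lower() in WEAK_HASHES:
            findings.append(("P2_WEAK_HASH", where + ": %s integrity; prefer hmac_sha256"
                             % p2.findtext("hash-algorithm-option")))

    for rule in root.iterfind("./filter/rule"):
        if (rule.findtext("type") == "pass" and rule.findtext("interface") == "enc0"
                and rule.find("source/any") is not None
                and rule.find("destination/any") is not None
                and rule.find("protocol") is None):
            findings.append(("FW_IPSEC_PASS_ANY", "rule '%s': every road warrior reaches every "
                             "host and port behind the firewall; scope it to what they need"
                             % rule.findtext("descr", "")))

    return findings


if __name__ == "__main__":
    for code, detail in audit(CONFIG_XML):
        print("%-18s %s" % (code, detail))
```

    The Android built-in IKEv1 Xauth/PSK client only does aggressive mode, so the first finding is a trade-off you accept knowingly rather than a misconfiguration: make the PSK long and random, since someone who learns the group identifier can collect the hash and attack the PSK offline, after which the Xauth password is all that protects the networks the pass-any rule exposes. The other findings (DH group, hash, PFS, rule scope) can be tightened as far as the client allows without changing the recipe.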

  • IPSec VPN Dual LAN Gateway - Configuration

  • Tunnel established, no traffic?


    I assume the server is at Site A according to your diagram?
    Do you have a rule set up in firewall for the interface involved to pass traffic?
    Do you have a rule on the outbound NAT to pass the traffic on that domain to WAN?

    (I've noticed also that links between two pfSense boxes seem easier and more sure-fire than between pfSense and most other things)

  • IPSec tunnel, Virtual IP and NAT


    Hi

    were you able to find a solution?
    I have the same problem: a customer needs me to have a different subnet as source IPs.
    I added a Virtual IP to my LAN Interface, the tunnel is up, they can ping my Virtual IP, but I am not able to reach their remote LAN from my LAN.
    I have been trying to change the NAT rules, but without success.

    Michele

  • IPSEC between Pfsense and Linksys RV042


    @hongkonger:

    I am not sure how to set it up. If you can post your working config I can probably copy it; hopefully your pfSense is also behind a router lol

    NO, I have the RV042 on one end (DHCP from AT&T Uverse) and pfSense on the other end (static Comcast), with a DNS alias in the middle to resolve the IP for the RV042 end.

    But my config will not help you with this, it's more important that you line up the values between the RV and pfSense.


  • PfSense v2.0.3 L2TP form save issue

    jimp

    It's adjusting the IP to match the subnet mask you give it. That's normal.

  • Ipsec vpn


    Problem solved

    some of the remote IPs I tested do not have a default gateway set up

    Easy as that!!!

  • Racoon crashed, core dumped


    A FreeBSD developer is asking me for backtraces, but they don't seem to be that informative.

    Aren't there separate binaries with debugging symbols that you are supposed to use when doing this?

    GNU gdb 6.6 [GDB v6.6 for FreeBSD]
    Copyright (C) 2006 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-portbld-freebsd8.1"...
    (no debugging symbols found)
    (no debugging symbols found)
    Core was generated by `racoon'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x080672a9 in ?? () from /libexec/ld-elf.so.1
    (gdb) bt
    #0  0x080672a9 in ?? () from /libexec/ld-elf.so.1
    #1  0x2854de48 in ?? ()
    #2  0x00000000 in ?? ()
    (gdb) quit
  • RV082 s2s tunnels behind pfSense

  • 2.1-DEV IPsec to MacOSX 10.8


    Hi Rudivd,

    I am trying to connect my Mac OS X 10.8 to pfSense 2.1 RC.
    Can you please tell me how to set up the connection? I followed some settings from http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To but it does not work. It shows "server no response" and the pfSense log says "ERROR: exchange Identity Protection not allowed in any applicable rmconf."

    Thanks,
    Edward

  • Bonjour through IPSec


    Very strange now. Now I can see some Bonjour services from the remote side in Safari and in an app called Bonjour Browser. But they are not reachable, nor can they be resolved. It seems that some information comes through the VPN tunnel but not all the needed stuff. Any idea?

  • IPSec VPN for mobile users


    I took a stab at fixing this problem.  Details here:

    http://redmine.pfsense.org/issues/1351

  • IPsec Unable to Ping Lan PCs

  • How to make ipsec tunnel to be established automatically if dropped?

    luckman212

    Ah, didn't know any of that – thanks for the clarification. Good to know about the pings bringing up the tunnel!

  • Mobile Client and second WAN

    jimp

    Unfortunately there is no way to have a second mobile config, only one is supported.

    If you need the same one to answer on both WANs, you might be able to accomplish that by forwarding udp/500 udp/4500 and esp from WAN2 to WAN1, but that would most likely break any other non-mobile tunnels you also have on WAN2. Don't quote me on that though, pure speculation that it would even work.

  • IPSEC Tunnel using Public IP's


    Did you ever get this worked out?  I am having a similar issue…

  • IPSec policy-based VPN (vs route-based VPN)


    We resolved our issue by checking that no intermediary device was blocking ESP protocol traffic.

    Even though SA "exchange/handshake" was completed and DPD transferring over UDP 500… ESP transfer was our root cause!

  • VPN pfSense to Juniper SSG140 - Phase 2 negotiates, no data transfer


    Thanks for your advice. We believe that it is working now with some minor changes to the pfSense end.

    We have gone back to basics on IPSec.

    Since the Security Associations (SA) were being established between the two sites, but traffic was flowing OUT OF the pfSense (to somewhere) and not flowing INTO the pfSense from the second site (from y.y.y.y), and no traffic was being received at the second site, we assumed that there must be some device in the way that was blocking the data traffic.

    Since the data traffic is handled on ESP Protocol, something must be blocking that.

    Changing the router configuration, so instead of using open ports (UDP 500) for NAT, we tested by using a DMZ/address map. As soon as this was changed, data started to flow and SSH connections could be made.

    We also made it more robust by adding a gateway definition for the LAN interface and Firewall rules to pfSense to run LAN 172.20.0.0/16 via the LAN GW. Belt and braces really (plus enables better fault finding).

    During this process we ruled out red herrings such as:

    - IPv6 redirection issues
    - Routing table issues on the SSG140s
    - Firewall policies on the SSG140s
    - Scrub

    This experience leads me to favour pfSense over packaged Juniper products (e.g. SSG140):

    - Better overall fault diagnosis than Juniper
    - Better tracing of traffic
    - Better tuning of configuration parameters
    - Better log information
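
    The last two threads ended the same way: the IKE exchange completed, DPD on udp/500 looked healthy, and the tunnel still carried nothing because IP protocol 50 (ESP) was being dropped by a device in front of one peer. The fastest way to prove that is a tcpdump on the outside interface and a count of ESP packets per direction. Below is an added example, not from either thread, that runs that check over a constructed `tcpdump -n` style capture; the addresses are documentation-range addresses and the packet lines are made up to reproduce the pattern (IKE both ways, ESP only outbound).

```python
"""Tell 'IKE up but no ESP' apart from a broken SA by counting ESP per direction."""
import re
from collections import Counter

LOCAL_WAN = "192.0.2.10"       # our outside address (documentation range, constructed)

# Constructed `tcpdump -n -i <wan>` output: IKE on udp/500 completes in both
# directions, ESP only ever leaves. Addresses, times and SPIs are made up.
CAPTURE = """\
10:00:00.000001 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:00:00.040000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
10:00:00.080000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick[E]
10:00:00.120000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 2/others R oakley-quick[E]
10:00:01.000000 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x1), length 132
10:00:02.000000 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x2), length 132
10:00:03.000000 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x3), length 132
10:00:10.000000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 2/others R inf[E]
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

VERDICTS = {
    "IKE_INCOMPLETE": "IKE did not complete both ways; fix phase 1/2 before looking at data.",
    "ESP_INBOUND_BLOCKED": "ESP leaves but never arrives: IP protocol 50 is being dropped or not "
                           "forwarded by a device in front of this box (forwarding udp/500 alone "
                           "does not pass ESP). Use a 1:1/DMZ mapping or NAT-T on udp/4500.",
    "ESP_OUTBOUND_BLOCKED": "ESP arrives but nothing is sent back: check the phase 2 selectors, "
                            "the IPsec interface rules and the route for the remote subnet.",
    "NO_ESP_SEEN": "SAs are up but neither side has sent data; generate traffic and re-check.",
    "TUNNEL_PASSING": "ESP flows both ways; the problem is not at the transport layer.",
}


def split_host(token):
    """'198.51.100.20.500' -> ('198.51.100.20', 500); a bare address gets port None."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def classify(payload, sport, dport):
    """Map one tcpdump payload description to the traffic class we care about."""
    if payload.startswith("isakmp"):
        return "IKE"
    if payload.startswith("ESP("):
        return "ESP"
    if 4500 in (sport, dport):
        return "NAT-T"          # UDP-encapsulated IKE or ESP
    return "OTHER"


def tally(capture, local):
    """Count packets per (kind, direction) as seen from the local WAN address."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_host(m.group(1))
        dst, dport = split_host(m.group(2))
        kind = classify(m.group(3), sport, dport)
        direction = "out" if src == local else "in" if dst == local else "transit"
        counts[(kind, direction)] += 1
    return counts


def diagnose(capture, local):
    """Return one VERDICTS key describing where the data path is broken."""
    c = tally(capture, local)
    if not (c[("IKE", "out")] and c[("IKE", "in")]):
        return "IKE_INCOMPLETE"
    esp_out = c[("ESP", "out")]
    esp_in = c[("ESP", "in")] + c[("NAT-T", "in")]   # udp/4500 arriving also proves the path
    if esp_out and not esp_in:
        return "ESP_INBOUND_BLOCKED"
    if esp_in and not esp_out:
        return "ESP_OUTBOUND_BLOCKED"
    if esp_in and esp_out:
        return "TUNNEL_PASSING"
    return "NO_ESP_SEEN"


if __name__ == "__main__":
    verdict = diagnose(CAPTURE, LOCAL_WAN)
    print(verdict, "-", VERDICTS[verdict])
```

    Run the same count on the other peer's outside interface: if ESP is seen leaving there too but never arrives here, the drop is between the two, which is the situation the DMZ/address-map change in the SSG140 thread fixed. Protocol 50 has no ports, so a plain "open udp/500" forward on a consumer router does nothing for it.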
  • Cisco PIX IPSec and PfSense 2.0.3

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.