  • Racoon.conf read error???

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    Thank you! I was working with site-to-site VPN so intently I didn't even think to look at the mobile VPN page.  All is well now.

    Thanks again!

  • Example: pfSense and Openswan (mobile pfsense, gateway-to-gateway)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • SOLVED!!!!!! VPN between pfsense 2.0.3 and IPCop 1.4.21

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Solved. It was because of the ipcop firewall, which already had that connection with another ipcop, so I tried to connect to another location and it works. I think I need to restart this ipcop to clean its memory and it should work.

    THX

  • Racoon crashes on v2.0.3.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Need help with IPSEC VPN Phase 2 not coming up

    Locked
    6
    0 Votes
    6 Posts
    4k Views

    Ok, then can PFSense handle having Phase 1 and Phase 2 in the same subnet? 
    On the local side the p1 IP = CARP VIP (WAN if)  p2 IP = IP Alias VIP (WAN if)

    NAT 1:1 WAN if
    WAN rules created
    IPSEC rules created

    Still does not come up.

  • IPSEC P2P advice needed

    Locked
    2
    0 Votes
    2 Posts
    1k Views

    I have now managed to get what I can assume is a stable connection between both locations using IPSEC.

    I am just a bit lost how to resolve remote hostnames.

    I have added a remote device on location 2 to the hosts file of a computer on location 1 and I now can ping across the IPSEC tunnel to that device.

    I am guessing I now need to look at some sort of DNS that will resolve hostnames automatically and is accessible from both locations, as adding hostnames will be a bit of a pain.

  • IPSEC Not Working With This Conf.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ipsec vpn with iPhone

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • New guy trying to get ipsec to work on my phone.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Peer Identifier except Address does not work

    Locked
    5
    0 Votes
    5 Posts
    2k Views

    Double, triple and more times checked. Another try this morning with DN, but always

    ERROR: couldn't find the pskey for ERROR: failed to process ph1 packet (side: 0, status: 6).

    Luckily this is the only Site2Site with Dynamic IP on the Remote Site. I changed all other Tunnels to
    Peer identifier = Peer IP address
    to make them work.

    Has anyone successfully established a connection between PfSense 2.0.2 and Linux Openswan U2.6.21/K2.6.30.10-105.2.23.fc11.i586 (Fedora 11) or a LANCOM box with a Peer identifier other than Peer IP address?

  • Large amount of data over IPSec breaks network/NAT

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    That sounds a lot like what would happen if your sync process started going nuts with huge numbers of connections and maxes out the state table. Check your RRD States graph vs. your states limit.

  • VPN stops working, one endpoint drops ESP/ISAKMP packets

    Locked
    5
    0 Votes
    5 Posts
    2k Views

    Thanks!

    So in this particular case when this issue cropped up, I had 2 VPNs drop between 3 pfSense machines.

    FW-A: Single pfSense box
    FW-B: HA pfSense boxes
    FW-C: HA pfSense boxes

    There are 2 IPsec VPNs: 1 between FW-A <-> FW-B and 1 between FW-A <-> FW-C.

    I did find that the "Disable all auto-added VPN rules" was enabled on FW-A and FW-C which is now disabled, but the setting was already disabled on FW-B.

    Looking at /tmp/rules.debug under "VPN Rules" I see rules on both FW-A and FW-C, but none under FW-B. Any idea why? I've double and triple checked the "Disable all auto-added VPN rules" setting and did note that when enabled, a comment under VPN rules is noted as disabled so I know the setting is being noted.

  • Dual WAN VPN implementation - suggestions welcome

    Locked
    2
    0 Votes
    2 Posts
    1k Views

    Recent snapshots offer IPsec failover capability (using gateway group), however you might find it better to migrate to OpenVPN and OSPF.

  • Button Connect VPN on ipsec

    Locked
    7
    0 Votes
    7 Posts
    2k Views

    I understand, thanks cmb!! thanks jimp!!

  • Pfsense 2.02 Ipsec VPN goes down randomly

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    "racoon: ERROR: phase1 negotiation failed due to send error" is what happens when you have a misconfigured PPTP server and a client disconnects. PPTP server should never use an assigned IP of any sort, especially WAN, as its server IP.

  • Gateway to Gateway with IPSec not working

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    I spoke too soon.  While the link you provided is correct in that this will allow the gateway to directly connect to systems on the other side of the VPN, it also appears to be causing routing issues for every box that is not the gateway when it's enabled.

    Prior to adding the static route according to the link, I can ping any system (on B network) from my desktop (on A network), however, any attempt to ping a system (on B network) from the gateway (on A network) itself will fail.

    If I then add the route, I can ping any systems (on B network) from the gateway (on A network), but my desktop (on A network) can no longer ping any systems (on B network).  I have noticed that sometimes it appears as though one packet "slips by" but from that point on it's destination host unreachable… oddly, the response is coming from my desktop's IP (not any gateway).

  • How to restart racoon from watchdog script

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    Hi,

    I'm running 2.0.2 with racoon 0.8.0.

    The right combination of loss of connectivity to remote endpoints seems to be triggering the crashing.

    I've submitted a bug report here:

    https://sourceforge.net/tracker/?func=detail&aid=3603844&group_id=74601&atid=541482

    I also submitted this to FreeBSD a while ago, but it got closed.  Should I open up a new one?

    http://www.freebsd.org/cgi/query-pr.cgi?pr=168104

    It seems like the more Phase1's not establishing, the more likely racoon is to segfault.

  • IPsec overhead

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Someone Help! No traffic going via IPSEC tunnel

    Locked
    5
    0 Votes
    5 Posts
    2k Views

    I am by no means an expert. But since the experts have not had time to respond, I thought I'd give my two cents as I've had a pfsense site to site ipsec tunnel working for some time.  In phase 2 what did you put for local network and remote network?  I have local subnet selected for the first and the address ip for the remote network.  I believe this sets up the routing needed from one subnet to the other.  Since you are going from WAN interface to another router as your default gateway, there was an entry in the pfsense guide that mentioned you might have to set up static routes from one network to the other. For your layout, pfsense is not the gateway router.  There are some considerations in the guide for that. I'm not sure if posting from the guide is allowed for copyright reasons. I will try to summarize.  A static route could be entered into the gateway router that will redirect traffic destined for the far side of the tunnel to the pfSense router.
    There may be some issues with this and it goes on to recommend that pfsense be made the default gateway of both networks.  I hope this helps.  FYI, both ends of my tunnel have pfsense as the gateway.  I hope this helps.

  • Issue with connecting to IPSec VPN

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Oddly enough I had this exact error and happen to have UPnP enabled. Though my workaround was to change "My Identifier" to Dynamic DNS instead of My IP address.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.