Sorry for the late reply, i was out of commission for a bit…

thanks jimp, that did fix it...

@lsens:

How did you solve this problem? I have a similar one with another Cisco Firewall and 2.0.1.

I fixed it by getting rid of my Cisco devices and deploying Pfsense. I got tired of the issues I kept seeing with Ciscos supposed "great' equipment. Found a couple spare boxes, thru in some NIC's and all my sites are stable.

It's not possible to assign them static from the server in that way for mobile IPsec.

Yes. IPsec always has to match up on both ends.

@dhatz:

I'm not sure it's needed to go that route, if you have a relatively "simple" VPN topology.

In my case my wonky proxy settings were misdirecting traffic.  Otherwise my IPsec tunnels just work (though individual computers sometimes need new static routes).

I like the info in your link. 
The GRE network would give me Tunnel IPs that I could use for a static route gateway.  OpenVPN gives me that too but not IPsec tunnels.

Appreciated.

Thanks,
I had the same problem that all other tunnels (whith different phase 2 settings) no longer worked in phase 2.
Disable the global setting "Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )" in mobile clients tab has solved it.

If I may offer a suggestion: In this case just go with OpenVPN.

The other options they offer (PPTP, L2TP/IPsec etc) are meant for those using their PCs to connect and prefer not to install 3rd party VPN tools.

Just do address to address on the phase 2.

Running "killall racoon" at a command prompt should flush the SPD and leave you able to get back in. At least until something gets touched that restarts it, but if you go straight to the IPsec page and delete or fix the wrong entry and save, you should be good.

Packet capture on WAN on both sides filtering on port 500. You probably don't have connectivity in one direction for some reason, like if it's a Comcast business cable modem, those usually enable firewalls within the modem by default that would block IPsec inbound from the Internet .

Hey Brian,

I've got a similar issue, though mine seems to be the inverse of yours. I can ping hosts from PFSense, but PFSense is refusing to send logs over the tunnel, and I can only ping in one direction, not the other. When I ping an internal host from my data center, it tries to be sent out the WAN hole instead of going across the Tunnel.

Do you have any bright ideas on this, seeing as you managed to figure your issue out?

My thread is here - http://forum.pfsense.org/index.php/topic,55900.0.html

For whatever reason, racoon segfaults when I run RSA+Xauth after the client sends back the XAUTH_USER_PASSWORD. This doesn't happen with PSK+Xauth oddly. >:(

System -> Advanced Misc. Turn on MSS to limit the VPN traffic to 1400 (leave blank for this value). Fixed my issue. W00h00 :O)

The problem with it are the not supported synchronization of replay counter in FreeBSD.