• How to choose outgoing IP for local traffic to ipsec tunnel?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mobile Clients different rights

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D

    I see… is there any quick and good guide about that?

    I tried also to make shrew client connect to a NOT-Mobile_clients tunnel to solve my problem, but I can't succeed. Is this possible in any way? I tried many configurations, and I can actually connect, but I always get this:

    racoon: ERROR: failed to get sainfo.
    racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    So the problem should be about local and remote network. I set up a fixed address in shrew client and put the same as remote network and the pfsense lan subnet as local network. I'd like to know if I'm just wasting my time and should try openvpn or if I could solve it.

    Thanks!

  • Ipsec vpn problem

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    A

    @cmb:

    Seems you're probably better off posting in the Turkish board, what you posted doesn't make much sense in English and the users on that board can probably help better than us English speakers are able to.
    http://forum.pfsense.org/index.php/board,47.0.html

    What you're showing there is just the normal startup log, if that's all you have in your log, nothing is trying to initiate traffic that matches your configured IPsec

    Buddy, I already sorted it out, but thank you anyway for your help.

  • Racoon PAM + google authenticator

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    K

    this is great!!!

    I hope this gets included as an option for ipsec clients!

  • IPSec VPN

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

  • IPSec Site to Site - pfSense 2.01 <> m0n0wall

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    It's almost the exact same config screens, match your settings appropriately as explained in the link above, configure rules on IPsec as desired, and that's all there is to it.

  • Ipsec vpn to mikrotik

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC ShrewSoft VPN Woes

    Locked
    10
    0 Votes
    10 Posts
    10k Views
    K

    Well, it is probably too late for you, but I thought I should share my experience with pfSense and Shrewd VPN Client.

    On the pfSense side, I simply followed the exact instruction of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0.

    On Windows7 I downloaded http://www.shrew.net/download/vpn/vpn-client-2.1.7-release.exe.

    Here are the configurations on the shrewd side,

    General
      Hostname: <the server's IP address>
      Port: 500
      Auto Configuration: ike config pull
      Address Method: Use a virtual adapter and assigned address
      MTU: Obtain automatically
    Client
      NAT Traversal: force-rfc
      NAT Traversal Port: 4500
      Keep-alive packet rate: 15/Secs
      IKE Fragmentation: enable
      Maximum package size: 540 Bytes
      Enable Dead Peer Detection
      Enable Client Login Banner
    Name Resolution
      No WINS/DNS server
    Authentication
      Local Identity
        Identification Type: Key Identifier
        Key ID String: vpnusers@example.com (or whatever you filled up for Peer identifier: User Distinguished Name when you set up pfSense server Phase1)
      Remote Identity
        Identification Type: IP Address
      Credentials
        Pre Shared Key:  aaabbbccc (or whatever you set up for Pre-Shared Key on the server side)
    Phase 1
      Exchange Type: aggressive
      DH Exchange: group 2
      Cipher Algorithm: aes
      Cipher Key Length: 128 Bits
      Hash Algorithm: sha1
      Key Life Time Limit: 86400 Secs
      Key Life Data limit: 0 KBytes
    Phase 2
      Transform Algorithm: esp-aes
      Transform Key Length: 128 Bits
      HMAC Algorithm: sha1
      PFS Exchange: disabled
      Compression Algorithm: disabled
      Key Life Time limit: 3600 Secs
      Key Life Data limit: 0 Kbytes
    Policy
      Policy Generation Level: unique
      Remote Network Resource
        0.0.0.0/0.0.0.0

    If you can verify this also works for you, it would be nice if someone could expand the Device Setup session of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 to include Shrewd client.

    Hope this helps.

    Kang Sun

  • PfSense 2.0.2 L2TP

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    M

    Also wondering when this will be available. Been looking forward to this feature as a replacement for PPTP VPN. Slightly disappointed when I learned that L2TP+IPSEC was not supported.

  • IKEv2

    Locked
    7
    0 Votes
    7 Posts
    12k Views
    jimpJ

    Mobile IPsec works with pretty much anything except Windows' built-in client. You can install the Shrew Soft client to make it work there.

    OpenVPN works with pretty much anything except iOS.

  • Dynamic DNS as My Identifier– Cannot Establish the tunnel

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    You're overcomplicating it a bit. The dynamic DNS identifier type is only needed if that end is behind NAT and can't directly see its external IP.

    Just use the dyndns hostname in the peer address on the other side, and leave all of the identifiers set to "My IP address" or "Peer IP address".

  • Mobile IPSec to multiple interfaces

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    Add multiple phase 2 entries, one for each local subnet.

    That is assuming you checked "Provide a list of networks" on the Mobile Clients setup, and you have Shrew set to Obtain the topology automatically.

  • Two subnets over vpn

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    Either one VLAN for each, or one separate physical network. Which depends on what kind of infrastructure you already have in place switch-wise. A /25 each or /24 each, doesn't really matter either way. Then firewall rules setup accordingly to isolate the networks.

  • Ipsec stop working when i moved to firebox x700

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M

    ok.. thank you.. will try…  :)

  • Amazon VPC + IPsec

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense like client vpn cisco

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mobile VPN Login Banner

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPsec Tunnel Green Local Only - No Traffic Passes

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P

    Not sure if this will help –

    But I had to add an address to ping on the other end to my configs before traffic would pass.

    Also, if you have multiple Gateways or a load share of some sort be sure the traffic is going to the right route / gateway.


  • Ipsec tunnels up but no traffic

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K

    you really need to post your vpn config for phase 1 and 2.

  • IPSec VPN to CISCO

    Locked
    11
    0 Votes
    11 Posts
    6k Views
    K

    This is the setup I have with a cisco ASA:

    Phase 1

    PSK
    Neg Mode: Main
    My ID: My IP
    Peer ID: Peer IP
    Key:….etc
    Policy Gen: Default
    Proposal: Obey
    Enc: AES 128
    Hash: SHA1
    DH: 2
    Lifetime: 28800
    NAT-T disable
    DPD Disabled

    Phase 2:

    ESP
    Enc: AES 128
    Hash: SHA1
    PFS: 2
    Lifetime: 3600

    Tunnel has been up and solid!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.