  • IPsec disconnects without apparent reason

    Locked · 0 Votes · 4 Posts · 3k Views
    That's not the same problem. Something there is attempting to negotiate with mismatched settings.
  • iOS 6 IPsec connects but no DNS lookup. iOS 5 was fine.

    Locked · 0 Votes · 8 Posts · 7k Views
    Using 2.1-Beta1 (i386) built on Sun Dec 30 22:21:30 EST 2012. The following settings worked for me to allow access to my internal networks by name or IP and still be able to browse the web or other networks. Mobile clients tab: I made sure "Provide a list of accessible networks to clients" is checked. Tunnels tab: I had to create three phase 2 entries and then add the following in each Local Network: Network Type: 10.0.0.0/8; Network Type: 172.16.0.0/12; Network Type: 192.168.0.0/16.
  • Is pfSense capable of sending data over its own IPsec links?

    Locked · 0 Votes · 5 Posts · 3k Views
    Pity. At least now I know I can stop looking for a solution for it :) Thanks!
  • Mobile IPsec fails with glxsb and AES128

    Locked · 0 Votes · 10 Posts · 5k Views
    Thx…
  • Multiple IPsec Mobile Phase 1 (for multiple WAN interfaces)

    Locked · 0 Votes · 6 Posts · 4k Views
    jimp: Completely different animal. I had thought it would be simpler but it requires a bit of heavy lifting to make that work. That's why we chose to do the gateway group method instead of that sort of failover. Would still be nice to figure out eventually, but a bit beyond my understanding of racoon's config and how we'd have to set it all up. (Plus the other end would have to support it, too.)
  • IPsec to two different LAN networks

    Locked · 0 Votes · 3 Posts · 2k Views
    It works, thank you ;) It looks like Mikrotik supports that pretty well :) Michael
  • [HowTo] - Windows IPsec VPN without 3rd party IPsec client

    Locked · 0 Votes · 5 Posts · 13k Views
    Is this a TYPO or do the Windows 7 versions not support this?? You need Windows Vista or Windows 2008 or later. TIA –
  • IPsec between pfSense 2.0 and Watchguard XTM

    Locked · 0 Votes · 5 Posts · 3k Views
    Thanks Jimp. Unfortunately I don't have a crypto / accelerator card in the pfSense machine. It's a Dual Core HP XW4600 workstation with a DLINK DFE570TX card for the WAN / LAN. I have tried just about every configuration I can think of, have remotely controlled the Watchguard and checked; the settings are identical in every way. I can never get past that last message. I have successfully set up an IPsec VPN tunnel between this box and a couple of Draytek Vigor boxes, just can't get the Watchguard Firebox to talk. If there is someone out there in the UK that has done this I would be more than happy to pay them to sort this out. I just need to get it up and running, else face having to split my network out with a router in front of pfSense and have the client drop their own Watchguard box into the mix. Thanks Graham
  • IPsec VPN and DHCP Relay

    Locked · 0 Votes · 1 Posts · 2k Views
    No one has replied
  • IPsec NAT-T does not work for iPad

    Locked · 0 Votes · 3 Posts · 3k Views
    Yesterday I set up my iPad to our 2.01 and I can log in to our office. But I can't exchange a single packet with the LAN… This is what I see in the IPsec log:

    Dec 19 09:50:35 racoon: ERROR: pfkey ADD failed: Invalid argument
    Dec 19 09:50:35 racoon: ERROR: pfkey UPDATE failed: Invalid argument
    Dec 19 09:50:35 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Dec 19 09:50:35 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Dec 19 09:50:35 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 10.10.115.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Dec 19 09:50:35 racoon: [Self]: INFO: respond new phase 2 negotiation: XXX.91.YY.41[4500]<=>80.187.106.225[26197]
    Dec 19 09:50:34 racoon: WARNING: Ignored attribute 28683
    Dec 19 09:50:34 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Dec 19 09:50:32 racoon: INFO: login succeeded for user "mirco"
    Dec 19 09:50:32 racoon: INFO: Using port 0
    Dec 19 09:50:20 racoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2
    Dec 19 09:50:20 racoon: INFO: Sending Xauth request
    Dec 19 09:50:20 racoon: INFO: NAT detected: ME PEER
    Dec 19 09:50:20 racoon: [80.187.106.225] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Dec 19 09:50:20 racoon: INFO: NAT-D payload #1 doesn't match
    Dec 19 09:50:20 racoon: INFO: NAT-D payload #0 doesn't match
    Dec 19 09:50:20 racoon: [Self]: INFO: NAT-T: ports changed to: 80.187.106.225[26197]<->XXX.91.YY.41[4500]
    Dec 19 09:50:19 racoon: INFO: Adding xauth VID payload.
    Dec 19 09:50:19 racoon: [Self]: [XXX.91.YY.41] INFO: Hashing XXX.91.YY.41[500] with algo #2 (NAT-T forced)
    Dec 19 09:50:19 racoon: [80.187.106.225] INFO: Hashing 80.187.106.225[500] with algo #2 (NAT-T forced)
    Dec 19 09:50:19 racoon: INFO: Adding remote and local NAT-D payloads.
    Dec 19 09:50:19 racoon: [80.187.106.225] INFO: Selected NAT-T version: RFC 3947
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: DPD
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: RFC 3947
    Dec 19 09:50:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 19 09:50:19 racoon: INFO: begin Aggressive mode.
    Dec 19 09:50:19 racoon: [Self]: INFO: respond new phase 1 negotiation: XXX.91.YY.41[500]<=>80.187.106.225[500]
    Dec 19 09:49:58 racoon: INFO: Released port 0
    Dec 19 09:49:58 racoon: [Self]: INFO: ISAKMP-SA deleted XXX.91.YY.41[4500]-192.168.115.253[4500] spi:4eeff2d9004bf1d5:d1a4149da651122f
    Dec 19 09:49:58 racoon: INFO: deleting a generated policy.
    Dec 19 09:49:58 racoon: INFO: purged ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.
    Dec 19 09:49:58 racoon: INFO: purging ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.

    And the filter log only recognises my iPad because our Zarafa Server is trying to access it on the old external 3G IP. When trying to test the connection by accessing an internal Webserver by IP all I get is a timeout… And yes, I've set up an any<>any rule for the IPsec interface!
    Greetz Mircsicz
    Edit: I followed this Doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 and as I'm on an ALIX I suffer from the glxsb driver prob from this thread: http://forum.pfsense.org/index.php/topic,56289.0.html so after disabling glxsb it works as expected...
  • IPsec connection working, no internet

    Locked · 0 Votes · 1 Posts · 963 Views
    No one has replied
  • IPsec routing or NAT problem with VIP alias

    Locked · 0 Votes · 10 Posts · 4k Views
    I did a packet analysis using the Pfs captured packets on the IPsec tunnel interface and Wireshark and came to the conclusion packets were lost due to different MSS settings at the Pfs and the remote location. The MSS settings on the remote location appeared to be 1400 and my MSS is 1460. Changed the MSS settings on the Pfs LAN interface also to 1400 and now I'm able to browse the remote http page. So problem solved!
  • Can't make L2TP gateway work

    Locked · 0 Votes · 1 Posts · 994 Views
    No one has replied
  • IPsec Mobile Internet access but no Intranet.

    Locked · 0 Votes · 1 Posts · 1k Views
    No one has replied
  • Racoon: ERROR: /var/etc/ipsec/racoon.conf:22: "/;" syntax error

    Locked · 0 Votes · 7 Posts · 4k Views
    Spookje: Sorry for the late reply, I was out of commission for a bit… thanks jimp, that did fix it...
  • SAD Out Of Sync w/ Multiple SAD After Cisco RV082 reboot - 1.2.3

    Locked · 0 Votes · 7 Posts · 3k Views
    @lsens: How did you solve this problem? I have a similar one with another Cisco Firewall and 2.0.1. I fixed it by getting rid of my Cisco devices and deploying pfSense. I got tired of the issues I kept seeing with Cisco's supposed "great" equipment. Found a couple spare boxes, threw in some NICs and all my sites are stable.
  • IPsec with pfBlocker not working?

    Locked · 0 Votes · 1 Posts · 1k Views
    No one has replied
  • Assign static IPs to mobile IPsec Clients

    Locked · 0 Votes · 2 Posts · 3k Views
    jimp: It's not possible to assign them static from the server in that way for mobile IPsec.
  • Routing to IPsec addresses…

    Locked · 0 Votes · 4 Posts · 2k Views
    jimp: Yes. IPsec always has to match up on both ends.
  • Another IPsec Routing Question - SOLVED

    Locked · 0 Votes · 5 Posts · 3k Views
    @dhatz: I'm not sure it's needed to go that route, if you have a relatively "simple" VPN topology. In my case my wonky proxy settings were misdirecting traffic. Otherwise my IPsec tunnels just work (though individual computers sometimes need new static routes). I like the info in your link. The GRE network would give me Tunnel IPs that I could use for a static route gateway. OpenVPN gives me that too but not IPsec tunnels. Appreciated.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.