• Mobile clients: Phase2 PFS Group influences to ALL IPSEC tunnels

    Locked
    0 Votes
    3 Posts
    3k Views
    Thanks, I had the same problem that all other tunnels (with different phase 2 settings) no longer worked in phase 2. Disabling the global setting "Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )" in the mobile clients tab has solved it.
  • Selectively routing traffic across IPSEC Tunnel

    Locked
    0 Votes
    3 Posts
    2k Views
    If I may offer a suggestion: In this case just go with OpenVPN. The other options they offer (PPTP, L2TP/IPsec etc) are meant for those using their PCs to connect and prefer not to install 3rd party VPN tools.
  • Host to host in site to site vpn

    Locked
    0 Votes
    2 Posts
    1k Views
    Just do address to address on the phase 2.
  • Unable to login to PFSense Webconfig after IPSec setup.

    Locked
    0 Votes
    2 Posts
    1k Views
    Running "killall racoon" at a command prompt should flush the SPD and leave you able to get back in. At least until something gets touched that restarts it, but if you go straight to the IPsec page and delete or fix the wrong entry and save, you should be good.
  • Access to port 80 over ipsec

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site to Site IPSEC - Please Help

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • New WAN IP configured and getting "Remote Side not responding" error

    Locked
    0 Votes
    2 Posts
    2k Views
    Packet capture on WAN on both sides filtering on port 500. You probably don't have connectivity in one direction for some reason, like if it's a Comcast business cable modem, those usually enable firewalls within the modem by default that would block IPsec inbound from the Internet.
  • Accessing webinterface through ipsec tunnel

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec Tunnel UP (green) - But cannot ping internal networks

    Locked
    0 Votes
    5 Posts
    7k Views
    Hey Brian, I've got a similar issue, though mine seems to be the inverse of yours. I can ping hosts from PFSense, but PFSense is refusing to send logs over the tunnel, and I can only ping in one direction, not the other. When I ping an internal host from my data center, it tries to be sent out the WAN hole instead of going across the Tunnel. Do you have any bright ideas on this, seeing as you managed to figure your issue out? My thread is here - http://forum.pfsense.org/index.php/topic,55900.0.html
  • 0 Votes
    23 Posts
    41k Views
    For whatever reason, racoon segfaults when I run RSA+Xauth after the client sends back the XAUTH_USER_PASSWORD. This doesn't happen with PSK+Xauth oddly. >:(
  • I need clarification about roadwarrior ipsec accounts.

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Outlook/Thunderbird Stalling

    Locked
    0 Votes
    4 Posts
    2k Views
    System -> Advanced Misc. Turn on MSS to limit the VPN traffic to 1400 (leave blank for this value). Fixed my issue. W00h00 :O)
  • Sasyncd status?

    Locked
    0 Votes
    5 Posts
    2k Views
    The problem with it is the unsupported synchronization of the replay counter in FreeBSD.
  • How to choose outgoing IP for local traffic to ipsec tunnel?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mobile Clients different rights

    Locked
    0 Votes
    3 Posts
    2k Views
    I see… is there any quick and good guide about that? I tried also to make shrew client connect to a NOT-Mobile_clients tunnel to solve my problem, but I can't succeed. Is this possible in any way? I tried many configurations, and I can actually connect, but I always get this: racoon: ERROR: failed to get sainfo. racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1). So the problem should be about local and remote network. I set up a fixed address in shrew client and put the same as remote network and the pfsense lan subnet as local network. I'd like to know if I'm just wasting my time and should try openvpn or if I could solve it. Thanks!
  • Ipsec vpn problem

    Locked
    0 Votes
    4 Posts
    2k Views
    @cmb: Seems you're probably better off posting in the Turkish board, what you posted doesn't make much sense in English and the users on that board can probably help better than us English speakers are able to. http://forum.pfsense.org/index.php/board,47.0.html What you're showing there is just the normal startup log, if that's all you have in your log, nothing is trying to initiate traffic that matches your configured IPsec
    Buddy, I already solved it, but thank you anyway for your help.
  • Racoon PAM + google authenticator

    Locked
    0 Votes
    3 Posts
    3k Views
    this is great!!! I hope this gets included as an option for ipsec clients!
  • IPSec VPN

    Locked
    0 Votes
    2 Posts
    2k Views
    http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
  • IPSec Site to Site - pfSense 2.01 <> m0n0wall

    Locked
    0 Votes
    4 Posts
    2k Views
    It's almost the exact same config screens, match your settings appropriately as explained in the link above, configure rules on IPsec as desired, and that's all there is to it.
  • Ipsec vpn to mikrotik

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.