• IPSEC ShrewSoft VPN Woes

    Locked · 10 posts · 0 votes · 10k views
    Well, it is probably too late for you, but I thought I should share my experience with pfSense and Shrew VPN Client. On the pfSense side, I simply followed the exact instruction of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. On Windows 7 I downloaded http://www.shrew.net/download/vpn/vpn-client-2.1.7-release.exe. Here are the configurations on the Shrew side:
    General
      Hostname: <the server's IP address>
      Port: 500
      Auto Configuration: ike config pull
      Address Method: Use a virtual adapter and assigned address
      MTU: Obtain automatically
    Client
      NAT Traversal: force-rfc
      NAT Traversal Port: 4500
      Keep-alive packet rate: 15/Secs
      IKE Fragmentation: enable
      Maximum package size: 540 Bytes
      Enable Dead Peer Detection
      Enable Client Login Banner
    Name Resolution
      No WINS/DNS server
    Authentication
      Local Identity
        Identification Type: Key Identifier
        Key ID String: vpnusers@example.com (or whatever you filled up for Peer identifier: User Distinguished Name when you set up pfSense server Phase 1)
      Remote Identity
        Identification Type: IP Address
      Credentials
        Pre Shared Key: aaabbbccc (or whatever you set up for Pre-Shared Key on the server side)
    Phase 1
      Exchange Type: aggressive
      DH Exchange: group 2
      Cipher Algorithm: aes
      Cipher Key Length: 128 Bits
      Hash Algorithm: sha1
      Key Life Time Limit: 86400 Secs
      Key Life Data limit: 0 KBytes
    Phase 2
      Transform Algorithm: esp-aes
      Transform Key Length: 128 Bits
      HMAC Algorithm: sha1
      PFS Exchange: disabled
      Compression Algorithm: disabled
      Key Life Time limit: 3600 Secs
      Key Life Data limit: 0 Kbytes
    Policy
      Policy Generation Level: unique
      Remote Network Resource: 0.0.0.0/0.0.0.0
    If you can verify this also works for you, it would be nice if someone could expand the Device Setup section of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 to include the Shrew client. Hope this helps. Kang Sun
  • PfSense 2.0.2 L2TP

    Locked · 6 posts · 0 votes · 4k views
    Also wondering when this will be available. Been looking forward to this feature as a replacement for PPTP VPN. Slightly disappointed when I learned that L2TP+IPSEC was not supported.
  • IKEv2

    Locked · 7 posts · 0 votes · 12k views
    jimp: Mobile IPsec works with pretty much anything except Windows' built-in client. You can install the Shrew Soft client to make it work there. OpenVPN works with pretty much anything except iOS.
  • Dynamic DNS as My Identifier – Cannot Establish the tunnel

    Locked · 3 posts · 0 votes · 3k views
    jimp: You're overcomplicating it a bit. The dynamic DNS identifier type is only needed if that end is behind NAT and can't directly see its external IP. Just use the dyndns hostname in the peer address on the other side, and leave all of the identifiers set to "My IP address" or "Peer IP address".
  • Mobile IPSec to multiple interfaces

    Locked · 2 posts · 0 votes · 2k views
    jimp: Add multiple phase 2 entries, one for each local subnet. That is assuming you checked "Provide a list of networks" on the Mobile Clients setup, and you have Shrew set to Obtain the topology automatically.
  • Two subnets over vpn

    Locked · 2 posts · 0 votes · 1k views
    Either one VLAN for each, or one separate physical network. Which depends on what kind of infrastructure you already have in place switch-wise. A /25 each or /24 each, doesn't really matter either way. Then set up firewall rules accordingly to isolate the networks.
  • IPsec stops working when I moved to Firebox X700

    Locked · 3 posts · 0 votes · 1k views
    Ok.. thank you.. will try… :)
  • Amazon VPC + IPsec

    Locked · 1 post · 0 votes · 1k views · no one has replied
  • Pfsense like client vpn cisco

    Locked · 1 post · 0 votes · 1k views · no one has replied
  • Mobile VPN Login Banner

    Locked · 1 post · 0 votes · 1k views · no one has replied
  • IPsec Tunnel Green Local Only - No Traffic Passes

    Locked · 3 posts · 0 votes · 2k views
    Not sure if this will help – but I had to add an address to ping on the other end to my configs before traffic would pass. Also, if you have multiple gateways or a load share of some sort, be sure the traffic is going to the right route / gateway.
  • Ipsec tunnels up but no traffic

    Locked · 2 posts · 0 votes · 2k views
    You really need to post your VPN config for phase 1 and 2.
  • IPSec VPN to CISCO

    Locked · 11 posts · 0 votes · 7k views
    This is the setup I have with a Cisco ASA:
    Phase 1
      PSK
      Neg Mode: Main
      My ID: My IP
      Peer ID: Peer IP
      Key: ….etc
      Policy Gen: Default
      Proposal: Obey
      Enc: AES 128
      Hash: SHA1
      DH: 2
      Lifetime: 28800
      NAT-T: disable
      DPD: Disabled
    Phase 2
      ESP
      Enc: AES 128
      Hash: SHA1
      PFS: 2
      Lifetime: 3600
    Tunnel has been up and solid!
  • IPSec Road Warrior re-authentication interval

    Locked · 8 posts · 0 votes · 4k views
    From the reading I've been doing this has to do with the way Apple has OS X set up. They require that the IPSec server specify that the client doesn't need to attempt reauthentication when rekeying. I'm guessing that the devs would have to patch racoon to do this, since I don't think it has this functionality by default.
  • Mobile IPsec can't pass any traffic…

    Locked · 1 post · 0 votes · 1k views · no one has replied
  • Reset racoon command line

    Locked · 6 posts · 0 votes · 4k views
    I too would like to restart racoon with cron every day. Since racoon doesn't appear to be able to restart itself once it stops, I need to be able to have a cron job start/restart it at a specific time each day. None of the examples of starting or restarting racoon from the command line that I've searched for seem to actually work on pfSense version 2.0.1 release. Is there a parameter somewhere that will tell racoon to automatically restart if it is stopped?
  • NAT-D payload #1 doesn't match? (but is working OK…?)

    Locked · 1 post · 0 votes · 6k views · no one has replied
  • Help finding 1 pfsense vpn mode for all x86/x64 Windows Vista+ boxen

    Locked · 5 posts · 0 votes · 2k views
    jimp: I had issues with their x64 versions as well. I had planned on including a 2.3 beta x64 build in the exporter (the code is actually all there, and the client binary too), but their installer didn't actually function properly. It would give registry errors and/or fail to import the config. But the 32-bit works great.
  • Slow VPN - IPSec, PPTP, OpenVPN

    Locked · 2 posts · 0 votes · 3k views
    jimp: Could be an MTU issue. Under System > Advanced on the Misc tab, try setting up MSS clamping for VPNs there; try something low-ish like 1400.
  • VPN NAT IPSEC

    Locked · 8 posts · 0 votes · 3k views
    It's quite understandable. After all, 2.0.2 is finished (apparently it has been for the past 3 months ;-) but so far some last-minute issues have delayed its official release), whereas the NAT before IPsec functionality is totally new; it has just been introduced and it's not even part of stock FreeBSD.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.