• IPSEC from Android ICS (Samsung S3) to pfsense 2 problem

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp
    What shows up in the IPsec log when you try to connect? What client settings are you using exactly? What error shows up on the client? Is the username and password you're using valid? (Check System > User Manager, make sure the user exists and has the IPsec dialin permission)
  • PfSense IPSec Site to Site

    Locked
    0 Votes
    3 Posts
    7k Views
    D
    @SectorNine50: Don't use "LAN subnet" on the phase 2 settings, type the address in yourself. I ran into this issue and that fixed it for me.

    That's odd … Could you please save and compare (diff file1 file2) the files /var/etc/racoon.conf /var/etc/spd.conf under both situations (when you put in "LAN subnet" and when you type the address yourself)?
  • Ipsec from one host inside LAN trouble with 2 DSL lines

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec connected but not passing traffic

    Locked
    0 Votes
    11 Posts
    21k Views
    D
    @namezero111111: I have a problem with an IPSec tunnel where after any amount of time (sometimes 20 mins, sometimes hours or days), traffic will just stop flowing even though the tunnel is up. One side will show multiple SAD entries. If I start deleting "unused" SADs, the tunnel will start working again. Obviously that isn't a solution. Here are some facts:
    - Both sides running on 2.0.1-RELEASE (amd64) built on Mon Dec 12 18:43:51 EST 2011
    - Both sides have "Prefer older SAs" in the advanced settings disabled (it used to be enabled but made no difference).
    - DPD is enabled and I tried playing with the values as well as disabling it completely
    - With DPD disabled, the tunnel stays stalled longer

    Are you still having this problem? You might also want to check the discussion at the ipsec-tools-devel list: http://marc.info/?l=ipsec-tools-devel&m=129842631426424&w=2
  • PfSense + Cisco

    Locked
    0 Votes
    3 Posts
    2k Views
    L
    Hi, about the routes, I thought the same thing, that they were created automatically… Just for the test I created a route "tunnel virtual IP ------wangw" and then the ICMP reply packets were allowed, so try it. Did you try to do some captures in the pfSense GUI when you ping your LAN and WAN from the Cisco router? It helps a lot. To check routes on the pfSense, go to the Diagnostics section, then "Routes"; you can see all the pfSense routes (manually and automatically created).
  • IPSEC TUNNEL using certificate + xauth issues

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • What am I missing (IPsec Mobile)

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT over IPSec VPN

    Locked
    0 Votes
    10 Posts
    11k Views
    J
    My idea did not work; Endian doesn't play nice when it's not the main firewall.
  • IPsec P2P with rules for non-connected networks?

    Locked
    0 Votes
    2 Posts
    2k Views
    B
    Well, I seem to have made this work… I'm not entirely sure how, though. I deleted all the SPDs on both sides, recreated the Phase 2 rules, and then sent some ICMP traffic from one side to the other, and the tunnel was built. Even though I had no connect button on either pfSense box, it still came up when traffic appeared. So, lesson learned!
  • VPN Passthrough from wired works. Not from Wireless Access Point

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PFSENSE ON VMWARE IPSEC ROUTING TROUBLE

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec tunnels passing no traffic showing green in status DPD

    Locked
    0 Votes
    5 Posts
    3k Views
    C
    PFSENSE, NANOBSD, 2.0.1. I had the same problem: the IPsec tunnel was established, all green, but no traffic goes through. When you look at the SAD (Status > IPsec > SAD), it shows me multiple connections. I think the reason is short interrupts: Phase 1 does not recognise the break and stays established, but Phase 2 opens a new connection. But this does not work. My solution: change Mode from Aggressive to Main on both sides (even with dynamic IPs).
  • RV042 to pfsense tunnel help- pfsense to pfsense works

    Locked
    0 Votes
    7 Posts
    7k Views
    J
    Thank you for your help Jimp. I rechecked PFS on the RV042 but it still didn't work. After changing and changing back a few other settings, I ended up setting both sides to Main instead of Aggressive. I was able to initiate a tunnel from the pfSense side this time and it seems to be working well now. Thanks again.
  • Having trouble with AES256 and glxsb acceleration on Alix

    Locked
    0 Votes
    7 Posts
    4k Views
    T
    FYI, AES > 128 with glxsb is not currently supported in any version of FreeBSD: http://www.freebsd.org/cgi/query-pr.cgi?pr=166508 Thanks, Todd
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • Accessing peer IP from public subnet

    Locked
    0 Votes
    2 Posts
    1k Views
    S
    I have a similar situation, thanks to the way Comcast's business modems work. When you say you are "NATed," does that mean you have a 1-to-1 NAT set up from the gateway to your pfSense box, or that the pfSense box is simply behind a NAT?
  • IPSEC from Android ICS to pfsense 2 problem

    Locked
    0 Votes
    7 Posts
    7k Views
    C
    Hi, I need help. I followed everything in the threads above, but my ICS still cannot connect to pfSense IPsec. Below is the log:

    Jul 12 08:43:45 10.10.20.1 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>36.37.233.249[23187]
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: begin Aggressive mode.
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: RFC 3947
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: DPD
    Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Selected NAT-T version: RFC 3947
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding remote and local NAT-D payloads.
    Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Hashing 36.37.233.249[23187] with algo #2 (NAT-T forced)
    Jul 12 08:43:46 10.10.20.1 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #2 (NAT-T forced)
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding xauth VID payload.
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-T: ports changed to: 36.37.233.249[24964]<->x.x.x.x[4500]
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #0 doesn't match
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #1 doesn't match
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT detected: ME PEER
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Sending Xauth request
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: ISAKMP-SA established x.x.x.x[4500]-36.37.233.249[24964] spi:e873490ee429fe8e:8d3f55d60b590232
    Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: received INITIAL-CONTACT
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Using port 0
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: login succeeded for user "test"

    Could someone help me? On the other hand, my iPhone and iPad can connect perfectly.
  • Ipsec vpn, users get predetermined ip address.

    Locked
    0 Votes
    5 Posts
    2k Views
    P
    I understand. pfSense is still super, I am loving it… Thanks.
  • Network Timeout on double VPN

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN from an iphone

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp
    Ah, ok, I misunderstood; I thought you were connecting to the VPN on the same router you were sitting behind. It's possible your firewall at work is blocking ESP or doing something else that will break ISAKMP from the iPhone. Make sure on your firewall at home you have NAT Translation forced on for IPsec, and if you can check on the work firewall, make sure it allows you to use udp/4500 outbound as well as udp/500 and ESP if it can't do NAT-T for some reason. If you are at a remote location and it works from 3G but not their wireless, there may not be anything you can do to fix their wireless if they're blocking it, especially if that blocking is done on purpose to prevent exactly what you're attempting. You could always jailbreak and run OpenVPN on a UDP or TCP port they allow out, but depending on what they pass/block through your work firewall that may or may not work either.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.