• IPSEC tunnel failover in multi wan configurations possible?

    Locked | 0 Votes | 4 Posts | 2k Views | jimpJ
    There is an open feature request ticket: http://redmine.pfsense.org/issues/1965 But there are no specific plans to make it happen in the near future. Unless someone submits a working patch, it's unlikely to be added in 2.1 at this point.
  • IPSEC to work with multiple VLANS

    Locked | 0 Votes | 1 Post | 1k Views | No one has replied
  • IPSec tunnel up but can't access networks other than routers SOLVED

    Locked | 0 Votes | 2 Posts | 3k Views | H
    Solved it by adding a Virtual IP (Proxy ARP) in pfsense on the LAN interface for the remote side network!
  • OSPF+GRE+CARP+IPSEC

    Locked | 0 Votes | 1 Post | 1k Views | No one has replied
  • Site to Site Tunnel with MultiWan access on both sides

    Locked | 0 Votes | 4 Posts | 2k Views | jimpJ
    If you can get the dyndns IP to follow the "active" wan then yes that would work.
  • IPSEC pfSense to Checkpoint FW - only access one way

    Locked | 0 Votes | 3 Posts | 5k Views | F
    @fsaltan: Hi all, I have a similar problem. I set up an IPsec VPN with pfSense and Checkpoint NGX R75.20, but I can't bring up the VPN connection. You can see my configuration below. [image: Capture1.jpg] [image: Capture2.jpg] And my IPsec logs are like below: [image: Capture3.jpg] How can I solve this problem?
  • How can I downgrade ipsec-tools to version 0.7.2 in pfSense 2

    Locked | 0 Votes | 4 Posts | 2k Views | D
    ipsec-tools 0.7.2 is quite old. There have been a number of patches committed to ipsec-tools CVS since the release of ipsec-tools 0.8.0 a year ago, which may address the issues folks are seeing. The ipsec-tools repository is hosted at NetBSD: http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/crypto/dist/ipsec-tools/ and the latest sources come from the CVS repository: cvs -d anoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools If anyone is considering building it for beta-testing, he should also apply any pfSense-specific patches: https://github.com/bsdperimeter/pfsense-tools/tree/master/pfPorts/ipsec-tools-devel
  • PfSense -> Cisco WRVS4400N

    Locked | 0 Votes | 4 Posts | 3k Views | F
    I've checked out the bug reports and haven't found any information that helped. I've also been through the recommendations listed on http://forum.pfsense.org/index.php?topic=46917.0. Still haven't found anything that works. While digging around and trying out different settings I have noticed a couple of other things, though. When I tell the Cisco wireless router to connect it shows a status of up. I can see the connection initialized in the IPsec logs on my pfSense box. But if I look in my state table I don't see the client listed as I do with my other VPN tunnels that are working. Also, when looking under the system logs I see the following error: "php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Mobile Client Access'".
  • Overlapping networks on the remote site

    Locked | 0 Votes | 2 Posts | 1k Views | D
    Generally speaking one option to resolve addressing conflicts would be to NAT before VPN.
  • IPSec VPN help

    Locked | 0 Votes | 1 Post | 1k Views | No one has replied
  • Pfsense with Cisco 042 behind Sonicwall Router

    Locked | 0 Votes | 2 Posts | 2k Views | A
    Post 'sainfo' section from your /var/etc/racoon.conf
  • IOS + RSA + xauth

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    D
    According to a comment here, it works using ipsec-tools 0.8 and iOS 4 (his config is for Debian wheezy). Note: the original comment is in German.

    Harry Comp says: 13 November 2011 at 14:06
    Hello and thanks for the info. Unfortunately, essential parts about Racoon and network planning are missing here on the Internet. The CA part is also missing for me. For info, just send an email. I have a running instance and can only say that it was a long road to get there. The Enterprise Guide already gives some hints regarding certificate handling. That much can be said.
    Racoon: CA and CRL handling is missing. In the dir /etc/racoon/certs:
        CA:  ln -s ca.crt `openssl x509 -noout -subject_hash -in ca.crt`.0
        CRL: ln -s crl.pem `openssl crl -noout -hash -in crl.pem`.r0
    The host key must not contain a password (xca asks for one on export). Otherwise: openssl rsa -in host.key -out host.key.decr, then mv host.key.decr host.key (in the dir /etc/racoon/certs).
    What else must be in the certs dir: ca.crt, host.crt, host.key, crl.pem, client key+crt (all clients).
    For cert handling I use xca (Debian package); racoon version 0.8.x (Debian wheezy). Regarding xca: for Issuer and CA please specify DNS:host.domain.com; the DNS name should be resolvable (see Enterprise Integration Guide). iPhone with iOS 4+ can only do AES 256 any more.

    Working demo config:
        path pre_shared_key "/etc/racoon/psk.txt";
        path certificate "/etc/racoon/certs";
        log info;
        listen {
            isakmp 192.168.200.1 [500];          # IP of gentoo box
            isakmp_natt 192.168.200.1 [4500];
            adminsock disabled;
        }
        remote anonymous {
            exchange_mode main,aggressive;
            my_identifier asn1dn;
            verify_identifier on;
            certificate_type x509 "host.crt" "host.key";
            ike_frag on;                         # use IKE fragmentation
            proposal_check claim;
            passive on;
            support_proxy on;
            generate_policy on;                  # automatically generate IPsec policies
            nat_traversal force;                 # always use NAT-T
            dpd_delay 20;                        # DPD poll every 20 seconds
            proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_rsa_server;
                dh_group 5;
            }
        }
        sainfo anonymous {
            lifetime time 1 hour;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
        }
        mode_cfg {
            auth_source pam;                     # validate logins against PAM
            pool_size 20;                        # size of the VPN IP pool: 254 addresses
            network4 192.168.1.100;              # 1st address of VPN IPv4 pool
            netmask4 255.255.255.0;
            dns4 192.168.1.1;                    # IPv4 DNS server
            default_domain "domain.com";
            banner "/etc/racoon/motd";
            pfs_group 2;
        }

    Firewall arno-iptables-firewall:
        /etc/arno-iptables-firewall/plugins/ipsec-vpn.conf
        ENABLED=1
        IPSEC_VPN_NETS="0/0"
        IPSEC_ALLOWED_HOSTS="0/0"
        IPSEC_NAT_TRAVERSAL=1

        /etc/arno-iptables-firewall/debconf.cfg (excerpt)
        DC_INT_IF="eth0"                         # (LAN)
        DC_EXT_IF="eth2"                         # INTERNET INTERFACE (192.168.200.0/24)
        DC_INTERNAL_NET="192.168.1.0/24"
        DC_NAT_INTERNAL_NET="192.168.1.0/24"

    iPhone: configuration tool: VPN (CISCO). HOSTNAME: hostname as in the cert DNS. Account: fill in or not (as you like). Device auth: cert. Import the cert (export the client certificate from xca as p12 beforehand, without the cert chain!!!!). Assign a password (in the config tool -> cert, also store the password for the export). Enable On Demand if needed (see Enterprise Guide page 36 for options). Hosts are matched from right to left, so example.com also matches test.intern.example.com. Proxy: as you like.
    ATTENTION!!!!! (CA part, before the profile is loaded onto the iPhone.) Provide the CA cert on a web server. On the iPhone, browse to the site via Safari, e.g. http://example.com/ca.crt, then install it. A second profile then appears in the config tool (under Devices). After that the VPN profile can be loaded onto the iPhone. With that, the iPhone trusts your client cert. Then browse to a page that matches in On Demand. Simply create username/password on the host (via PAM; cp /etc/pam.d/sshd /etc/pam.d/racoon). Then it just works. Many thanks for your guide. It put me on the right track. Ciao Comp
  • Site2site tunnel between pf2.0.1 and linksys

    Locked | 0 Votes | 4 Posts | 3k Views | J
    Hi, don't know which one did the trick. Tried a few things and all of a sudden the tunnel is up and running. Thanks.
  • HELP: Tunnel (IPSec site2site) crashes

    Locked | 0 Votes | 2 Posts | 2k Views | T
    Found one wrong setting in Advanced ("Prefer older SAs"). The tunnel itself stays up now (I can ping all the time), but the log nevertheless doesn't look good:
    Mar 6 13:36:52 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
    Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=822348144(0x31040970)
    Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251902539(0xf03ba4b)
    Mar 6 13:35:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:32:12 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
    Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
    Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171853136(0xa3e4550)
    Mar 6 13:30:43 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:28:56 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
    Mar 6 13:28:56 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
    Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
    Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=92006427(0x57be81b)
    Mar 6 13:27:52 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:25:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
    Mar 6 13:25:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=94974923(0x5a933cb)
    Mar 6 13:25:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:19:44 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
    Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
    Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=246440033(0xeb06061)
    Mar 6 13:19:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:18:46 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
    Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
    Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=73550287(0x46249cf)
    Mar 6 13:18:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:16:43 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=621059908(0x25049f44)
    Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
    Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=182947104(0xae78d20)
    Mar 6 13:15:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Any idea? Both sides work with static IPs - I say this because the error in line 1 looks like I try to connect to a dynamic IP address… Thanks for ANY help! Best regards, Thorsten
  • Remote Access with Cisco VPN Client Fails after much research

    Locked | 0 Votes | 3 Posts | 2k Views | D
    It would have been most interesting to thoroughly troubleshoot this issue, since the Cisco VPN Client is so widely deployed. With regard to the "no reply" comment, you can't expect too much over a weekend …
  • IOS + IPsec works - but no access to other tunnel

    Locked | 0 Votes | 4 Posts | 2k Views | T
    No, on the other tunnel I did not. Now it works like a charm on all the other tunnels! Thank you very much for your help!
  • Can IPsec have a primary and a failover Tunnel?

    Locked | 0 Votes | 3 Posts | 1k Views | J
    Thanks for the response. Sure would be nice to have this feature.
  • SOLVED - failed to begin ipsec sa negotiation

    Locked | 0 Votes | 1 Post | 12k Views | No one has replied
  • No internet access from remote site of VPN tunnel

    Locked | 0 Votes | 1 Post | 1k Views | No one has replied
  • Shrew client drops out

    Locked | 0 Votes | 6 Posts | 2k Views | M
    If you check with ipconfig after connecting the VPN, what IP address do you see for the DNS server? Is it the same one you use on your remote end? And can you ping that server? Can you connect to it with nslookup?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.