System > User Manager, add a user, save, edit user, add xauth dialin permission.

Anybody have any thoughts on this?  I can certainly provide more information if needed.

This php may help you on it.

https://200.x.x.x:8443/diag_ipsec.php?act=connect&remoteid=10.0.16.0&source=172.28.1.1

To run it on shell, do with php -q

hi,

have you made progress on this topic?

thanks anyway :)

@podilarius:

Except for the DLink, it sounds ideal. Have you run memtest on the machine to make sure memory is good?

Hi Podilarius,

maybe the d-link is not an ideal choice - I agree No, I did not check the memory, nor the hard drive. It really sounds like a bug to me but I'll do the test one of those days.

@firl:

Anyone know if it is possible to have the pfsense box become an ipsec client for a username / password combo ( xauth ) to a cisco vpn server?

You can try to add cisco vpn client via pkg_add and configure it.

That's up to the Android version running on your phone and the modification that your cell phone provider has made to it.

My Droid X on Verizon running Gingerbread has Advanced IPsec VPN (I wrote that doc), but many others do not.

I'm not sure if any of the alternate firmwares like cyanogenmod include it or not, one would hope they do.

It finally works as I want to.  Know why people keep trying for days.  There are some key issues missing on faq / doc / tutorial.

PFSense mobile ipsec vpn setup is somewhat like server and client and it suggest using aggressive mode due to unknown client ip.  But some other doc said aggressive mode does some plaintext communication.  I cannot totally understand but my setting below works in main mode:

IPCop settings towards the tutorial server side.  It doesn't matter there is no separate setup page for mobile client and pre-shared keys.

PFSense setting as client.  PSK in tunnel phase 1 page, that is sufficient.

IPCop's ID example is @domain that is key difference with PFSense that can be user define.  However in PFSense putting @domain with define as dist.name simply cannot save settings.  Username is ok, but racoon/PFsense somewhat looking for IPs when in main mode.  So type define as non-IP is somewhat broken there.  It looks impossible to re-setup the IP/ID  every time as dynamic.  Finally comparing IPCop with PFSense - the ID can be user define like shared keys.  Fixed fake IP address there finally works.

Pluto/IPCop just send ID field no matter what's in it, but racoon needs IP-like string no matter type is defined in the setup page.

Some help on web says PFsense need another rules aloow * * for the IPSec tunnel and IPCop automatically fix the route table.  I try deleting that and it still works.

Hi, I see this good document on "How to set up IPsec tunneling in PfSense 2.0-RELEASE for road warriors".
I just want to use RSA-signature and not PSK (pre-shared key). In this case, seek 1 tutorial on: How to set up IPsec tunneling in PfSense 2.0-RELEASE (or PfSense 1.2.3)  for road warriors using RSA-signature.
Regards !

I hope everyone follows my example and posts solutions to frustrating problems they encounter like I am doing (even if they do not receive any help). To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfsense is at both ends in my scenario).

This might be my issue as well, I'm running a CARP setup with a pre-existing IPSec VPN and would need to connect to that using PPTP and then access resources across the IPSec VPN. Doesn't work for me either, never thought it might be CARP-related.

Hi dhatz,

That's what I'm trying to do also. Although I'm able to ping all hosts, I've an issue when I try to access a webpage. See my other post : http://forum.pfsense.org/index.php/topic,41522.0.html.

Feel free to ask question about the conf if you need help.

I think that the following link is the answer for my problem in freebsd but how to do it in pfsense ?
http://www.mail-archive.com/misc@openbsd.org/msg80590.html

Stephane

Any chance we could get some status on this issue? This is a huge feature to have.

Thanks  :-*