• [IPSEC] NAT/NAT-T

    Locked
    0 Votes
    2 Posts
    2k Views
    jimpJ

    NAT-T would be the way to go there, if you can. Otherwise you're almost guaranteed some kind of breakage.

    Note you also need to forward back the entire ESP protocol, not just udp/500 (and udp/4500 for NAT-T).

  • IPSEC One Way Traffic-ish (seems like a bug)

    Locked
    0 Votes
    7 Posts
    4k Views
    M

    I can confirm that the problem WAS NOT my config or PF but in fact it was the data centre config and not managed by me.

  • IPsec fails with sendto error

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Ipsec Ip Checksum Offload Error.

    Locked
    0 Votes
    2 Posts
    4k Views
    jimpJ

    Not nearly enough information there.

    Is this 1.2.3 or 2.0? Is this i386 or amd64? What kind of hardware is it? (ifconfig -a would help)

  • 2.0RC1 IPSEC SA (Phase2) Lifetime != Expiration

    Locked
    0 Votes
    5 Posts
    8k Views
    F

    I found that it doesn't matter. I have 7 pfsense routers all working perfectly now. I found that I needed to uncheck the 'Prefer Old IPsec SAs'.

  • PFSense 2.0 IPSec Configuration Instructions?

    Locked
    0 Votes
    2 Posts
    10k Views
    M

    In some places pptp, l2tp and ipsec are blocked via firewall rules; openvpn is quite hard to block, unless you block https also. Only my 2 cents.

  • IPSEC, Android 3.1

    Locked
    6
  • IOS roadwarrior configuration using IPsec?

    Locked
    0 Votes
    9 Posts
    8k Views
    P

    After a few days of testing I can say I have it running reliably now, too. I can connect with my iPad, iPhone and with the built-in Cisco IPSec client in OS X with the setup found in the previously mentioned post (http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558)

    As my effort to contribute to this becoming a wiki entry, here are the two screenshots of the firewall rules I needed to get traffic flowing after I succeeded in connecting via IPSec:

    The first screenshot is a floating rule, passing all traffic from the ipsec interface to my lan interface (which happens to be a bridge of two interfaces, so it is called LANBRIDGE, but you might wanna just use your default "LAN" interface).

    The second screenshot is the firewall rule in the ipsec tab of the firewall. I think it gets created by default, but if not, then set it up as I did, it works :)

    ![Bildschirmfoto 2011-08-05 um 11.40.11.png](/public/imported_attachments/1/Bildschirmfoto 2011-08-05 um 11.40.11.png)

  • IPSEC Tunnel spoke A accessing Spoke B through Hubsite

    Locked
    0 Votes
    4 Posts
    2k Views
    J

    Hi probie,

    Can you post the specific modifications you made to Phase 2? My boss wants to do something similar and I haven't worked much with IPSec VPNs (although my OpenVPN mesh is working quite well).

    Thanks,
    JoelC

  • Racoon only as responder

    Locked
    0 Votes
    2 Posts
    1k Views
    M

    What do you have in mind?

  • Latency on Site-to-Site VPN

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • IPSEC Tunnel up but no traffic passes

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied

  • Somebody hacking my IPsec VPN?

    Locked
    0 Votes
    2 Posts
    11k Views
    jimpJ

    Jul 8 14:02:22 racoon: [14.99.207.196] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    Jul 8 14:02:25 racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 243 from 14.99.207.196[500].
    Jul 11 21:04:21 racoon: [189.231.225.24] ERROR: unknown Informational exchange received.

    Those kinds of errors are generally indicative of a mismatch in phase 1 settings, especially Main Mode/Aggressive Mode.

    It could be someone probing for any IPsec systems out there, or just port scanning, or who knows. As long as you have lengthy PSKs (or certificates) and other such protections on IPsec, you should be fine.

  • Racoon: WARNING: unrecognized route message with rtm_type: 4

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied

  • Racoon: WARNING: unrecognized route message with rtm_type: 18

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • GRE IPSec to Cisco IOS

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied

  • Pfsense 2.0RC3 and OS X IPSec client IPSecuritas (3.5b1)

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Can pfSense work like a Cisco Easy VPN client?

    Locked
    0 Votes
    3 Posts
    2k Views
    D

    How?

  • XAuth How to?

    Locked
    0 Votes
    3 Posts
    3k Views
    E

    Thanks for the quick reply.

    The users we are authenticating with are all in group "admins." Doesn't that provide blanket permissions? We added the specific "VPN IPSec XAuth" permission (seems like a good idea); but we still have a bad auth failure.

    On a "why not?" whim we changed the client ID string used in Phase 1 to match the username provided for Xauth. That didn't help either. Still failing with bad auth.

  • Error in Phase1 INVALID_ID_INFORMATION

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.