Then you should be able to do that with IPsec in transport mode + a GRE tunnel + some routes. No idea how that would work on the Juniper side, but pfSense should handle it fine.

If and only if I understood you right.. Please see the attachment picture ;)

Ipsec.jpg
Ipsec.jpg_thumb

Got it to connect finaly with this post:
http://forum.pfsense.org/index.php/topic,32319.0.html

I added VPN Shell access to the user i was using in the IPSec config.  Now I have the iphone on a diffrent network 192.168.197.0/24 than my main network 192.168.196.0/24.  I need to figure out how to route the traffic from the 192.168.197.0/24 network to my 192.168.196.0/24 network.  This all pivots around the setting in the VPN:Ipsec:Mobile under Client configuration (mode-cfg) virtual address pool.  Provide a virtual IP address to clients.

Because you put in a different network you need a route to your lan network.  I am not sure how to make a route to the lan with pfsense(I am a cisco guy).  Almost need to setup a virtual interface and have a gateway address?  Any advice?

Attached a screenshot of the settings I have.

VPN-IPSEC-Mobile.JPG
VPN-IPSEC-Mobile.JPG_thumb

Seems i can access some HTTPS site but very very slow, the main thing i am trying to access is a Vsphere cluster but as the VPN is so slow just times out.

I have tried alot to try and get this working but in the end have just put the VPN on a £20 router for the minute back to the ASA and it now works fine!?

I don't think that our IPsec daemon supports keys like that. OpenSWAN does work with PSK mode, however.

Ok…so this config DOES actually work...I had to set my vmware adapter to 'allow promiscuous mode' (doh), now I can ping hosts on both sides.

Hope this helps anyone with a similar issue!

If you specify a keep-alive IP that's in the remote subnet (inside the remote phase 2 network), it will bring up the tunnels automatically every time.

The connect button just sends a ping on the tunnel, nothing fancy.

Hi,
Can you take a SS of both of your configs or write them out here?
Sounds like its probably a subnet thing or possibly another problem.
Also.. Are there any errors in the logs under the Status->System Logs -> IPsec section?

-E

@submicron:

Great contribution!  Sticked for posterity and to encourage everyone who has IPSEC issues to immediately PM Eureka for help :D

Thanks Submicron I had no idea this got stickied until I came here to post my "update"  8)
Sorry if anyone has had any problems with this. I found a bug today with the "General" configuration page of the ShrewSoft VPN client (on a windows 7 system). It forced me to use a 255.255.255.254 netmask to get traffic across to the remote network. Ive updated the tutorial on the site to include the "working" netmask.

-E

Did you change the "interface" to be the CARP VIP? Or did you just change the Identifier?

I have now tested it by configuring the internal PCs to VPN into the internal network and routing all traffic through it.  Without ripping the pfSense firewall out and rebuilding it as a manual FreeBSD setup, I don't know how else to fix the problem.

Great info, thank you!  :)