like i said, many providers and home routers are blocking esp-traffic, therefore nat-traversal could be a solution. since many networks like hotels, etc.. doesnt allow any traffic appart from http(s) via a proxy, even nat-t would fail. i know of a company which does ipsec over https, like you could do openvpn over https, encapsulating the payload in a ssl-header for avoiding these problems, but how this works exactly, i have no idea.. Glad that's running for you..

Thanks for the tip, that did the trick!  :D

@szop please be aware that by enabling "Provide a list of accessible networks to clients" you do lose your default route trough your tunnel and all of your traffic apart from the traffic eventually defined in the phase 2 local subnet will NOT be sent trough your tunnel.

ok.. maybe that will work. but what is with my iOS devices? For them i have to use PSK + XAuth. And this isn´t possible with a second phase 1  :( i forgot to say that i´m using the latest 2.0 RC1 build. edit: ok, now i´m using only PSK´s +Xauth for the roadwarrior connections and it´s working like a charme with greenbow and iOS devices :)

As a follow-up to my own post… By enabling the " Prefer old IPsec SAs " my problem has been resolved. The IPSec connection still tries for multiple SAD entries but falls back to the proper number, two. This config option can be found, in version 1.2.3, in the System menu, under Advanced, in the Miscellaneous config options. Jason

Thank you, it worked!

No under Firewall>Rules, IPsec tab.

Yes, several times. Just make sure the settings match up.

DPD off on the 2.0 side doesn't appear to have made any change for us.

That would do it. :-)

Did you choose the CRL on the OpenVPN server config page? If you make a CRL under the Cert Manager, you still have to tell the OpenVPN instance to use it.

Yeah, that is saying sort of what I said but in a lot more detail. :-) Adding that to pfSense has been discussed, but it's too much work to make it into 2.0.

There will be a manual to set up ipsec with an iPhone and pfsense 2.0 soon, I hope. In the meantime, your best option is using OpenVPN with the OpenVPN export wizard package and Viscosity as OpenVPN client on OS X, as it works flawlessly.

If you're just NATing all that traffic to one IP within the local subnet, and the traffic matches the SPD before NAT, then you can use outbound NAT on IPsec if using 2.0. Otherwise there has never been a way to accommodate that short of doing the NAT on a different system.

same normal tunnel not working for me since upgrade 2.0 RC1,i have to downgrade to 1.2.3

Then you should be able to do that with IPsec in transport mode + a GRE tunnel + some routes. No idea how that would work on the Juniper side, but pfSense should handle it fine.