Sorry, forgot to mention the pfsense version, it's 1.2-RC4 built on Tue Jan 15 23:05:07 EST 2008

PFS key group, if that's what you mean, has been set to off on the server. I'm not sure how you set PFS on the OS X client, it's somewhat limited in options. Tried setting it to 1,2 and 5 as well, but it seemed to have no effect.

Thank  you guys.

Thanks for letting me know that Seth.

The upgrade did not help, so I decided to drop to eh command shell and run racoon with some more debugging enabled.

That showed me what the problem was immediately. I had incorrectly specified the the remote LAN as 10.0.0.1/24 not 10.0.0.0/24 Correcting this sill mistake in my configuration sorted it out.

Regards

Ben

Thanks razor2000, for the useful information that you have provided me.

I have a customer with a similar type of setup and it's working fine.  He is using roadrunner and the ip does change.  I setup dynamic DNS on his end and just up date the pf-sense end when it changes.
RC

From racoon2 recommandations:

1. Recommended system configuration
== ================================

Both NetBSD and FreeBSD have the kernel state, "net.key.blockacq_count"
  to setup the behavior how many packet the kernel will block until the
  suitable SA will be installed.  The state sometimes disturbs
  retransmission of the key exchange message.  We recommend you to set
  it to zero.

# sysctl -w net.key.blockacq_count=0

And FreeBSD also has the kernel state, "net.key.preferred_old" to use an
  old SA preferred to a new SA.  The state sometimes disturbs
  interoperability.  We recommend you to set it to zero.

# sysctl -w net.key.preferred_oldsa=0

@Blobot:

UP ! :)

Could you please send me a short description of how you mananged to get it up and running?
Thanks!

@heiko:

First, "no compression" on the nortel and please try phase 1 "28800" and phase 2 "86400".

Why shuld phase 2 last longer than phase 1? Isn't that oposit?

May I suggest you read here:

http://en.wikipedia.org/wiki/Broadcast_%28disambiguation%29

Follow the links under section "In computer networking"

1.2 is frozen.

No, that will arrive in 1.3.

I tried setting up an aggressive tunnel with sha1, des, email address identifier, and shared key all matching… setup the subnets correctly on both sides. (same settings worked perfectly on my netscreen)

I then tried main mode with the same settings as above.

I tried aggressive with 3des, md5, as well as main mode with 3des, md5 all the other settings are the same. I get the same thing every time I save the ipsec information in the log file.

Last 50 IPSEC log entries
Jan 21 11:28:29 racoon: ERROR: configuration read failed
Jan 21 11:28:29 racoon: ERROR: fatal parse failure (1 errors)
Jan 21 11:28:29 racoon: ERROR: /var/etc/racoon.conf:5: "on" syntax error
Jan 21 11:28:29 racoon: ERROR: not acceptable Identity Protection mode
Jan 21 11:28:26 racoon: ERROR: failed to process packet.
Jan 21 11:28:26 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:26 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Jan 21 11:28:26 racoon: WARNING: No ID match.
Jan 21 11:28:26 racoon: INFO: begin Aggressive mode.
Jan 21 11:28:26 racoon: [Marc Avila]: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>71.243.199.124[500]
Jan 21 11:28:25 racoon: ERROR: failed to process packet.
Jan 21 11:28:25 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:25 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:25 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Jan 21 11:28:25 racoon: INFO: begin Aggressive mode.
Jan 21 11:28:25 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>75.6.178.20[500]
Jan 21 11:28:22 racoon: ERROR: not acceptable Identity Protection mode
Jan 21 11:28:20 racoon: ERROR: failed to process packet.
Jan 21 11:28:20 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:20 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:20 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Jan 21 11:28:20 racoon: INFO: begin Aggressive mode.
Jan 21 11:28:20 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>68.238.74.36[500]
Jan 21 11:28:18 racoon: ERROR: failed to process packet.
Jan 21 11:28:18 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:18 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:18 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Jan 21 11:28:18 racoon: INFO: begin Aggressive mode.
Jan 21 11:28:18 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>66.189.169.99[500]
Jan 21 11:28:14 racoon: ERROR: not acceptable Identity Protection mode
Jan 21 11:28:10 racoon: ERROR: failed to process packet.
Jan 21 11:28:10 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:10 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:10 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Jan 21 11:28:10 racoon: INFO: begin Aggressive mode.
Jan 21 11:28:10 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>75.6.178.20[500]
Jan 21 11:28:07 racoon: ERROR: not acceptable Identity Protection mode
Jan 21 11:28:07 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 21 11:28:05 racoon: ERROR: failed to process packet.
Jan 21 11:28:05 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:05 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:05 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Jan 21 11:28:05 racoon: INFO: begin Aggressive mode.
Jan 21 11:28:05 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>68.238.74.36[500]
Jan 21 11:28:05 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 21 11:28:03 racoon: ERROR: failed to process packet.
Jan 21 11:28:03 racoon: ERROR: failed to get valid proposal.
Jan 21 11:28:03 racoon: ERROR: no suitable proposal found.
Jan 21 11:28:03 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5

Set protocol to any.
In your posted rule you have as protocol TCP.

How about is there a simple netopia ipsec to pfsense how to? I have read on forums about people getting it working with monowall so it should be about the same situation right?

Has anyone else gotten a netopia to Pfsense ipsec tunnel working?

1.2-RC4 has this problem fixed. Please upgrade.