"solved" done  :)

It's not designed that way yet. Search the forum if you need further details. This has been discussed in depth already. When using dynamic endpoints at both ends try using openVPN.

I have seen that error before when the ends of the tunnel are mismatched.  One being main and the other agressive.  I have seen it when I am first setting up the ipsec connections between symantec, linksys, & netgear boxes. RC

This is being addressed on 1.3.

@fastcon68: What VPN clients do you use for IPsec and Open VPN? Is OpenVPN a encrypted VPN solution? Take a look at the documentation on http://www.openVPN.net on how to setup an openVPN client. Reading the example file and the documentation helps to bring the client to run… http://openvpn.net/index.php/documentation/howto.html#client To your question if OpenVPN is an encrypted VPN solution. Did you even take a look at it? From your question it seems to me as if you didnt even bother to read the absolute basics about it. (Like the frontpage of http://www.openvpn.net )

Hello, i have tested the ipsec inoffcial rc5 ( Build 2008/02/15) today. I have run various tests with different builds of 1.2 beta/rcx.: Here are my results: 1. inofficial rc5 – static - main -->  1.2 rc3 – static -- carp-cluster = OK and stable 2. inofficial rc5 – static - main -->  1.2-TESTING-SNAPSHOT-07-21-2007  –static -- carp-cluster = OK and stable 3. inofficial rc5 – static - main -->  1.2 rc2 – static  = OK and stable 3. inofficial rc5 – static - main -->  1.2 rc5 –static = OK and stable 4. inofficial rc5 – static - main -->  1.2 beta 3 –static -- carp-cluster = OK and stable 5. inofficial rc5 – aggressive -- mobile -- pfs-on --> inofficial rc5 – mobile-pfsense-server -- pfs-on = OK and stable 6. inofficial rc5 – aggressive -- mobile -- pfs--off --> inofficial rc5 –mobile-pfsense-server --pfs-off = OK and stable Ok, the actually rc5(inofficial) ipsec was fast and stable….... Good Job! Greetings Heiko

sorry, under the weather.  Will try to post tonight. RC

Sorry, forgot to mention the pfsense version, it's 1.2-RC4 built on Tue Jan 15 23:05:07 EST 2008 PFS key group, if that's what you mean, has been set to off on the server. I'm not sure how you set PFS on the OS X client, it's somewhat limited in options. Tried setting it to 1,2 and 5 as well, but it seemed to have no effect.

Thank  you guys.

Thanks for letting me know that Seth.

The upgrade did not help, so I decided to drop to eh command shell and run racoon with some more debugging enabled. That showed me what the problem was immediately. I had incorrectly specified the the remote LAN as 10.0.0.1/24 not 10.0.0.0/24 Correcting this sill mistake in my configuration sorted it out. Regards Ben

Thanks razor2000, for the useful information that you have provided me.

I have a customer with a similar type of setup and it's working fine.  He is using roadrunner and the ip does change.  I setup dynamic DNS on his end and just up date the pf-sense end when it changes. RC

From racoon2 recommandations: 1. Recommended system configuration == ================================ Both NetBSD and FreeBSD have the kernel state, "net.key.blockacq_count"   to setup the behavior how many packet the kernel will block until the   suitable SA will be installed.  The state sometimes disturbs   retransmission of the key exchange message.  We recommend you to set   it to zero. # sysctl -w net.key.blockacq_count=0 And FreeBSD also has the kernel state, "net.key.preferred_old" to use an   old SA preferred to a new SA.  The state sometimes disturbs   interoperability.  We recommend you to set it to zero. # sysctl -w net.key.preferred_oldsa=0

@Blobot: UP ! :) Could you please send me a short description of how you mananged to get it up and running? Thanks!

@heiko: First, "no compression" on the nortel and please try phase 1 "28800" and phase 2 "86400". Why shuld phase 2 last longer than phase 1? Isn't that oposit?