Great work!  Can you submit this to freebsd-net@freebsd.org as well for comments / directions from the community on how we can get this commited to the official FreeBSD tree? Thanks for all the work on this!

OK, sorry, yes, mobile clients are working  not in main mode…..

I've been trying to get a tunnel up between pfsense and ipcop and am also getting the same message in my ipsec logs. Any ideas? IPSEC Log Dec 7 16:32:44 racoon: INFO: unsupported PF_KEY message REGISTER Dec 7 16:32:44 racoon: INFO: fe80::200:e8ff:fe12:ba22%dc0[500] used as isakmp port (fd=19) Dec 7 16:32:44 racoon: [Self]: INFO: 85.189.247.234[500] used as isakmp port (fd=18) Dec 7 16:32:44 racoon: [Self]: INFO: 172.31.15.8[500] used as isakmp port (fd=17) Dec 7 16:32:44 racoon: INFO: fe80::202:a5ff:fecc:7d08%fxp0[500] used as isakmp port (fd=16) Dec 7 16:32:44 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15) Dec 7 16:32:44 racoon: INFO: ::1[500] used as isakmp port (fd=14) Dec 7 16:32:44 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13) Dec 7 16:32:44 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) Dec 7 16:32:44 racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net) /var/etc/racoon.conf: path pre_shared_key "/var/etc/psk.txt"; path certificate  "/var/etc"; remote 80.177.152.212 {         exchange_mode main;         my_identifier address "85.189.247.234"; peers_identifier address 80.177.152.212;         initial_contact on;         support_proxy on;         proposal_check obey; proposal {                 encryption_algorithm 3des;                 hash_algorithm sha1;                 authentication_method pre_shared_key;                 dh_group 2;                 lifetime time 3600 secs;         }         lifetime time 3600 secs; } sainfo address 172.31.15.0/24 any address 10.101.0.0/16 any {         encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;         authentication_algorithm hmac_sha1,hmac_md5;         compression_algorithm deflate;         lifetime time 28800 secs; }

I think I posted on another one of your posts, I will get some additional help for you tomorrow with my working configurations posted on here.

Let's try to narrow down a few things.  What ASA Model and OS version are you running?  I would suggest limiting the protocol/encryption/hash to ESP-3DES-MD5 and disable or disallow all the others.  When phase 1 completes on the Cisco side and you try to ping through from the Cisco LAN to the pfSense LAN, does anything change (TTL?, RTT?)? I will lab this up with one of my work ASA's to my home pfSense to offer some additional assistance.

Oh, well yeah that'd help.  :)  I was assuming you had the proper rules in place and thinking it possibly was a FTP proxy related issue (though VPN subnets are supposed to bypass that, obviously that's working correctly).

Hi, Unfortunately I have given up on pfsense, and done an install using voyage linux to my machine and done this using traditional iptables/racoon, etc which works no problem. Thanks again for your feedback.

OK at the other end it is a cisco ASA, they only want to see 3 host on our LAN. they try to implement this: Extended IP access list ACL-XXX 10 permit ip 150.2.0.0 0.0.255.255 host 172.16.3.14 20 permit ip 150.2.0.0 0.0.255.255 host 172.16.3.16 30 permit ip 150.2.0.0 0.0.255.255 host 172.16.3.15 any idea ?

Problem still exist in RC3. I really like the new IPsec connection status symbols and the IPsec highlighting in the log files. It would be great if the mobile clients could be shown also. [image: IPsec.png] [image: IPsec.png_thumb]

I recently did this.  It was really a challenge.  I was using a netgear 380 vpn router.  It was a realy pain to get configured.  It took me about 14 hours to get it running.  The vpn's tunnels between pfsense and the netgear about killed me.  RC

I am using the following build without any issues. 1.2-RC3 built on Thu Oct 18 15:19:54 EDT 2007 RC

If it's OpenVPN related then it should go to that category: http://forum.pfsense.org/index.php/board,39.0.html The top most Sticky by SUllrich handles creating CERTs as your subject suggests. Later on you write about KEYs…

but my clients is able to connect from any internet cafe or a dialup

I am using 1.2-RC2  and i get this error To sunny chowdhry Please tell me how to configure both ends of the tunnel so i can get it to work