Solved - for those who are interested:

I made my Certs with XCA (very good Opensource CA solution) … and there i defined inside the Certificate no Subject Alternative Name ... after i created new certs with IP:123.123.123.123 (same as CN) as a alternative name, all works as it should!

Like i said i use this on M0n0wall.
Could it be the type of tunnel?

this is the rest of my ipsec tunnel config

Interface            WAN
Local Subnet        Type Network
                    192.168.0.0 /24
Remote Subnet    192.168.1.0 /24
Remote Gateway    244.244.244.244

Description test

Phase 1 proposal (Authentication)

Negotiation mode  Aggressive
My identifier        My ipadress
Encryption algorithm    3Des
Hash algorithm    SHA1
DH key group    2
Authentication method    pre shared key
Pre-Shared Key      your preshared key  (i use different ones for each tunnel.)

Phase 2 proposal (SA/Key Exchange)

Protocol    ESP
Encryption algorithms    3Des
Hash algorithm    SHA1
PFS key group    off

that is the rest of my config.
I am not able to test pfsense for the tunnel at the moment.

regards,
Johan

Hello, thank you very much for your advice.
Unfortunately I cannot rely on "I assume they are not going to change IPs". In my first post, I said that firewall rules on IPSEC port are not an option. I don't know all of these guys well and some are quite savvy. - This is about highest possible security and not having to spend a dedicated hardware each.
I guess OpenVPN would be the better choice, but some of the users are connecting their IPSec capable DSL routers and of course those don't do OpenVPN. :-(
Maybe there is a more advanced option? Do you know of any options I could feed directly into the config (non-GUI)?

Thanks!

I have started to see this problem now as well on a previously working (not changed IPSec)
tunnel after testing the 1.2 beta / RC versions.

I will do a test with an older version to see if it works again.

///Dan Lundqvist

That's normal and if you search the forum you'll find many posts asking the same question  ;)

Not all guis have all settings at one page. Some vendors prefer to have multiple pages for that and reference one of the settings from another screen. Other vendors hardcode some of the settings and you have to know what they have set them to on the other end. I have pfSense systems connected to several other products via ipsec. It's sometimes hard to find out how to configure them but in the end it always worked for me.

This was discussed yesterday.  Please search before blindly opening forum topics.

It must be at least natting which can cause problems as you have a private IP behind it.

I can confirm that logging UDP traffic works now with Beta 2  ;D

Will test the other problem soon.

Greets

Dave

We're new to pfsense, and just starting to test. What you're describing is possible. You would setup different weights for routes, and Cisco has a tracking feature that would ping an IP address. When the preferred route fails, you would alter the route weight and move the packets over the backup connection.

We are still having this problem  :(,
Not sure if anyone else can help us out but here's what the ASA5510 looks like:

A.A.A.A = Remote LAN

B.B.B.B = Remote public IP

Y.Y.Y.Y = Local LAN

Z.Z.Z.Z = Local public IP

:

ASA Version 7.0(5)

!

interface Ethernet0/0

speed 100

duplex full

nameif PUBLIC

security-level 0

ip address Z.Z.Z.Z 255.255.255.0

!

interface Ethernet0/2

nameif PRIVATE

security-level 100

ip address Y.Y.Y.Y 255.255.255.0

!

access-list PUBLIC_access_in extended permit ip A.A.A.A 255.255.255.0 Y.Y.Y.Y 255.255.255.0
access-list nonat extended permit ip Y.Y.Y.Y 255.255.255.0 A.A.A.A 255.255.255.0
access-list PUBLIC_cryptomap_20 extended permit ip Y.Y.Y.Y 255.255.255.0 A.A.A.A 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map PUBLIC_map 20 match address PUBLIC_cryptomap_20
crypto map PUBLIC_map 20 set peer B.B.B.B crypto map PUBLIC_map 20
set transform-set ESP-3DES-MD5
crypto map PUBLIC_map interface PUBLIC
isakmp identity address
isakmp enable PUBLIC
isakmp policy 10
authentication pre-share
isakmp policy 10
encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes  pre-shared-key * 
peer-id-validate nocheck
tunnel-group-map default-group B.B.B.B no vpn-addr-assign dhcp no vpn-addr-assign local

Its help, thanks Heiko…

@heiko:

Scott wrote on the mailing list:

Try a snapshot later today or run this command and reboot:

chmod a+rx /usr/local/bin/*.sh

i've been having same issues alot but after cmd and hoba suggested to check settings i found that lifetime on all routers if off. after adjustment everything works greate… but you gonna have to get settings from the other end of the tunnel to match them on your end.

My question is not about shaping ipsec traffic.. but i think i found the answer:

The original TOS field is copied to the encapsulating IP header, so the qos information still
remains on the encrypted packet and can be routed/queued/prioritized accordingly.

Regards,
Reto

There is a racoon configuration directive called 'log info|debug|debug2'. I added it manually to /var/etc/racoon.conf, killed racoon and started it manually using /usr/local/sbin/racoon -f /var/etc/racoon.conf. Too bad there isn't a GUI option for it somewhere (or is there?)

Anyway, more specifically, by setting it to debug2, I get this:

Jun 29 17:30:58 racoon: DEBUG: 32953411 3a24b070 00000000 00000000 01100400 00000000 0000010c 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0100 80030001 80020002 80040002 0a000084 8239ea94 e4bf1ad1 3c9a02d3 6103ba0b 50b669b5 8ca55b22 79f90a6f 62d4f840 85632dcb cfa7e7c5 ea5601da 724aa79e 5a8b6997 15739a07 79330d88 948ffa4c 20a19ce6 442538f0 d0182aaa caf80d76 9c47049f 11cd3c72 471e475a c6d675bc ca4a1f7d b1271636 52c30de3 2ac6ea4c bc945bd3 e9683a82 fc5b0d0a 236f2ef8 05000014 99e5be30 5910045b b768c0a6 89ef8c57 0d00000c 011101f4 40936165 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jun 29 17:30:58 racoon: DEBUG: resend phase1 packet 329534113a24b070:0000000000000000
Jun 29 17:30:58 racoon: DEBUG: ===
Jun 29 17:30:58 racoon: DEBUG: 40 bytes message received from 62.x.y.z[500] to 64.a.b.c[500]
Jun 29 17:30:58 racoon: DEBUG: 00000000 00000000 00000000 00000000 0b100500 f37b30ee 00000028 0000000c 00000000 0100001d
Jun 29 17:30:58 racoon: ERROR: malformed cookie received.

Any idea what might be causing the malformed cookie?

– james