  • Phase 2 problem.

    hmm.. still no luck for me =(

    I increased the debugging in racoon and got a couple of more messages.

    Feb 26 15:27:15 racoon: DEBUG: compute IV for phase2
    Feb 26 15:27:15 racoon: DEBUG: phase1 last IV:
    Feb 26 15:27:15 racoon: DEBUG: 4b27456a 80e0fb18 7776ecb0
    Feb 26 15:27:15 racoon: DEBUG: hash(md5)
    Feb 26 15:27:15 racoon: DEBUG: encryption(des)
    Feb 26 15:27:15 racoon: DEBUG: phase2 IV computed:
    Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
    Feb 26 15:27:15 racoon: DEBUG: begin decryption.
    Feb 26 15:27:15 racoon: DEBUG: encryption(des)
    Feb 26 15:27:15 racoon: DEBUG: IV was saved for next processing:
    Feb 26 15:27:15 racoon: DEBUG: df27599a 375cddd2
    Feb 26 15:27:15 racoon: DEBUG: encryption(des)
    Feb 26 15:27:15 racoon: DEBUG: with key:
    Feb 26 15:27:15 racoon: DEBUG: e9eb3b33 990da27c
    Feb 26 15:27:15 racoon: DEBUG: decrypted payload by IV:
    Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
    Feb 26 15:27:15 racoon: DEBUG: decrypted payload, but not trimed.
    Feb 26 15:27:15 racoon: DEBUG: padding len=1
    Feb 26 15:27:15 racoon: DEBUG: skip to trim padding.
    Feb 26 15:27:15 racoon: DEBUG: decrypted.
    Feb 26 15:27:15 racoon: DEBUG: HASH with:
    Feb 26 15:27:15 racoon: DEBUG: hmac(hmac_md5)
    Feb 26 15:27:15 racoon: DEBUG: HASH computed:
    Feb 26 15:27:15 racoon: DEBUG: 5ab258f3 61fe90e9 40ee109a 9bccc248
    Feb 26 15:27:15 racoon: DEBUG: hash validated.
    Feb 26 15:27:15 racoon: DEBUG: begin.
    Feb 26 15:27:15 racoon: DEBUG: seen nptype=8(hash)
    Feb 26 15:27:15 racoon: DEBUG: seen nptype=11(notify)
    Feb 26 15:27:15 racoon: DEBUG: succeed.
    Feb 26 15:27:15 racoon: ERROR: unknown notify message, no phase2 handle found.
    Feb 26 15:27:15 racoon: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0f6aa0b7(size=4).
    Feb 26 15:27:25 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
    Feb 26 15:27:25 racoon: DEBUG: sockname 222.222.222.222[500]
    Feb 26 15:27:25 racoon: DEBUG: send packet from 222.222.222.222[500]
    Feb 26 15:27:25 racoon: DEBUG: send packet to 111.111.111.111[500]
    Feb 26 15:27:25 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
    Feb 26 15:27:25 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
    Feb 26 15:27:35 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
    Feb 26 15:27:35 racoon: DEBUG: sockname 222.222.222.222[500]
    Feb 26 15:27:35 racoon: DEBUG: send packet from 222.222.222.222[500]
    Feb 26 15:27:35 racoon: DEBUG: send packet to 111.111.111.111[500]
    Feb 26 15:27:35 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
    Feb 26 15:27:35 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
    Feb 26 15:27:45 racoon: ERROR: 111.111.111.111 give up to get IPsec-SA due to time up to wait.
    Feb 26 15:27:45 racoon: DEBUG: an undead schedule has been deleted.

    It seems like some packets won't get sent.

    Anyone?

  • Adding multiple subnets to VPN tunnels

    There is nothing like real life testing but I have a feeling that this machine should do the job.

  • Say No to Splittunneling

    @maynarja:

    I am looking into this configuration and will post the results. If anyone has a comment please post.

    PIX Config
    access-list IPSEC_21 permit ip 0.0.0.0 0.0.0.0 10.2.2.0 255.255.255.0
    same-security-traffic permit intra-interface

    pfSense
    remote 0.0.0.0 0.0.0.0
    remote gw [staticPublicIP]

    Use 0.0.0.0 0.0.0.0 to force all traffic through the tunnel?
    Use "same-security-traffic permit intra-interface" to allow all traffic to return out the same interface it is received on?

    I had a configuration the same as this running on pfSense a year or so ago for a test; it worked fine.
    I had to modify the config.xml file to add the 0.0.0.0 into the remote area, but all was fine on reboot.

  • Multiple remote subnets

    So on the 10.255.0.x side, tell it that the remote subnet is /8,

    and on the 10.x.x.x side, tell it that the remote subnet is /24.
    Won't work?

  • Something not quite right about IPsec…

    Good guess  ;D

  • VPN not allowing outbound traffic

    Unless you run one of the latest snapshots, pfSense doesn't support IPsec filtering (this was added some days ago to the latest snapshots). As you mention that it works with other clients, I doubt that the problem is at the pfSense end.

  • Invalid Exchange type?

    Thank you!

    Wonder if there is an option for the generate policy deep inside pfSense =0

  • Checkpoint VPN

    I have not used a Checkpoint client yet.  :(

    Oh, any chance you have a lifetime mismatch somewhere between the concentrator and the clients?

  • Strange log entries

    We need more details on your setup. This is not enough to even start a wild guess.

  • Identifying IPSec sessions by Identifyer

    I agree. This would be a nice addition. I have a pfSense acting as concentrator for 12 other pfSense's joining as mobile clients and it's pretty confusing to tell which one is which  ;)

  • IPSEC works only one time after activating it?!

    Sounds like a FreeBSD bug then. Search the appropriate lists for similar problems or statements on this.

  • Redundant IPSec / GRE tunnel between pfSense and Cisco

    This has been discussed elsewhere already. Please search for this discussion and why it won't work. Load balancing over several tunnels won't work.

  • IPSec questions….

    Guess this is untested. However, I have no issues running IPsec tunnels at the pfSense itself and using IPsec clients at the LAN to go somewhere else so far. Give it a try and let us know.

  • VPN Tunnel to Cisco VPN

    I'm in the same boat.

    PC with Cisco VPN client, configured for Group Auth, Tunneling IPSEC over UDP.

    I'm unable to get the desktop client to work behind the pfSense box (tried 1.01 and today's CVS). If I put the VPN client in FRONT of the box, i.e. on the public IP, it works first time, like a charm. Dialup works fine. Sprint Wireless Modem works fine. Behind the pfSense box, no work.

    I've tried NAT/port forwarding, TCP/UDP 500, TCP/UDP 10000, ESP, etc. No work.

    I'd be happy with EITHER the VPN client working, or the pfSense box establishing the connection. Either would serve what I need to accomplish. HELP!

  • Secure WLAN with IPsec ?

    Or use the PPTP VPN server on your pfSense server and the PPTP client on your PCs.

  • Pfsense to dyndns sonicwall?

    OpenVPN would be nice. Stupid SonicWalls.

    Are there any open source firewalls that will do dynamic IPsec endpoints?

  • PfSense to Netgear VPN

    @decibel83:

    racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"

    This is usually only a debug message that can be ignored. If it works one way, the tunnel should be up fine. Does the Netgear support some filtering for the VPN traffic? Maybe you need to create a rule to allow traffic? pfSense currently can't filter VPN traffic, so it can't be an issue on the pfSense end of the connection. Are you trying to ping from behind the Netgear or from the Netgear itself? Usually devices encapsulating the connection can't use it directly without adding a fake static route or pinging from their LAN IP.

  • Dynamic IP changes

    Try "Prefer old IPsec SAs" from System > Advanced and see if this has a positive effect on re-establishing the link.

  • Connected successfully to a Sonicwall TZ170 but…

    Fixed my problem with my SonicWall TZ170 & pfSense. On the pfSense side of the tunnel, when I was entering the remote subnet, I left the subnet mask at the default of 32, when it should have been 24. When I changed that, everything worked like it should! Imagine that..

  • Only the Best –>>> PIX Static IP ---- pfSense Dynamic IP (Site to Site)

    Cool  :D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.