• PIX VPN --> pfsense (Dynamic IP)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    Currently you need at least one static IP to create IPSEC Tunnels (have a look at http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ ).

  • Connecting a pfSense and an ADSL router to another pfSense

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D

    OK, thank you very much!
    I will try, and I will write to you again if I have any problems…

  • Help with error (racoon.conf:2: "500" parse error)

    Locked
    18
    0 Votes
    18 Posts
    11k Views
    A

    I reinstalled the whole system and now it works. I think that's a bug.

  • IPsec & Firewall rules / NAT

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    jahonixJ

    Since there are so many views of this topic I post what finally worked for me and might help others.
    Maybe Hoba adds it to his tutorial…

    both sides:
    RULE: AH          *        *        WAN address              *      *          AH for IPsec
    RULE: ESP        *        *        WAN address              *      *          ESP for IPsec
    RULE: UDP        *        *        WAN address              500    *          UDP500 for IPsec

    If you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule.

    Do not use any NAT rules, this is not necessary and NAT-traversal (NAT-T) of IPsec is a task on its own.
    This usually would require UDP4500 and other things I am not familiar with.
    Have a look here:  http://en.wikipedia.org/wiki/NAT_traversal

  • Connecting WinXP Cisco VPN client to PFSense IPSEC

    Locked
    6
    0 Votes
    6 Posts
    17k Views
    H

    Have a look at the free IPSEC clients mentioned here: http://forum.pfsense.org/index.php/topic,2009.msg11516.html#msg11516

    For OpenVPN have a look at these GUI clients:
    http://openvpn.se/
    http://openvpn.net/gui.html

  • Tunnel ipsec between pfsense and cisco router

    Locked
    6
    0 Votes
    6 Posts
    13k Views
    C

    I put seconds instead of the IP…
    Now it works!
    thanks very much.

    Giacomo

  • IPSec with dynamic endpoints

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    S

    IPSEC issue.  Research aggressive mode + dynamic dns domain names.

  • Tunnel accessible one way

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    H

    Add a firewall rule like this at the load-balancing pfSense (top of the firewall rules):
    pass, protocol any, source lan subnet, destination network 10.0.0.0/24, gateway default

    This will fix it.

  • Multiple machines VPN to same endpoint with VPN Client through pf

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    P

    I found a solution to my problem. I do not think it is a good solution, but it works well for the moment.

    On the pfSense (1.0.1) I just activated "Enable advanced outbound NAT".

  • LAN TO LAN WITH 4 VPN TUNNEL (REDUNDANT)

    Locked
    28
    0 Votes
    28 Posts
    20k Views
    M

    Dear hoba:

    Please, I need help; I can't resolve this problem. I will go crazy.
    My config is as follows.

    LAN
          |
      (PfSense 1)
      |              |
    ISP1 (WAN)     ISP2 (OPT-WAN)
      |              |
      |              |
    (  Internet )
          |   
          |   
          ISP3
          |   
          |   
        pfSense2 (waiting for mobile clients)
          |
          LAN

    Both pfSense boxes have static IPs. pfsense-1 has load-balancer & squid. The tunnel is established between ISP1 and ISP3, using mobile clients on pfsense3. Unless ISP1 is down, then switch to ISP2.

    The following problems happen

    when ISP1 is down:

    A) I manually change the IPSEC VPN Start Point to ISP2 (now the tunnel is between ISP2 and ISP), but no connection is established unless I add the following static route:
           <opt1>      <destination 32 end point>      <opt1-gw>
    B) pfSense can't resolve DNS unless I add the following static route:
           <opt1>      <destination 32 dns server>      <opt1-gw>
    C) Squid (running on pfsense 1) doesn't work in any form.

    Problems A & B are resolved with a static route, C can't be, but when ISP1 is up again, I need to change the IPSEC VPN Start Point again (because ISP1 is better) and delete all the static routes. The real problem is writing and deleting a static route continuously with time I criticize of production that this uses.

    My idea is to only change the ISP START POINT MANUALLY (ONLY CHANGE COMBO IN IPS-VPN) and have everything work fine. Is that possible? If not, do you know another solution? Any solution for squid when WAN is DOWN?

  • IPSEC to CARP cluster

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    S

    @morbus:

    I tested the failover yesterday and it all worked fine, except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPSEC IP' to the slave, so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPSEC IP' on the slave and it worked fine.

    Yep.  Sorry, I forgot that step.  Glad that it is working now.

  • PfSense to FreeBSD VPN/IPsec

    Locked
    15
    0 Votes
    15 Posts
    8k Views
    K

    @J.Borg:

    @hoba:

    Guess because it's a gif/ipsec tunnel?

    You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.

    Thank you, after I edited spdadd as per your advice things start to look better now (have not edited gif on FreeBSD client 1 side however). I can reach Client 2 phone system. Some more work is needed…

    Dear all,

    I want to make a connection between pfSense and FreeBSD 6.2RC via IPsec.

    But it does not work. Could anyone establish one successfully?

  • Connecting to Remote (Dynamic IP Address) Gateway

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    L

    I am using OpenVPN for now because I have two DHCP endpoints.

  • Pfsense monowall and IPSEC

    Locked
    13
    0 Votes
    13 Posts
    11k Views
    H

    @moffl:

    for your info.

    Don't know what i am missing

    Tried it, no go. Just set up an IPsec tunnel on 2 different computers over a completely different network and it is responding exactly the same: can't receive email, cannot download files, cannot remote. It may be my imagination running away right now, but it seems when you first start the email program or a download there is the first initial install, then it stops. Hope this helps.

    Are you sure routing is set up correctly back and forth? Besides that, it somehow sounds like an MTU issue. Lower the MTUs at both WANs (m0n0 and pfSense) to 1300. If that helps, raise the values step by step until it breaks again and go back one step. I had a m0n0-pfSense tunnel from work to home for several months and was able to use my Outlook at home connecting to the Exchange server at the office without issues.

    Oh, wait… "Routes are in place"??? You don't need static routes. Only set up the tunnels. The routing is determined by the local and remote LAN of the tunnel definition.

  • Why pfSense doesn't support larger DH groups?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    S

    It is my understanding that we support everything that the FreeBSD kernel + racoon supports.  Feel free to supply diffs in unified format if this is not the case.

  • Netopia 3381-ENT to Pfsense 1.0.1

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H

    I have not seen a Netopia VPN configuration screen yet, but if you paste some screenshots I might be able to help you. Some vendors call some options differently or break up the options into several screens that reference each other. Also, logs of a connection attempt could be useful.

  • Exchange type 6

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M

    Yep, I got the same problem. Does anyone have any clue how to solve it???

    Greetings, Marcel

  • Failover IPSec - sasyncd.conf is missing

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    B

    I can see it on my keyboard, so I use them :-)

  • Invalid argument

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    D

    What happens if you increase the PFS key group setting to 2 on the second layer?
    I had this problem also, renewed the setup several times and now it's gone (now using ESP-3DES-SHA1-PFS Key 2).

  • Two VPN with dual wan

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    pfSense has openvpn.  I would imagine this would work fine with the push routes features?  Not sure, I don't even run OpenVPN but don't see why it wouldn't work.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.