• VPN to Nortel (Locked; 5 posts; 0 votes; 3k views)

    Well, there seems to be some intermittent issue with phase two on this tunnel. Logs are below. The only thing I can think of is that the lifetime doesn't match correctly, because I see a new phase 2 negotiation from them every two minutes when they are connected. It sounded like they specify their lifetimes in hours instead of seconds and their lifetime is set to 2 hours; I've got my end configured at 7200s. Not sure how pf is seeing that during the negotiation. Are there any more detailed logs I can look at to see any additional details?

    racoon: INFO: purged ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
    Mar 23 10:18:44 racoon: INFO: purging ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
    Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
    Mar 23 10:18:44 racoon: INFO: ISAKMP-SA established me.me.me.me[500]-them.them.them.them[500] spi:9564dbd685564852:333386a2d2c623da
    Mar 23 10:18:44 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Mar 23 10:18:43 racoon: INFO: begin Identity Protection mode.
    Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
    Mar 23 10:18:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
  • IPSec IP-Pool, DNS & WINS - push (Locked; 1 post; 0 votes; 2k views; no replies)
  • IPSEC filtering now present in recent snapshots (Locked; 8 posts; 0 votes; 3k views)

    Yes, perfect. Thanks.
  • Traffic flows only from one side (Locked; 9 posts; 0 votes; 4k views)

    May I ask you if this is correct?
    Client (MTU 1500) -> LAN (MTU 1500) -> IPSEC -> WAN (MTU 1300) -> INET <- WAN (MTU 1300) <- IPSEC <- LAN (MTU 1500) <- Client (MTU 1500)
  • Traffic shaping IPsec (Locked; 6 posts; 0 votes; 3k views)

    OK, this is what I have now:
    WAN->LAN  ESP  *  *            qOthersDownH/qOthersUpH  m_Other IPSEC inbound
    WAN->LAN  UDP  *  *  Port: 500  qOthersDownH/qOthersUpH  m_Other IPSEC inbound
    LAN->WAN  UDP  *  *  Port: 500  qOthersUpH/qOthersDownH  m_Other IPSEC outbound
    LAN->WAN  AH   *  *            qOthersUpH/qOthersDownH  m_Other IPSEC outbound
    LAN->WAN  ESP  *  *            qOthersUpH/qOthersDownH  m_Other IPSEC outbound
    WAN->LAN  AH   *  *            qOthersDownH/qOthersUpH  m_Other IPSEC inbound
  • IPsec VPN and ProxyARP virtual IP (Locked; 2 posts; 0 votes; 4k views)

    Only CARP can be used by the firewall itself to run services on. ProxyARP and Other can only be forwarded. Change this IP to CARP and use the CARP IP as the IPsec failover IP. Then it should work.
  • Dead Peer Detection (Locked; 2 posts; 0 votes; 2k views)

    Sounds like lifetime mismatches. Either way, check "Prefer old IPsec SAs" in System -> Advanced.
  • IPsec VPN and CARP IP (Locked; 9 posts; 0 votes; 3k views)

    OK, thanks ;D
  • IPSec Dynamic Questions (Locked; 4 posts; 0 votes; 3k views)

    No, one of the sites has to be static at least.
  • VPN won't connect… (Locked; 4 posts; 0 votes; 3k views)

    Does it use main mode? If yes, try using aggressive. Maybe you get more options then.
  • pfSense <-> pfSense IPsec issue (Locked; 6 posts; 0 votes; 3k views)

    I downloaded one from earlier today. It's fixed.
  • MOVED: Site 2 User VPN (Locked; 1 post; 0 votes; 2k views; no replies)
  • Site-to-Site VPN using CARP versus CheckPoint Firewall (Locked; 6 posts; 0 votes; 7k views)

    Feb 28 14:23:21 racoon: ERROR: malformed cookie received.
    The CheckPoint seems to send something strange. Revisit all parameters and check if they are absolutely identical. Maybe try using main mode instead of aggressive.
  • Phase 2 problem. (Locked; 8 posts; 0 votes; 7k views)

    Hmm, still no luck for me =( I increased the debugging in racoon and got a couple more messages.

    Feb 26 15:27:15 racoon: DEBUG: compute IV for phase2
    Feb 26 15:27:15 racoon: DEBUG: phase1 last IV:
    Feb 26 15:27:15 racoon: DEBUG: 4b27456a 80e0fb18 7776ecb0
    Feb 26 15:27:15 racoon: DEBUG: hash(md5)
    Feb 26 15:27:15 racoon: DEBUG: encryption(des)
    Feb 26 15:27:15 racoon: DEBUG: phase2 IV computed:
    Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
    Feb 26 15:27:15 racoon: DEBUG: begin decryption.
    Feb 26 15:27:15 racoon: DEBUG: encryption(des)
    Feb 26 15:27:15 racoon: DEBUG: IV was saved for next processing:
    Feb 26 15:27:15 racoon: DEBUG: df27599a 375cddd2
    Feb 26 15:27:15 racoon: DEBUG: encryption(des)
    Feb 26 15:27:15 racoon: DEBUG: with key:
    Feb 26 15:27:15 racoon: DEBUG: e9eb3b33 990da27c
    Feb 26 15:27:15 racoon: DEBUG: decrypted payload by IV:
    Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
    Feb 26 15:27:15 racoon: DEBUG: decrypted payload, but not trimed.
    Feb 26 15:27:15 racoon: DEBUG: 0b000014 5ab258f3 61fe90e9 40ee109a 9bccc248 000001c8 00000001 0304000e 0f6aa0b7 0a0001b8 00000001 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dca20c81 d6c60980 a0e40d81 20297a80 b3677aa5 a0e40d81 00000000 38de0d81 b1a44d2e 00000000 0a000120 0a0001b8 2ca30c81 a8670a80 01000000 a0e40d81 20000000 20297a80 b3677aa5 00000000 a0e40d81 c8020000 2ca30c81 b3677aa5 80a30c81 e4020000 2ba30c81 c02b7a80 00000001 a0e40d81 c8020000 a8a30c00 a8a30c81 609d0a80 8ca30c81 a0e40d81 20297a80 d0277a80 00000000 00000000 a0e40d81 94a30c81 d0277a80 00000000 00000000 8ca30c81 b3677aa5 38de0d81 00000100 f0287a80 82020000 9eb3eebc cf3a48a1 e0020000 a3340080 f02c6d80 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 e0020000 eca30c81 bcfa0880 d0277a80 543779f2 d4f75f51 68894780 00000000 00000000 00000000 68894780 f4013412 543779f2 7564702f 302f3530 30003412 78563412 78563412 f8a30c81 9b270080 00000000 00000000 00000000 9cf90880 00000000 cccccccc 89000000 00000000 edfead
    Feb 26 15:27:15 racoon: DEBUG: padding len=1
    Feb 26 15:27:15 racoon: DEBUG: skip to trim padding.
    Feb 26 15:27:15 racoon: DEBUG: decrypted.
    Feb 26 15:27:15 racoon: DEBUG: 294db8c8 0eed7940 2aff7afe 6fec3335 08100501 7776ecb0 000001fc 0b000014 5ab258f3 61fe90e9 40ee109a 9bccc248 000001c8 00000001 0304000e 0f6aa0b7 0a0001b8 00000001 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dca20c81 d6c60980 a0e40d81 20297a80 b3677aa5 a0e40d81 00000000 38de0d81 b1a44d2e 00000000 0a000120 0a0001b8 2ca30c81 a8670a80 01000000 a0e40d81 20000000 20297a80 b3677aa5 00000000 a0e40d81 c8020000 2ca30c81 b3677aa5 80a30c81 e4020000 2ba30c81 c02b7a80 00000001 a0e40d81 c8020000 a8a30c00 a8a30c81 609d0a80 8ca30c81 a0e40d81 20297a80 d0277a80 00000000 00000000 a0e40d81 94a30c81 d0277a80 00000000 00000000 8ca30c81 b3677aa5 38de0d81 00000100 f0287a80 82020000 9eb3eebc cf3a48a1 e0020000 a3340080 f02c6d80 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 e0020000 eca30c81 bcfa0880 d0277a80 543779f2 d4f75f51 68894780 00000000 00000000 00000000 68894780 f4013412 543779f2 7564702f 302f3530 30003412 78563412 78563412 f8a30c81 9b270080 00000000 000000
    Feb 26 15:27:15 racoon: DEBUG: HASH with:
    Feb 26 15:27:15 racoon: DEBUG: 7776ecb0 000001c8 00000001 0304000e 0f6aa0b7 0a0001b8 00000001 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dca20c81 d6c60980 a0e40d81 20297a80 b3677aa5 a0e40d81 00000000 38de0d81 b1a44d2e 00000000 0a000120 0a0001b8 2ca30c81 a8670a80 01000000 a0e40d81 20000000 20297a80 b3677aa5 00000000 a0e40d81 c8020000 2ca30c81 b3677aa5 80a30c81 e4020000 2ba30c81 c02b7a80 00000001 a0e40d81 c8020000 a8a30c00 a8a30c81 609d0a80 8ca30c81 a0e40d81 20297a80 d0277a80 00000000 00000000 a0e40d81 94a30c81 d0277a80 00000000 00000000 8ca30c81 b3677aa5 38de0d81 00000100 f0287a80 82020000 9eb3eebc cf3a48a1 e0020000 a3340080 f02c6d80 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 e0020000 eca30c81 bcfa0880 d0277a80 543779f2 d4f75f51 68894780 00000000 00000000 00000000 68894780 f4013412 543779f2 7564702f 302f3530 30003412 78563412 78563412 f8a30c81 9b270080 00000000 00000000 00000000 9cf90880 00000000 cccccccc 89000000 00000000 edfeadde 00000000 00000000 00000000 000000
    Feb 26 15:27:15 racoon: DEBUG: hmac(hmac_md5)
    Feb 26 15:27:15 racoon: DEBUG: HASH computed:
    Feb 26 15:27:15 racoon: DEBUG: 5ab258f3 61fe90e9 40ee109a 9bccc248
    Feb 26 15:27:15 racoon: DEBUG: hash validated.
    Feb 26 15:27:15 racoon: DEBUG: begin.
    Feb 26 15:27:15 racoon: DEBUG: seen nptype=8(hash)
    Feb 26 15:27:15 racoon: DEBUG: seen nptype=11(notify)
    Feb 26 15:27:15 racoon: DEBUG: succeed.
    Feb 26 15:27:15 racoon: ERROR: unknown notify message, no phase2 handle found.
    Feb 26 15:27:15 racoon: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0f6aa0b7(size=4).
    Feb 26 15:27:25 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
    Feb 26 15:27:25 racoon: DEBUG: sockname 222.222.222.222[500]
    Feb 26 15:27:25 racoon: DEBUG: send packet from 222.222.222.222[500]
    Feb 26 15:27:25 racoon: DEBUG: send packet to 111.111.111.111[500]
    Feb 26 15:27:25 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
    Feb 26 15:27:25 racoon: DEBUG: 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 000002e4 1c43f877 ebfc8f3a 54065e15 07abf452 315cffa4 887305ce b6f5c26f c1a0cd31 61a1721b bc0df24e ce094267 5fc3c94a d1554af7 bd7087cf 945d88d9 fc0ee6fd 1647309b fb523882 ab1ea7af 2d7a3d89 578e3b14 1e097dfe 58db7db8 e788ea5b ab0438d1 a94792e5 addc4f21 eaab621a bdf8f5db 25ce6b85 085520f4 edd574d8 38804f11 e9565456 494f7844 2ff5e40d 9ec47e4b 0a24a4a1 974a1e2a f05c276e 8476bee5 beb74b78 c0fe1968 e8ee9315 d4ea2689 1961753d 8a7fb164 fb0ba8ee ad731045 35d22219 f31ad580 2f31739b 6a0b6c69 01faedfb 8141c308 f3957813 2a3dc623 7b3c8e7e 4bcb0230 681e260a 5c70de6c d46b361a 4be14556 0eab9e41 40987ca1 ed2d60c2 1b360fe0 47dcc708 c3ade704 c0a2ba5e d04895d5 c536529b 237a3589 3f1782a0 24ae286c f3866414 4dc69996 81099725 e1f2dc59 0e7e2fda 36b69512 e9b99ce2 0393acda c01e44b8 973cdd32 4e54c7fa 8fb66d56 146ca3db 3328274c f8ad8c6e e2726432 539f9d66 dd17f50d a7f53c87 40821ac1 a8366425 e42244bc 84d54a12 318c99e3 4ee0b715 a59abb41 a950181d 89e358
    Feb 26 15:27:25 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
    Feb 26 15:27:35 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
    Feb 26 15:27:35 racoon: DEBUG: sockname 222.222.222.222[500]
    Feb 26 15:27:35 racoon: DEBUG: send packet from 222.222.222.222[500]
    Feb 26 15:27:35 racoon: DEBUG: send packet to 111.111.111.111[500]
    Feb 26 15:27:35 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
    Feb 26 15:27:35 racoon: DEBUG: 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 000002e4 1c43f877 ebfc8f3a 54065e15 07abf452 315cffa4 887305ce b6f5c26f c1a0cd31 61a1721b bc0df24e ce094267 5fc3c94a d1554af7 bd7087cf 945d88d9 fc0ee6fd 1647309b fb523882 ab1ea7af 2d7a3d89 578e3b14 1e097dfe 58db7db8 e788ea5b ab0438d1 a94792e5 addc4f21 eaab621a bdf8f5db 25ce6b85 085520f4 edd574d8 38804f11 e9565456 494f7844 2ff5e40d 9ec47e4b 0a24a4a1 974a1e2a f05c276e 8476bee5 beb74b78 c0fe1968 e8ee9315 d4ea2689 1961753d 8a7fb164 fb0ba8ee ad731045 35d22219 f31ad580 2f31739b 6a0b6c69 01faedfb 8141c308 f3957813 2a3dc623 7b3c8e7e 4bcb0230 681e260a 5c70de6c d46b361a 4be14556 0eab9e41 40987ca1 ed2d60c2 1b360fe0 47dcc708 c3ade704 c0a2ba5e d04895d5 c536529b 237a3589 3f1782a0 24ae286c f3866414 4dc69996 81099725 e1f2dc59 0e7e2fda 36b69512 e9b99ce2 0393acda c01e44b8 973cdd32 4e54c7fa 8fb66d56 146ca3db 3328274c f8ad8c6e e2726432 539f9d66 dd17f50d a7f53c87 40821ac1 a8366425 e42244bc 84d54a12 318c99e3 4ee0b715 a59abb41 a950181d 89e358
    Feb 26 15:27:35 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
    Feb 26 15:27:45 racoon: ERROR: 111.111.111.111 give up to get IPsec-SA due to time up to wait.
    Feb 26 15:27:45 racoon: DEBUG: an undead schedule has been deleted.

    It seems like some packet won't get sent. Anyone?
  • Adding multiple subnets to VPN tunnels (Locked; 11 posts; 0 votes; 15k views)

    There is nothing like real-life testing, but I have a feeling that this machine should do the job.
  • Say No to Split Tunneling (Locked; 4 posts; 0 votes; 3k views)

    @maynarja: I am looking into this configuration and will post the results. If anyone has a comment, please post.

    PIX config:
    access-list IPSEC_21 permit ip 0.0.0.0 0.0.0.0 10.2.2.0 255.255.255.0
    same-security-traffic permit intra-interface

    pfSense:
    remote 0.0.0.0 0.0.0.0
    remote gw [staticPublicIP]

    Use 0.0.0.0 0.0.0.0 to force all traffic through the tunnel? Use "same-security-traffic permit intra-interface" to allow all traffic to return out the same interface it is received on? I had a configuration the same as this running on pfSense a year or so ago for a test; works fine. Had to modify the config.xml file to add the 0.0.0.0 into the remote area, but all was fine on reboot.
  • Multiple remote subnets (Locked; 3 posts; 0 votes; 2k views)

    So on the 10.255.0.x side, tell it that the remote subnet is /8, and on the 10.x.x.x side tell it that the remote subnet is /24. Won't work?
  • Something not quite right about IPsec… (Locked; 4 posts; 0 votes; 2k views)

    Good guess ;D
  • VPN not allowing outbound traffic (Locked; 4 posts; 0 votes; 3k views)

    Unless you run one of the latest snapshots, pfSense doesn't support IPsec filtering (this was added some days ago to the latest snapshots). As you mention that it works with other clients, I doubt that the problem is at the pfSense end.
  • Invalid Exchange type? (Locked; 3 posts; 0 votes; 11k views)

    Thank you! Wonder if there is an option for the generate policy deep inside pfSense =0
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.