• VPN Tunnel to Cisco VPN

    Locked, 0 Votes, 5 Posts, 6k Views
    I'm in the same boat. PC with Cisco VPN client, configured for Group Auth, Tunneling IPSEC over UDP. I'm unable to get the desktop client to work behind the pfSense box (tried 1.01 and today's CVS). If I put the VPN client in FRONT of the box, i.e. on the public IP, works first time, like a charm. Dialup, works fine. Sprint Wireless Modem, works fine. Behind the pfSense box, no work. I've tried NAT/Port forwarding, TCP/UDP 500, TCP/UDP 10000, ESP, etc. No work. I'd be happy with EITHER the VPN client working, or the pfSense box establishing the connection. Either would serve what I need to accomplish. HELP!
  • Secure WLAN with IPsec ?

    Locked, 0 Votes, 3 Posts, 2k Views
    Or use the VPN PPTP server on your pfSense server and the PPTP client on your PCs.
  • Pfsense to dyndns sonicwall?

    Locked, 0 Votes, 9 Posts, 6k Views
    OpenVPN would be nice. Stupid sonicwalls. Are there any open source firewalls that will do dynamic ipsec endpoints?
  • PfSense to Netgear VPN

    Locked, 0 Votes, 14 Posts, 18k Views
    @decibel83: racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"
    This is usually only a debug message that can be ignored. If it works one way the tunnel should be up fine. Does the netgear support some filtering for the vpn traffic? Maybe you need to create a rule to allow traffic? The pfSense currently can't filter VPN traffic so it can't be an issue on the pfSense end of the connection. Are you trying to ping from behind the netgear or from the netgear itself? Usually devices encapsulating the connection can't use it directly without adding a fake static route or pinging from their LAN IP.
  • Dynamic IP changes

    Locked, 0 Votes, 4 Posts, 3k Views
    Try "Prefer old IPsec SAs" from System > Advanced and see if this has a positive effect on reestablishing the link.
  • Connected successfully to a Sonicwall TZ170 but…

    Locked, 0 Votes, 25 Posts, 31k Views
    Fixed my problem with my Sonicwall TZ170 & pfSense. On the pfSense side of the tunnel, when I was entering in the remote subnet, I left the subnet class with the default of 32, when it should have been 24. When I changed that everything worked like it should! Imagine that..
  • Only the Best –>>> PIX Static IP ---- pfSense Dynamic IP (Site to Site)

    Locked, 0 Votes, 5 Posts, 6k Views
    Cool :D
  • PIX VPN –-> pfsense (Dynamic IP)

    Locked, 0 Votes, 2 Posts, 2k Views
    Currently you need at least one static IP to create IPSEC Tunnels (have a look at http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ ).
  • Connecting a pfSense and an ADSL router to another pfSense

    Locked, 0 Votes, 3 Posts, 3k Views
    OK, thank you very much! I will try, and I will write to you again if I have any problems…
  • Help with error (racoon.conf:2: "500" parse error)

    Locked, 0 Votes, 18 Posts, 11k Views
    I reinstalled the whole system and now it works. I think that's a bug.
  • IPsec & Firewall rules / NAT

    Locked, 0 Votes, 2 Posts, 5k Views
    jahonix
    Since there are so many views of this topic I post what finally worked for me and might help others. Maybe Hoba adds it to his tutorial…
    both sides:
    RULE: AH   *  *  WAN address  *    *  AH for IPsec
    RULE: ESP  *  *  WAN address  *    *  ESP for IPsec
    RULE: UDP  *  *  WAN address  500  *  UDP500 for IPsec
    If you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule. Do not use any NAT rules, this is not necessary and NAT-traversal (NAT-T) of IPsec is a task on its own. This usually would require UDP4500 and other things I am not familiar with. Have a look here: http://en.wikipedia.org/wiki/NAT_traversal
  • Connecting WinXP Cisco VPN client to PFSense IPSEC

    Locked, 0 Votes, 6 Posts, 17k Views
    Have a look at the free IPSEC clients mentioned here: http://forum.pfsense.org/index.php/topic,2009.msg11516.html#msg11516 For OpenVPN have a look at these GUI clients: http://openvpn.se/ http://openvpn.net/gui.html
  • Tunnel ipsec between pfsense and cisco router

    Locked, 0 Votes, 6 Posts, 13k Views
    I put seconds instead of the IP… Now it works! Thanks very much. Giacomo
  • IPSec with dynamic endpoints

    Locked, 0 Votes, 2 Posts, 3k Views
    IPSEC issue. Research aggressive mode + dynamic dns domain names.
  • Tunnel accessible one way

    Locked, 0 Votes, 3 Posts, 3k Views
    Add a firewall rule like this at the load-balancing pfSense (top of the firewall rules): pass, protocol any, source lan subnet, destination network 10.0.0.0/24, gateway default. This will fix it.
  • Multiple machines VPN to same endpoint with VPN Client through pf

    Locked, 0 Votes, 3 Posts, 4k Views
    I found a solution to my problem. I do not think it is a good solution, but it works well for the moment. On the pfSense (1.0.1) I just activated the "Enable advanced outbound NAT".
  • LAN TO LAN WITH 4 VPN TUNNEL (REDUNDANT)

    Locked, 0 Votes, 28 Posts, 21k Views
    Dear hoba: Plz need help, can't resolve this problem. I will become crazy. My config is the next.

              LAN
               |
          (PfSense 1)
           |        |
    ISP1 (WAN)    ISP2 (OPT-WAN)
           |        |
           |        |
         (  Internet )
               |
               |
              ISP3
               |
               |
            pfSense2 (waiting for mobile clients)
               |
              LAN

    Both pfSense have static IP. pfsense-1 has load-balancer & squid. The tunnel is established with ISP1 and ISP3 using in pfsense3 mobile clients. Unless ISP1 is down, then switch to ISP2.
    The next problems happen when ISP1 is down:
    A) I change manually the IPSEC VPN Start Point to ISP2 (now the tunnel is between ISP2 and ISP), but no connection is established unless I add the next static route: <opt1> <destination 32 end point> <opt1-gw>
    B) pfSense can't resolve DNS unless I add the next static route: <opt1> <destination 32 dns server> <opt1-gw>
    C) Squid (running in pfsense 1) doesn't work in any form.
    Problems A & B resolve with a static route, C can't, but when ISP1 is up again, I need to change again the IPSEC VPN Start Point (because ISP1 is better) and delete all static routes. The real problem is to write and delete a static continuously with time I criticize of production that this uses. My idea is to only change the ISP START POINT MANUALLY (ONLY CHANGE COMBO IN IPS-VPN) and all work fine. Is that possible? If not, do you know another solution? Any solution for squid when WAN is DOWN?
  • IPSEC to CARP cluster

    Locked, 0 Votes, 7 Posts, 5k Views
    @morbus: I tested the failover yesterday and it all worked fine except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPSEC IP' to the slave so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPSEC IP' on the slave and it worked fine.
    Yep. Sorry, I forgot that step. Glad that it is working now.
  • PfSense to FreeBSD VPN/IPsec

    Locked, 0 Votes, 15 Posts, 8k Views
    @J.Borg: @hoba: Guess because it's a gif/ipsec tunnel? You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.
    Thank you, after I edited spdadd as per your advice things start to look better now (have not edited gif on FreeBSD client 1 side however). I can reach Client 2 phone system. Some more work is needed…
    Dear all, I want to make a connection between pfSense and FreeBSD 6.2RC via IPSec, but it does not work. Could anyone establish it successfully?
  • Connecting to Remote (Dynamic IP Address) Gateway

    Locked, 0 Votes, 6 Posts, 7k Views
    I am using OpenVPN for now because I have two DHCP endpoints.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.