IPsec mobile clients won't establish - ALIX 2 units

  • Hi guys,

    First-time poster and user of the pfSense system. I have been able to establish a static-to-static IPsec VPN and ping a device through the VPN, but now, when attempting to test mobile-client IPsec VPNs, I cannot get one to establish.

    I followed the guide from http://pfsense.mirror.range-id.it/tutorials/mobile_ipsec/ on how to get mobile IPsec set up. On the static end I enabled IPsec VPNs, then also set up pre-shared keys under the User FQDN settings and the mobile client IPsec settings. On the remote client I set the identifier to User FQDN and used the same pre-shared key that was defined on the static client. Both ends had the same lifetime settings and all the same encryption settings.

    Below is the line from the SAD IPsec status screen on the mobile pfSense box. On the Overview screen it displays a yellow X at the end, showing that it hasn't properly established.

    Source       Destination  Protocol  SPI          Enc. alg.  Auth. alg.
                              ESP       0d59e1f4     replay=0   pid=33739

    Any help would be greatly appreciated.

    [EDIT] Thought I would attempt to further clarify my setup and what I was doing. I have been trying to test these devices before they go in tomorrow ::) . I have the mobile client's management page set to and its WAN IP set to . I have what will be the static client set up as on its LAN port and for its WAN port.

    On the static client I have set up an IPsec rule to allow all traffic on any protocol and turned on the "Allow mobile clients" option in the IPsec settings. I have also entered an ID and passphrase for use by the mobile client in its IPsec settings.

    On the mobile client I specified that is the remote endpoint, with the IP subnet of as its remote subnet. I set the same ID as a User FQDN in the identifier for the remote client, and also the same passphrase. I am using 3DES and SHA1 for both phases of the IPsec VPN, with a lifetime setting of 3600 seconds on both ends for each phase as well. I also made sure there was a rule on the remote endpoint to allow IPsec traffic.

    Now, when attempting to ping the static gateway of from a PC (with a gateway of ) behind the remote endpoint, this is where the above SAD line appears.

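The SAD row in the post shows an SPI and a replay counter but no encryption or authentication algorithm, which is also what a half-negotiated (larval) entry looks like in the raw `setkey -D` output that the pfSense status page is built from. The following checker is an added example for this thread, not code from the original post or from pfSense: it parses a `setkey -D` style dump and reports, for a given pair of peers, whether a mature ESP SA with both algorithms exists in each direction. The dump below is constructed for the example (the addresses 203.0.113.2 and 198.51.100.1 are documentation ranges, not the poster's), and the format assumed is the one printed by ipsec-tools `setkey -D`.

```python
"""Check a `setkey -D` style SAD dump for complete ESP SAs in both directions.

Added example for this thread; not code from the original post or from pfSense.
Assumes the entry layout printed by ipsec-tools `setkey -D`: an unindented
"src dst" line followed by indented detail lines. The sample is constructed.
"""
import re
from typing import Dict, List

# Constructed sample: a mature SA in one direction and a larval entry (no
# E:/A: lines, replay=0, state=larval) in the reverse direction.
SAMPLE_SAD = """\
203.0.113.2 198.51.100.1
    esp mode=tunnel spi=230091252(0x0db6e9f4) reqid=16385(0x00004001)
    E: 3des-cbc  6f0a3c1d 8e9b2a44 51c3d7e0 9a1b2c3d 4e5f6071 8293a4b5
    A: hmac-sha1  0102030405060708090a0b0c0d0e0f1011121314
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan  1 12:00:00 2009   current: Jan  1 12:05:00 2009
    diff: 300(s)    hard: 3600(s)   soft: 2880(s)
    sadb_seq=1 pid=33739 refcnt=0
198.51.100.1 203.0.113.2
    esp mode=any spi=0(0x00000000) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=larval
    created: Jan  1 12:05:00 2009   current: Jan  1 12:05:00 2009
    sadb_seq=0 pid=33739 refcnt=0
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
SPI_RE = re.compile(r"^(\w+) mode=(\S+) spi=\d+\((0x[0-9a-fA-F]+)\)")
STATE_RE = re.compile(r"replay=(\d+).*state=(\w+)")


def parse_sad(text: str) -> List[Dict]:
    """Split a setkey -D dump into one dict per SA (src, dst, proto, spi, enc, auth, state)."""
    entries: List[Dict] = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented "src dst" line opens a new SA entry.
            m = HEADER_RE.match(line)
            if m:
                cur = {"src": m.group(1), "dst": m.group(2), "proto": None, "mode": None,
                       "spi": None, "enc": None, "auth": None, "replay": None, "state": None}
                entries.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        m = SPI_RE.match(s)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), m.group(3)
            continue
        if s.startswith("E: "):
            cur["enc"] = s.split()[1]          # encryption algorithm name
        elif s.startswith("A: "):
            cur["auth"] = s.split()[1]         # authentication algorithm name
        m = STATE_RE.search(s)
        if m:
            cur["replay"], cur["state"] = int(m.group(1)), m.group(2)
    return entries


def check_tunnel(entries: List[Dict], a: str, b: str) -> Dict[str, str]:
    """Return 'ok', 'incomplete' or 'missing' for the ESP SA in each direction between a and b.

    'ok' requires state=mature plus both an encryption and an authentication algorithm;
    an entry present without those (e.g. state=larval) is 'incomplete'.
    """
    def status(src: str, dst: str) -> str:
        sas = [e for e in entries if e["src"] == src and e["dst"] == dst and e["proto"] == "esp"]
        if not sas:
            return "missing"
        if any(e["state"] == "mature" and e["enc"] and e["auth"] for e in sas):
            return "ok"
        return "incomplete"

    return {f"{a}->{b}": status(a, b), f"{b}->{a}": status(b, a)}


if __name__ == "__main__":
    sad = parse_sad(SAMPLE_SAD)
    for direction, result in check_tunnel(sad, "203.0.113.2", "198.51.100.1").items():
        print(f"{direction}: {result}")
```

A tunnel is only usable when both directions report `ok`; an `incomplete` entry means Phase 2 (quick mode) never finished for that direction, so the Phase 1 identifier and pre-shared key and the Phase 2 proposals on both ends are the first things to compare. On a real box, feed the checker the output of `setkey -D` instead of the constructed sample.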