Just a quick one that will hopefully help someone else out. This evening I decided to set up a new IPsec VPN into an Amazon EC2 instance running Openswan. After the usual VPN fun I started seeing a strange Phase 2 error on my pfSense configuration:
racoon: ERROR: pfs group mismatched: my:2 peer:0
This was strange, as the remote end had PFS disabled for Phase 2 and my pfSense instance did too.
After some digging, it appears pfSense incorrectly generates the IPsec config file Phase 2 entries if you have “Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )” enabled. In my case I had this checked and set to 1024-bit (PFS group 2).
To fix the problem, uncheck this box and manually set the Phase 2 entries for your mobile VPN connection to match. My system then correctly honoured the PFS I’d configured for my new link.
Interestingly, this only seemed to affect connections created after my mobile IPsec entries. This definitely seems like a bug in pfSense, but hopefully it will help someone else out in the future.
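One way to confirm this kind of mismatch is to read the PFS group out of each `sainfo` block in the generated racoon configuration and compare it with what you intended for that tunnel. The script below is an added example, not part of the original post or of pfSense; it assumes standard racoon.conf `sainfo` / `pfs_group` syntax, and the sample configuration and tunnel selector are constructed.

```python
import re

# DH group names racoon accepts for pfs_group, mapped to group numbers.
GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
          "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}
SAINFO_RE = re.compile(r"^\s*sainfo\s+([^{]+?)\s*\{([^}]*)\}", re.M)
PFS_RE = re.compile(r"^\s*pfs_group\s+(\w+)\s*;", re.M)
LOG_RE = re.compile(r"pfs group mismatched: my:(\d+) peer:(\d+)")

# Constructed sample (not from a real system): the mobile-client entry and a
# site-to-site tunnel that was meant to have PFS off but was written with group 2.
TUNNEL = "address 192.0.2.0/24 any address 198.51.100.0/24 any"
SAMPLE_CONF = """\
sainfo anonymous  # mobile clients
{
	encryption_algorithm aes 128;
	pfs_group 2;
}
sainfo address 192.0.2.0/24 any address 198.51.100.0/24 any
{
	encryption_algorithm aes 128;
	pfs_group 2;
}
"""

def parse_mismatch(log_line):
    """Return (my_group, peer_group) from a racoon mismatch error, else None."""
    m = LOG_RE.search(log_line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def sainfo_pfs(conf_text):
    """Map each sainfo selector to its PFS group number (0 = no pfs_group line)."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip comments
    found = {}
    for selector, body in SAINFO_RE.findall(text):
        m = PFS_RE.search(body)
        value = m.group(1) if m else "0"
        found[" ".join(selector.split())] = GROUPS[value] if value in GROUPS else int(value)
    return found

def unexpected_pfs(conf_text, intended):
    """List (selector, intended, generated) where the file differs from intent."""
    generated = sainfo_pfs(conf_text)
    return [(s, g, generated.get(s)) for s, g in intended.items() if generated.get(s) != g]

if __name__ == "__main__":
    print(parse_mismatch("racoon: ERROR: pfs group mismatched: my:2 peer:0"))
    print(unexpected_pfs(SAMPLE_CONF, {TUNNEL: 0}))
```

Feed it the contents of the configuration file your firewall actually generated, with the groups you set in the GUI as `intended`; any tuple returned is a Phase 2 entry where the file disagrees with your settings.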