  • Loss of connection after 8 hours

    2
    0 Votes
    2 Posts
    519 Views
    B
    maybe your lifetimes are a bit messed up or the re try setting the lifetime of the phase1 to 86400 seconds (=24h). then set the lifetime of the phase2 to 43200 seconds (=12h). next time the tunnel goes down, then we can easier figure out if it's a phase1 or 2 problem. to make it automatically reconnect, you can also check if dead peer detection in phase1 is enabled. if the tunnel is down, can you check if the phase1 or only phase2 is down?
  • IPSEC road warrior multiple subnets internal

    2
    0 Votes
    2 Posts
    823 Views
    J
    I have the exact same problem. I can't access my other vlans through the mobile client connection from my laptop. I tried with various firewall rules with no success. Any pfSense vlan masters here? :)
  • NAT On IPSEC PFSENSE 2.0.2

    5
    0 Votes
    5 Posts
    717 Views
    jimp
    @JJA: "I'll upgrade later because it's a sensitive firewall." Or you can upgrade it now, because that version is 5 years old and we have fixed thousands of bugs and some critical security issues since then. Nothing is so "sensitive" that it warrants ignoring security updates for 5 years. If it's that mission-critical, it should be running HA and then you can upgrade without downtime. @JJA: "Is it possible to NAT on IPSEC with PfSense 2.0.2?" No. It was a new feature in 2.1.
  • Mutual RSA - external PKI

    1
    0 Votes
    1 Posts
    518 Views
    No one has replied
  • Warning about IKEV2 with multiple phase 2s not working bug

    5
    0 Votes
    5 Posts
    2k Views
    M
    Thanks for clearing that up! I sent the client a link to this thread which I hope they share with the Cisco person.
  • LDAP Rightset

    2
    0 Votes
    2 Posts
    380 Views
    jimp
    Not with IPsec or LDAP. There isn't any way for the firewall to determine which user to associate with a given set of rules. If you used RADIUS with IPsec, you could allocate each user a static IP address and then use rules/aliases to accomplish the task. If you used OpenVPN, you could have each set of users connect to a distinct VPN port with different sets of CA/Cert structures depending on the access level – or you could have everyone connect to the same one but allocate static addresses and filter that way.
  • IPSEC - Road Warrior to Main-Office to Branch Office

    2
    0 Votes
    2 Posts
    598 Views
    B
    someone got a hint on this? [image: network.png]
  • Multiple SNAT for IPSec

    1
    0 Votes
    1 Posts
    477 Views
    No one has replied
  • 0 Votes
    1 Posts
    349 Views
    No one has replied
  • Mobile Ipsec doesn't work when site-to-site Ipsec is up

    1
    0 Votes
    1 Posts
    395 Views
    No one has replied
  • Multi branch office setup and routing

    4
    0 Votes
    4 Posts
    1k Views
    A
    Just to answer my own question: I abandoned the plan to do this via IPsec. I now used OpenVPN and it works: define site-to-site connections to your offices and a roadwarrior setup for your mobile devices.
  • Mobile IPSEC clients access to LAN?

    11
    0 Votes
    11 Posts
    3k Views
    L
    I'm not 100% sure how your setup is configured but you must be close if you can ping stuff. Try playing with iperf between ipsec client and lan pc and see how that works out. Maybe it's an MTU fragmentation issue you are seeing and clamping the ipsec packets to something like 1450 with MSS clamping in the ipsec advanced tab could help. Use the firewall and ipsec log and try to figure out why packets are not showing up in the package capture. PS Just tested with my example setup and a http web server on the lan pc. And the client can without problem load it.
  • Strange routing problem from OpenVPN clients to IPsec remote site

    11
    1 Votes
    11 Posts
    3k Views
    L
    I'm resurrecting this old thread because we've stumbled upon an identical situation (i.e. we need to NAT traffic from OpenVPN clients directed to a remote IPSec network). As far as I can tell nothing has changed up to and including pfSense 2.4.x: can anyone confirm that it still is not possible in any way to NAT traffic coming in from OpenVPN clients with destination on a remote IPSec network? (please do note that I cannot add another IPSec P2 to IPSec for the OpenVPN subnet) thank you all.
  • IPSec on startup and auto reconnect

    1
    0 Votes
    1 Posts
    403 Views
    No one has replied
  • Skype, Skype For Business, Teams over IPSec VPN

    2
    0 Votes
    2 Posts
    714 Views
    M
    All, After much playing around, this was a Windows 10 VPN client configuration issue. In Settings -> Network & Internet -> VPN, click on the VPN connection, then click on Advanced Settings and change VPN Proxy Settings from "automatic" to "none". Hopefully this helps some other folks. Thanks. James
  • Installed PFBlocker and IPSEC VPN Issue

    2
    0 Votes
    2 Posts
    722 Views
    G
    NM, added a floating firewall rule from LAN to remote network and added to top-of-list and working fine now. Thanks
  • 2.4.1 IPSec Status -> Overview Page broken

    4
    0 Votes
    4 Posts
    929 Views
    Derelict
    Known issue: https://redmine.pfsense.org/issues/8003 https://redmine.pfsense.org/issues/7856 https://redmine.pfsense.org/issues/6335
  • Traffic inexplicably not going through IPSEC despite matching SPs

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • IPsec ping interval

    2
    0 Votes
    2 Posts
    692 Views
    C
    Found it in /etc/pfSense-rc.
  • Is it possible to set up pfSense as a client for IKEv2?

    3
    0 Votes
    3 Posts
    1k Views
    V
    Oh, that's too bad. At least there's that yet to give me hope. Thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.