• SOLVED …ISH - PFSENSE 2.1 Release breaks IPSEC over PPPOE ??

    I kind of had the same issue with a similar setup. Until now I had an IPSec tunnel configured to listen on interface "WAN_A", which was the only one available. We added more connections (multi-WAN) and WAN_A is not the "Default gateway" anymore. By looking at client-side tcpdumps and pfSense logs I can tell the client can send traffic to pfSense (shown in the IPSec logs) but never receives anything back (confirmed by the IPSec logs: "racoon: [CLIENT_IP] INFO: DPD: remote (ISAKMP-SA spi=58…:71...) seems to be dead."). In the future I might add more IPSec tunnels and they might not all listen on interface/gateway "WAN_A". jimp suggested to:
    - Use "LAN" as Interface for the tunnel(s)
    - Set any desired identifier: I used the "Distinguished name" setting and typed a pseudo domain name: vpn1.mycompany.com
    - Add NAT rules so that traffic incoming from WAN_A (and any other desired gateway) on ports ISAKMP (udp/500), ESP (ip/50) and NAT-T (udp/4500) goes to pfSense's LAN interface IP: you have to manually type it there (can't select "LAN address")
    - Apply the rules and restart the IPSec service
    I can confirm this works just fine: the same tunnel can now be contacted from any gateway (use NAT or firewall rules to filter out).
  • High ping between sites using IPSEC VPN

    Finally got it resolved. It was being caused by a dodgy network card. Replaced the card and all is good now.
  • VPN Site-to-Site IPSec with RSA

    No one has replied
  • Testing IPSec failover

    @dotdash: You should be able to go to VPN, IPSec, edit the primary connection and check the box to disable the phase 1. If the backup connection is disabled, enable it. The last time I played with AWS, which was a while ago, you could have both connections active and set up BGP, but it would not fail over automatically due to the tunnel trumping the routing table. This worked perfectly, and the failover worked flawlessly, to boot! Thanks for the assist and the peace of mind it has brought!
  • Mobile IPsec works only on default WAN?

    Some more information: This is not related to Racoon. I have enabled SSH for remote access, and I see exactly the same. The packets come in on the correct interface, but the replies go out on the interface with the default route, although the source address is the correct one (of the interface they came in on). If I manually add a route to the remote destination via the correct (non-default) gateway, then the replies go out on the correct interface. The conclusion is that the system does not reply via the same interface that the packet came through. Routed packets are processed just fine: the reply goes back on the correct interface, the one that originally received the packet. Only local pfSense services are affected.
  • Using pfsense as "Site to Client" VPN Client

    jimp:
    On 2.2 strongswan can handle that, but we don't have options in the GUI to do it. It's capable of pulling an IP and supporting various Cisco Unity features when acting as a client. Not sure if/when that might ever show up; it's not a very common requirement.
  • PfSense sending eMail through VPN tunnel - no way?

    Changed tunnel back to openVPN, same problem, but only on this single computer… Changed to another network card - works, at least with openVPN, not willing to switch back to IPsec at that time... :o
  • Provide banner: how to disable?

    @cmb: ipsec-tools is gone from 2.2, so I would recommend testing the situation there (now using strongswan), and if there is any similar issue, bring it up on the 2.2 board here. I don't believe that's an issue there, but confirmation would be good. I see no banner in 2.2, whether 'login banner' is ticked or not (Shrew Soft client; the banner did appear under 2.1). Haven't looked into details yet.
  • IPSec and DHCP Relay

    @cmb: If the described route is there, it should go out the tunnel as that'll determine its source IP selection. I don't recall anything with DHCP relay that's any different. The ICMP redirect you're describing would not happen with the described route. It does cause an ICMP redirect to be sent, but it's one that tells the client "to reach the remote IPsec network, hit my LAN IP", which is what they're doing anyway so it effectively does nothing. You can disable the ICMP redirects under System>Advanced, Tuning, if you don't need or want them in general. But that description makes it sound like the route wasn't right to begin with.

    Yeah, it did seem weird to me, so I checked it several times, and had a colleague check it for me as well just in case someone spiked something I drank, but the route was fine and that's the redirect the host got. In either case, installing the FreeBSD package mentioned in this post, it worked without the route. The only difference I see between the two of them network-wise is that the "unofficial" relay binds to a specific address as well as the interface, while the included daemon binds to * on the selected interface.
  • IPSec Mobile traffic passthrough

    jimp:
    When checked, the server takes the list of networks on the mobile Phase 2 and sends them to the client as a "net list" or "split network" list, so that only the networks provided will be sent across the tunnel and others go to the Internet directly, rather than tunneling everything. It's up to the client to obey that setting. Some don't support it at all and always require a manual list, others respect it, others ignore it on purpose and send everything no matter what you do.
  • Site-to-site VPN bandwidth problem

    OK, it looks like the problem was with the COX router. We were getting routed to a Level 3 network that was throttling our traffic. The new path is still throttling our traffic, but only at ~20, which is enough to do our replication in about 8 to 10 hours, which meets our business requirement. It would be nice if we could get the full 50, but it's not as high a priority now. That e-mail about the service level guarantees got the ball rolling again. Thanks for the help. ![status_rrd_graph_img.php.05-16-2014 - Copy.png](/public/imported_attachments/1/status_rrd_graph_img.php.05-16-2014 - Copy.png)
  • Racoon: [Unknown Gateway/Dynamic]: DEBUG: 92 bytes from

    No one has replied
  • IPSec VPN Between Cisco 881 and Pfsense 2.1.3 not working

    Just to let you know… after tinkering with rules and testing, I just came up with this: one rule, LAN to IPSec subnet, in the LAN tab. The other rule, any to any, in the IPSec tab. And I just got the DHCP IP helper address working... so I'm using my DHCP server. :D
  • Some servers unreachable through VPN

    First guess, wrong subnet mask on the affected hosts (/16 instead of /24, so it thinks the remote network is local).
  • Monitoring and Alerting When IPSEC Tunnel is Down or Fails

    The general purpose network availability monitoring system you use to monitor servers, switches, routers, firewalls, etc. A ping to the remote end would suffice.
  • Client cannot connect to external L2TP/ipsec server+

    Hi Mykey, did you connect pfSense to your ISP using L2TP?
  • IPSEC tunnel won't run

    On my (retired, now openVPN) IPsec tunnels I had:
    - My identifier: My IP address
    - Peer identifier: Peer IP address
    …and some higher encryption as the main difference to your setup for phase 1, on first glance.
  • 2.1 ipsec broken

    THIS thread also has problems with IPSec and CARP. Likely the issue is related.
  • Opt1 interface at remote site

    That seems like a routing issue. The IPsec tunnel will probably not know where the 10.0.0.0/8 network is, and so it can't send any traffic there. You will probably need to add another phase 2 setting to propagate 10.0.0.0/8.
  • IPsec tunnel between pfsense and Zywall

    Check your settings again. The ZyWall and the pfSense are compatible, I have a tunnel working.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.