• Help on PFsense 2.1 IPSec

    4
    0 Votes
    4 Posts
    1k Views
    S
    Ok, so those are both pfSense hosts at either end. Does the tunnel establish between the two hosts?
    @AYSMAN:
    SITE A PHASE 2
    Mode: Tunnel IPV4
    Local Network: LAN Subnet
    Remote Network: 192.168.235.0/24 (Local Network of SITE B)
    Protocol: ESP
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA1
    PFS Key Group: 2 (1024 Bit)
    Lifetime: 3600
    […snipped...]
    SITE B PHASE 2
    Mode: Tunnel IPV4
    Local Network: LAN Subnet
    Remote Network: 192.168.235.0/24 (Local Network of SITE A)
    Protocol: ESP
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA1
    PFS Key Group: 2 (1024 Bit)
    Lifetime: 3600
    In your information, the subnet information in both phase 2 sections is identical. That will not work.
    In order to create traffic that will establish and/or traverse your IPSec tunnel…
    From the webui: Status > IPSec > Click the button to establish the tunnel, OR Diagnostics > Ping > Change interface to LAN.
    From the shell: ping -S <local_lan_ip> <remote_lan_ip>
    That command above is sourcing packets from the LAN IP you specify (so it is sent across the tunnel) and sending it to the remote LAN.
  • Moving from Linux to pfSense

    3
    0 Votes
    3 Posts
    904 Views
    E
    Look at the usage of NAT onto IPsec on 2.1; that will help with your problem.
  • IPSec Roadwarrior VPN with LDAP/Radius auth

    2
    0 Votes
    2 Posts
    1k Views
    E
    Well, support for Cisco-style RADIUS attributes is there. Support for Active Directory attributes is not there presently, so I do not think you can do that with pfSense unless you use IAS.
  • Multicast through a VPN ?

    10
    0 Votes
    10 Posts
    14k Views
    N
    I give up until someone comes with something to try, I can't figure it out ….  :'(
  • Pfs - ASA poor performance

    1
    0 Votes
    1 Posts
    815 Views
    No one has replied
  • Route HTTP traffic to a remote gateway.

    2
    0 Votes
    2 Posts
    611 Views
    D
    I figured it out. Thanks for the help…..
  • MOVED: Ipsec vpn Net to Net proxy server

    Locked
    1
    0 Votes
    1 Posts
    621 Views
    No one has replied
  • Ipsec in pfsense 2.1: different ipsec tunnels based on user

    2
    0 Votes
    2 Posts
    778 Views
    jimpJ
    In the current implementation, no. If you want multiple separate security levels for mobile users, you'll need OpenVPN.
  • PFS <> ASA IPSec tunnel help

    23
    0 Votes
    23 Posts
    9k Views
    S
    Here you go:
    [2.1-RELEASE][admin@sipsense.localdomain]/root(3): grep esp /tmp/rules.debug
    pass  in  quick  on $WAN reply-to ( rl1 24.118.172.1 ) inet proto esp  from 63.238.x.x to any keep state  label "USER_RULE: Allow ESP from XRD ASA"
    pass out on $WAN  route-to ( rl1 24.118.172.1 )  proto esp from any to 63.238.x.x keep state label "IPsec: XRD ASA - outbound esp proto"
    pass in on $WAN  reply-to ( rl1 24.118.172.1 )  proto esp from 63.238.x.x to any keep state label "IPsec: XRD ASA - inbound esp proto"
  • IPSEC between two devices on the same public subnet?

    1
    0 Votes
    1 Posts
    753 Views
    No one has replied
  • Config Conversion - half right (half not yet right…)

    1
    0 Votes
    1 Posts
    994 Views
    No one has replied
  • Route some traffic through ipSec site to site

    1
    0 Votes
    1 Posts
    720 Views
    No one has replied
  • Banning or throttling users making invalid connection attempts?

    1
    0 Votes
    1 Posts
    957 Views
    No one has replied
  • Use remote gateway when IPSec VPN connected

    2
    0 Votes
    2 Posts
    1k Views
    E
    @mrcola:
    I have two pfSense/Monowall connected using IPSec VPN. I am wondering if I can use the remote gateway as the default gateway.
    site A: LAN 192.168.50.0/24, default gateway 192.168.50.1, WAN example1.com
    site B: LAN 192.168.60.0/24, default gateway 192.168.60.1, WAN example2.com
    site A's machines can access 192.168.60.0/24 and vice versa.
    Is it possible for me to set the default gateway on some of site A's machines to 192.168.60.1?
    Thanks and Regards
    RW
    Hi RW,
    If you set a "local" user to the gateway on the "remote" network you may lose the ability to talk on the network. Are you attempting to force some clients to route out of the remote network while still having some local clients route out of their local network? If so, just wondering.. What do you intend to achieve from this?
    -E
  • IPsec does not work, force restart Racoon

    2
    0 Votes
    2 Posts
    3k Views
    E
    @Meezy:
    Hi, I installed and configured pfSense with a VPN tunnel between two sites. I use IPsec; it worked correctly for several months.. But in recent weeks, I have concerns.. The VPN drops twice a day. And I have to force a restart of the racoon service for it to work again.
    I have some log:
    racoon: ERROR: pfkey UPDATE failed: Invalid argument
    racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
    racoon: INFO: unsupported
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: begin Aggressive mode.
    racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
    racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
    racoon: ERROR: no suitable proposal found.
    racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
    Hi Meezy,
    Double check your settings on both sides of the tunnel for lifetime. Also make sure both sides are set in phase 1 for either Main or Aggressive. I have had something similar to this happen where, as long as one site would initiate, a tunnel would still work even if there was a mismatch of Main/Aggressive.
    -E
  • Vpn for local network

    1
    0 Votes
    1 Posts
    640 Views
    No one has replied
  • Pfsense Fibre Ipsec tunnel issue

    3
    0 Votes
    3 Posts
    1k Views
    P
    And now after 2 days that same server only has 2 tunnels up. Is there perhaps some timeout setting for an IPsec tunnel or some routine which should automatically try to bring the tunnel back up if it drops off?
  • Bluecoat vpn targeting specific ports

    2
    0 Votes
    2 Posts
    1k Views
    E
    Perhaps ipsec+SPD is broken.  I have tried every way to target a specific port, and no workey.  Plus, pfSense forces gloves on to do any low level stuff, using the XML to rewrite the rules on racoon restart. Rapidly losing faith in pfSense…
  • User with ldap Over IPSEC

    1
    0 Votes
    1 Posts
    876 Views
    No one has replied
  • Ipsec Tunnel down when one of multi wan down

    2
    0 Votes
    2 Posts
    885 Views
    C
    What does your system log show at the time that happens?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.