• Routing Parallel Tunnels

    0 Votes
    1 Posts
    605 Views
    No one has replied
  • Ipsec with NAT

    0 Votes
    4 Posts
    2k Views
    dimmon, looks like your remote gateway and remote LAN are on the same network (i.e. 216.200.x.0/24). Another strange thing is the remote host you want to connect to is a public IP (216.200.x.5) which you could connect to directly without IPSEC. I think your setup should be something like this:

    local_lan      <-->  local_gw     pfsense  local_public_ip  <-->  remote_public_ip  remote_router  remote_gw  <-->  remote_lan
    10.20.30.0/24        10.20.30.40           ?.?.?.?                216.200.x.1                      x.x.x.x          x.x.x.0/24
  • 0 Votes
    11 Posts
    7k Views
    BBcan177
    I am having a similar issue with an Ubuntu machine.

    A Network 10.10.1.0/24
    B Network 10.10.2.0/24
    C Network 10.10.3.0/24

    I have set up an IPsec VPN tunnel from A - B, and A - C (all pfSense boxes). I have an Ubuntu server on the A network and an Ubuntu machine on the B network. When I ping/ssh from the Ubuntu machine on B to the A network, I am getting a Host Unreachable/Destination Host Unreachable. The Ubuntu machine can resolve the host and IP, as is confirmed with a DIG -x command. The Ubuntu machine on B can ping the local pfSense router and anything local or internet based, but it can't ping anything on the A network, including the A router. All other devices have no issue, just this one Ubuntu machine. I have no issue with connectivity between the A and C networks.

    If I run this command on the Ubuntu machine in the B network:

    sysctl -w net.ipv4.ip_forward=1

    I can ping/ssh from A <-> B.

    The Ubuntu machine has one NIC and two additional for a TAP monitoring system, so they are set to:

    eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.255.0
              inet6 addr: xxxx::xxx:xxxx:xxxx:xxxx/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:750659 errors:0 dropped:0 overruns:0 frame:0
              TX packets:460220 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:122675477 (122.6 MB)  TX bytes:409259079 (409.2 MB)
              Interrupt:19 Memory:f0180000-f01a0000

    eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:4857110 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1017130172 (1.0 GB)  TX bytes:0 (0.0 B)
              Interrupt:16 Memory:f0280000-f02a0000

    eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:16 Memory:f0300000-f0320000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:554233 errors:0 dropped:0 overruns:0 frame:0
              TX packets:554233 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:783922279 (783.9 MB)  TX bytes:783922279 (783.9 MB)

    route -n
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        xx.xx.xx.xx    0.0.0.0        UG    100    0        0 eth0
    xx.xx.xx.0     0.0.0.0        255.255.255.0  U     0      0        0 eth0
    169.254.0.0    0.0.0.0        255.255.0.0    U     1000   0        0 eth0

    So with the "sysctl -w net.ipv4.ip_forward=1", ping and ssh work, but the traceroute doesn't seem as expected. I don't understand how the machine is forwarding when only one NIC has an address?

    PING xx.xx.xx.xx (xx.xx.xx.xx) 56(84) bytes of data.
    From xx.xx.xx.xx: icmp_seq=1 Redirect Host(New nexthop: xx.xx.xx.xx)
    64 bytes from xx.xx.xx.xx: icmp_req=1 ttl=63 time=46.8 ms

    traceroute xx.xx.xx.xx  (Traceroute from SO Sensor to SO Server)
    traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets
     1  xx.xx.xx.xx (xx.xx.xx.xx)  0.545 ms  0.532 ms  0.519 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     8  * * *
     9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    There are no blocks in iptables and UFW is set to allow the connectivity.
    If anyone has any suggestions, I would appreciate it, as I've tried several things to fix this issue without success.
  • Curl diag_ipsec.php

    0 Votes
    1 Posts
    767 Views
    No one has replied
  • IPSEC NAT USING V2.1 - SOLVED!

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • One Nic install for VPN

    0 Votes
    5 Posts
    1k Views
    As per the diagram above, I'm connecting from a remote client (192.168.1.0/24) to pfsense, which is on 192.168.0.0/24. The router pfsense is behind is 192.168.0.2. Also, the ipsec client will be 192.168.99.0/24. Added a rule on that router (192.168.0.2) so that anything for 192.168.99.0/24 is directed towards pfsense (192.168.0.110). Still, the VPN client (192.168.1.137, or virtually 192.168.99.1) cannot access anything on the other side of the tunnel, nor can a PC on the 192.168.0.0/24 network ping the client. Only concerned about the former though. Looks like it'll be a long weekend…
  • Traffic originated on pfsense to ipsec tunnel going through wan interface

    0 Votes
    2 Posts
    771 Views
    Well, it seems that with OpenVPN I don't have this issue.
  • Default GW on WAN not reachable after adding GRE OPT1

    0 Votes
    2 Posts
    1k Views
    I've tried with a previous version of pfSense and I figured out the following: traffic from the internal network to outside stops working when I add this static route, which has the remote GRE IP address for gateway. To explain it a bit more (IP addresses are not real in the following example):

    WAN on my side 193.2.2.116 (IPSEC)
    GRE on my side 193.2.2.116
    WAN on provider side 89.22.33.233 (IPSEC)
    GRE on provider side 76.44.33.211

    I'm having both IPsec and GRE on the same FW, the provider does not, so IPsec needs to be established first for GRE to work. The problem here is that as soon as I enter this static route, like 10.20.40.64/27 via 76.44.33.211 (remote GRE), on my pfSense firewall, my default GW is not reachable anymore, so DNS queries, NTP, browsing etc. … is impossible from the internal side. Traffic from outside still works, IPsec and GRE are up, but it's really annoying, I can't even update my Windows server behind pfSense. Any ideas, anyone?
  • Seeing outbound traffic in log, but can't connect to anything

    0 Votes
    3 Posts
    1k Views
    No ideas?  I just need some pointers on what to check.  So far I've come up empty.
  • Two IPSec Tunnels Destined To Different IP's With Same Subnet

    0 Votes
    1 Posts
    983 Views
    No one has replied
  • IPsec VPN with NAT/BINAT goes up and fails after 60 seconds

    0 Votes
    2 Posts
    2k Views
    It seems to be related to: https://redmine.pfsense.org/issues/3321
  • Configuring IPSEC on WebGUI very slow to load on Pfsense 2.1

    0 Votes
    2 Posts
    1k Views
    Hi, I have found the SOLUTION to the problem. It was the Failover configuration on the System > Routing > Groups tab. I removed the entries there temporarily, as I'm only in a lab environment. I found the log using the following command:

    #clog /var/log/system.log |grep php
  • Problems with IPSec mobile clients authentication

    0 Votes
    2 Posts
    3k Views
    Installing ShrewSoft VPN Client again seems to have solved the problem. No idea what happened.
  • Delete IPsec Tunnel

    0 Votes
    2 Posts
    1k Views
    Does anybody have an idea? Last week we reinstalled the pfsense with the backup of the current configuration. We still have this problem. Is there another way to check the racoon configuration? Best regards, Trexman
  • IPSec problem routing into tunnel

    0 Votes
    3 Posts
    1k Views
    Check phase 2 on side A.
  • IPSec tunnels and mobile

    0 Votes
    1 Posts
    851 Views
    No one has replied
  • AWS VPC Connection dropping

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IpSet Nat Outbound does not work

    0 Votes
    3 Posts
    1k Views
    Hi Midnight_Shadow, thanks for the reply. I succeeded in establishing NAT before IPsec on both sides without problem. :D The problem was on my IPCOP on Site B. My firewall established the connection to the SonicWall using NAT over IPsec. If anyone needs more information, let me know.
  • Ipsec tunnel between 2.03 and cisco, broken after upgrade to 2.1

    0 Votes
    3 Posts
    1k Views
    I've seen similar errors when there is a mismatch on negotiation mode (aggressive and main). Check your settings and, if everything is correct on both sides, try rwalker's suggestion and recreate the tunnel.
  • FTP problems within site-to-site IPSec tunnel

    Locked
    0 Votes
    2 Posts
    2k Views
    Please ignore this post. The system administrator at the remote end had the wrong gateway on the FTP server.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.