• 0 Votes
    8 Posts
    3k Views
    T
    @mikee: Then please edit the Subject and mark it as SOLVED for others to be able to benefit from your experience. Thanks. I guess that's something the thread starter has to do. His setup is different from mine and I don't see that he has found a solution yet.
  • IpSec pass thru ports

    3
    0 Votes
    3 Posts
    2k Views
    M
    Just another helpful tip should anyone encounter it. If you use the NTP service, and it stalls, the AT&T MicroCell will stop working, but the Sprint MicroCell will keep working.  Apparently AT&T's unit demands a time sync.  The NTP service might say it's running but a packet capture will show a flood of unanswered port 123 traffic on the LAN. How did the NTP service stop working, you ask?  Since NTP service beats Unbound to the clock on bootup, NTP never starts unless manually started. The log reports, NTP could not resolve hostname.  So I figure I'll use an IP addy for the NTP server address so it won't have to resolve.  Well can you believe time.nist.gov IP addy changed a couple days ago?  This locked up the NTP service, which broke all Microcells on the network. Nice eh… ver 2.1R-64b
  • IPsec tunnel to WAN port only

    8
    0 Votes
    8 Posts
    3k Views
    G
    You REALLY don't like OpenVPN, right? :P Let's put this very simply: If you want to be able to selectively route internet traffic through the link, **forget about IPsec**. If you really want to use IPsec, you will be able to access the VPS and its subnet with no problems. Just create a regular Phase1, and then an appropriate Phase2 which links the subnets. Allow all traffic on the IPsec "interface" in the firewall rules, and you are done. Regards! Disclaimer, just to be technically correct, hehe: actually you could route some internet traffic if you manage to know the certain IP addresses/ranges that those sites utilize, by creating a Phase2 on both firewalls with that subnet. Even if you could do it, it will be waay too cumbersome for something that you can easily achieve with an OpenVPN tunnel.
  • Tunnel to Cisco 2800 router

    3
    0 Votes
    3 Posts
    1k Views
    M
    You may post your cisco config if you want someone to be able to help
  • PfSense IPSec with overlapping networks

    5
    0 Votes
    5 Posts
    4k Views
    J
    Hi Jim, On page 433 in the IPsec chapter of the 2.1 draft document, it says "if [the network option] is unchecked, the clients will attempt to send all of their traffic, including Internet traffic, across the tunnel". Assuming I am ok handling the Internet traffic, wouldn't this bypass any conflicting IP address issues as described in this thread? –jason @jimp: The NAT must be done on the client side before it leaves. The other router can never see the address. In the case of the LANs overlapping, both sides must do the NAT so they appear to be on different subnets. You can't do all of the NAT on one side in both directions. Save yourself a ton of time and headaches, just bite the bullet and renumber the side you have more control of now.
  • DNS Resolving with DNS behind tunnel suddenly stopped

    1
    0 Votes
    1 Posts
    851 Views
    No one has replied
  • VPNIPsec - Routing traffic trough VPN

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    A
    Problem solved (not in pfsense). route was OK in pfsense
  • 0 Votes
    1 Posts
    823 Views
    No one has replied
  • Phase 2 Mobile Client Local Network Type LAN Subnet No Internet Access

    9
    0 Votes
    9 Posts
    4k Views
    R
    I was NATing the wrong IP. I use a secondary public IP as a virtual IP address in pfSense. Had to set up a manual outbound NAT for my IPsec IPs. So if my IPsec LAN IPs are 192.168.99.0/24 then I need to set up an outbound NAT for 192.168.99.0/24 to my public IP x.x.x.x. Once set up I had internet.
  • IPSEC Windows Authentication: Allow/Deny user access?

    2
    0 Votes
    2 Posts
    1k Views
    R
    Nobody? Trying to figure out if it's a config issue or just supposed to be this way. Any ideas would be helpful. Thanks. 8)
  • IPSec site-to-site with NAT on pfSense 2.1

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN to Watchguard Firebox X Edge

    2
    0 Votes
    2 Posts
    2k Views
    D
    Greetings Joe. I have had 0 problems setting up WatchGuard models to connect to pfSense. It is all a vanilla install. Easy as pie. The errors that you're seeing are strange though.
    Sep 27 10:39:39  racoon: ERROR: sendto (Operation not permitted)
    Sep 27 10:39:39  racoon: ERROR: sendfromto failed
    Sep 27 10:39:39  racoon: ERROR: phase1 negotiation failed due to send error. 66b1e254686db797:0000000000000000
    Sep 27 10:39:39  racoon: ERROR: failed to begin ipsec sa negotication.
    I've never seen these errors before. Google brings up http://lists.freebsd.org/pipermail/freebsd-net/2012-July/032726.html. Are you sure your settings match? Double check. Not much help I know, sorry…
  • IPSEC+VPC AMAZON(Resolved)

    1
    0 Votes
    1 Posts
    875 Views
    No one has replied
  • 0 Votes
    4 Posts
    2k Views
    R
    forgot to upload the most important thing … IPsec log
  • Multiple IPSEC VPNs

    6
    0 Votes
    6 Posts
    5k Views
    G
    If I understood correctly, you want 2 sites (which are not connected directly between them) to use your main office as a "hop" to get connected? If that's the case, it is a routing problem. BranchA doesn't know that it has to route traffic intended for BranchB through your main office. Since you cannot really add static routes that play with IPsec, the solution is to add another Phase2 at BranchA and BranchB (and the main office, of course) which connects the opposite site subnet. Example: let's say main office is 192.168.0.0/24, BranchA is 192.168.1.0/24 and BranchB is 192.168.2.0/24. On BranchA you add a Phase2 that reads:
    Local Subnet: 192.168.1.0/24
    Remote Subnet: 192.168.2.0/24
    Same (but opposite) on BranchB and main office. You would need as many Phase2s as sites you want connected. After that it should work. Some time ago I had the same problem and solved it in this way. Whether you can add another Phase2 on the Netgear firewalls or not, that's a different story. You could also solve this by using NAT before IPsec (which should be available on 2.1, haven't tested it yet), but you won't have fully transparent connectivity. Regards!
  • Cannot reach hosts across pfSense site to site ipsec tunnel

    6
    0 Votes
    6 Posts
    4k Views
    K
    And, if possible, openvpn would be a step up…  Unless there is something that prevents it.
  • No traffic between PfSense and Monowall tunnel

    2
    0 Votes
    2 Posts
    1k Views
    D
    Anyone who has a clue what could be wrong here?
  • [SOLVED] IPSEC not tunneling traffic

    6
    0 Votes
    6 Posts
    2k Views
    M
    Presume you set the iPhone VPN configuration "SEND ALL TRAFFIC" to "ON". This is a good resource for OpenVPN client setup. http://www.guizmovpn.com/index.php?option=com_agora&task=topic&id=559&Itemid=14
  • Ability to see virtual IP address of mobile IPSec clients?

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ
    I'm not sure, I don't recall seeing anyone mention it before. You can open a feature request on redmine (target = future) if you like, but search a little there first to make sure there isn't one already.
  • Weird audio problem with SIP phone and asterisk

    1
    0 Votes
    1 Posts
    911 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.