It can work but you need to make changes to both IPsec tunnels so that they include networks for Host 1 and Host 2.

The screens are largely the same between them. Just match up the phase 1 and 2 settings. http://doc.pfsense.org/index.php/VPN_Capability_IPsec http://doc.m0n0.ch/handbook/ipsec.html

Yes, the necessary firewall rules are added automatically.

No I gave up and setup an openvpn box in my VPC on the same box running the NAT

I have a PPPOe WAN, so that may very well be the problem. Will try the 2.0.3 sometime. Thanks. Lex

Hi I am back again. I've been using IPSEC in tunnel mode for a while but I am giving transport another go. I have tried again and I cannot get IPSEC transport mode to come up. I have disabled IPSEC ESP and am just using AH for the time being. I have allowed both protocols on the WAN interface (ESP & HA) from the public IP address of each side to "any" (as well as ICMP from either sides) Prefer old IPSEC SAs is OFF I have: IP: IPv4 INTERFACE: WAN REMOTE GATEWAY: PUBLIC IP OF OTHER SIDE AUTHENTICATION PROTOCOL: Mutual PSK NEGOTIATION: Agressive MY IDENTIFIER: My IP Address PEER IDENTIFIER: Peer IP Address PRESHARED KEY: <psk>(COPY & PASTED, THEY ARE THE SAME) POLICY GENERATION: Default PROPOSAL CHECKING: Default ENCRYPTION ALGORITHM: 3DES HASH ALGORITHM: SHA384 DH KEY GROUP: 2(1024 bit) LIFETIME: 28800 NAT TRAVERSAL: DISABLE DEAD PEER: UNCHECKED And for Phase 2: MODE: TRANSPORT PROTOCOL: AH HASH ALGORITHMS: MD5 PFS KEY GROUP: OFF LIFETIME: 86400 AUTOMATICALLY PING HOST: BLANK I know in IPSEC it is CRITICAL to make sure sides match, so I have ensured. I've deleted the SPD on both sides and restart racoon and still comes up with "error" under Status > IPSEC. No obvious errors in the logs (Ive googled just about everything in there) GRE is up and running, with OSPF over it. I can ping/access my remote subnets, but it breaks when I turn on IPSEC. I'd be really grateful for any ideas!</psk>

If you are in the same subnet, the WAN rules have reply-to on them which sends the data back via the gateway. That breaks what you're trying to do. You can disable reply-to in the advanced options on the firewall/NAT tab.

Thanks for the explanation. For those who have the same problem, I've solved it with a workaround, for now. I've: assigned a virtual IP (192.168.2.1) on LAN interface set up apposite rules on firewall/NAT section (included Manual Outbound NAT) added a new address (for eg. 192.168.2.5) on the network card of internal Windows machine and a new gateway 192.168.2.1 (with a higher metric than default to not interfere with the previous state) in the Windows machine set up a new permanent route to 10.1.0.0/16 net via 192.168.2.1 gateway It works!

That's not the same problem. Something there is attempting to negotiate with mismatched settings.

Using 2.1-Beta1 (i386) built on Sun Dec 30 22:21:30 EST 2012 The following settings worked for me to allow access to my internal networks by name or ip and still be able to browse the web or other networks. Mobile clients tab: I made sure I had "Provide a list of accessible networks to clients" is checked. Tunnels tab: I had to create three phase 2 and then add the following in each Local Network. Network Type: 10.0.0.0/8 Network Type: 172.16.0.0/12 Network Type: 192.168.0.0/16

Pitty. At least now I know I can stop looking for a solution for it :) Thanks!

Thx…

Completely different animal. I had thought it would be simpler but it requires a bit of heavy lifting to make that work. That's why we chose to do the gateway group method instead of that sort of failover. Would still be nice to figure out eventually, but a bit beyond my understanding of racoon's config and how we'd have to set it all up. (Plus the other end would have to support it, too)

It works, thank you  ;) It looks like Mikrotik supports that pretty well :) Michael

Is this a TYPO or do the Windows 7 versions not support this ?? You need Windows Vista or Windows 2008 or later. TIA –

Thanks Jimp, Unfortunately I don't have a crypto / accelerator card in the PFSense machine. It's a Dual Core HP XW4600 workstation with a DLINK DFE570TX card for the WAN / LAN. I have tried just about every configuration I can think of, have remotely controlled the Watchguard and checked, the settings are identical in every way. I can never get passed that last message. I have successfully set up an IPSEC VPN tunnel between this box and a couple of Draytek Vigor boxes, just can't get the Watchguard Firebox to talk. If there is someone out there in the UK that has done this I would be more than happy to pay them to sort this out. I just need to get it up and running else face having to split my network out with a router in front of PFSense and have the client drop their own Watchguard box into the mix. Thanks Graham

Yesterday I setup my iPad to our 2.01 and I can login to our office. But I can't exchange a single package with the LAN… This is what I see in the IPsec log: Dec 19 09:50:35 racoon: ERROR: pfkey ADD failed: Invalid argument Dec 19 09:50:35 racoon: ERROR: pfkey UPDATE failed: Invalid argument Dec 19 09:50:35 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) Dec 19 09:50:35 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel Dec 19 09:50:35 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 10.10.115.1/32[0] 0.0.0.0/0[0] proto=any dir=in Dec 19 09:50:35 racoon: [Self]: INFO: respond new phase 2 negotiation: XXX.91.YY.41[4500]<=>80.187.106.225[26197] Dec 19 09:50:34 racoon: WARNING: Ignored attribute 28683 Dec 19 09:50:34 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY Dec 19 09:50:32 racoon: INFO: login succeeded for user "mirco" Dec 19 09:50:32 racoon: INFO: Using port 0 Dec 19 09:50:20 racoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2 Dec 19 09:50:20 racoon: INFO: Sending Xauth request Dec 19 09:50:20 racoon: INFO: NAT detected: ME PEER Dec 19 09:50:20 racoon: [80.187.106.225] ERROR: notification INITIAL-CONTACT received in aggressive exchange. Dec 19 09:50:20 racoon: INFO: NAT-D payload #1 doesn't match Dec 19 09:50:20 racoon: INFO: NAT-D payload #0 doesn't match Dec 19 09:50:20 racoon: [Self]: INFO: NAT-T: ports changed to: 80.187.106.225[26197]<->XXX.91.YY.41[4500] Dec 19 09:50:19 racoon: INFO: Adding xauth VID payload. Dec 19 09:50:19 racoon: [Self]: [XXX.91.YY.41] INFO: Hashing XXX.91.YY.41[500] with algo #2 (NAT-T forced) Dec 19 09:50:19 racoon: [80.187.106.225] INFO: Hashing 80.187.106.225[500] with algo #2 (NAT-T forced) Dec 19 09:50:19 racoon: INFO: Adding remote and local NAT-D payloads. Dec 19 09:50:19 racoon: [80.187.106.225] INFO: Selected NAT-T version: RFC 3947 Dec 19 09:50:19 racoon: INFO: received Vendor ID: DPD Dec 19 09:50:19 racoon: INFO: received Vendor ID: CISCO-UNITY Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08 Dec 19 09:50:19 racoon: INFO: received Vendor ID: RFC 3947 Dec 19 09:50:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Dec 19 09:50:19 racoon: INFO: begin Aggressive mode. Dec 19 09:50:19 racoon: [Self]: INFO: respond new phase 1 negotiation: XXX.91.YY.41[500]<=>80.187.106.225[500] Dec 19 09:49:58 racoon: INFO: Released port 0 Dec 19 09:49:58 racoon: [Self]: INFO: ISAKMP-SA deleted XXX.91.YY.41[4500]-192.168.115.253[4500] spi:4eeff2d9004bf1d5:d1a4149da651122f Dec 19 09:49:58 racoon: INFO: deleting a generated policy. Dec 19 09:49:58 racoon: INFO: purged ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2. Dec 19 09:49:58 racoon: INFO: purging ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2. And the filter log does only recognise my iPad because our Zarafa Server is trying to access it on the old extern 3G-IP When trying to test the connection by accessing an internal Webserver by IP all I get is a timeout… And yes I've setup an any<>any rule for the IPsec interface! Greetz Mircsicz Edit: I followed this Doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 and as I'm on an ALIX I suffer from the glxsb driver prob from this thread: http://forum.pfsense.org/index.php/topic,56289.0.html so after disabling glxsb it work's as expected...