• Tunnel is working, but no traffic over it

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    E

    Found out what the problem was.
    My WAN interface is down, and I configured the IPsec tunnel from opt1.
    When I disabled the WAN interface my VPN was working :)

  • 0 Votes
    2 Posts
    2k Views
    S

    Additional observation:
    Even though wireless devices can't be seen remotely (thru tunnel), devices that are connected via cat5 directly into the WAP can be seen just fine from the remote office (thru tunnel).
    Here's a diagram of the local office networking devices:

    Circuit
        |
    pfSense
        |              cat5                  cat5
    24port switch <----------- WAP --------------------
        |                       |                      |
    workstations         Wireless devices        Wired devices

    The wireless devices from the WAP cannot be seen on the network from the remote location (thru tunnel). Wired devices connected to the WAP can be seen from the remote location (thru tunnel).
    Locally, all devices (wired and wireless) can connect to each other.

  • Phase 2 problem between pfSense and Centos (ipsec tunnel)

    Locked
    2
    0 Votes
    2 Posts
    8k Views
    C

    I was able to solve the problem from this post: http://efwsupport.com/index.php?topic=497.0

    @daytron:

    Following the RH/Centos doc for establishing a network-to-network tunnel between two RH/Centos boxes is dead easy. However, what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption.

    This also appears to be true for pfSense.

    I changed the config of the Centos computer and now the tunnel works.

    Centos ipsec config
    -----------------
    /etc/sysconfig/network-scripts/ifcfg-ipsec0

    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK
    AH_PROTO=none
    SRCGW=172.20.2.1
    DSTGW=172.20.1.20
    SRCNET=172.20.2.0/24
    DSTNET=172.20.1.0/24
    DST=1.1.1.1

  • Ping_hosts.sh

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    jimpJ

    You can delete the entry you see, it is not used.

  • Virtual Network for IPSec

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    E

    jimp,

    Thanks for your reply.

    Can you tell me how can I set up this 1:1 or outbound NAT on my IpSec interface ?

    Thank you.

    Érico

  • Delay racoon service when pfsense boot

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multiple tunnels on same wan

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    I managed to get this setup so this is what I found

    You can use the same IP address for multiple tunnels.
    I have used different keys + identifier for each tunnel.
    I set up a keepalive but not sure if it's needed.
    Set up iperf to send as much traffic as possible through all the links for an hour or so and watched to make sure none of the connections dropped. They did about every 6 minutes but came back up within a few seconds, which isn't ideal but I can probably cope with.
  • MOVED: VIP as source for IPSec tunnel?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Looking for help on installation. Will make a guide afterwards.

    Locked
    15
    0 Votes
    15 Posts
    4k Views
    X

    There are quite a few people running pfSense in a VM (I don't).
    I would suggest doing a traceroute, and looking at the logs on all systems (default gateway, pfSense) as it sounds like the route is not being forwarded/routed to the pfSense system, but the VPN is up.

  • Is this possible? CIDR with Netgear and pfSense boxen?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Anyone?

  • IPSEC VPN to client with Dynamic IP Address

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Ipsec, Android 2.1 and Virgin Mobile

    Locked
    6
    0 Votes
    6 Posts
    10k Views
    S

    @jimp:

    Did you add firewall rules to the L2TP interface after turning on L2TP?

    If you can connect but not transmit data, that is likely the problem (same with PPTP on 2.0)

    1.2.3 doesn't work with any connection type that I tried.

    My firewall rules were set up to pass all, nothing is being blocked by the rules.

    The Android phone says the connection failed. (PPTP, L2TP)

    I tried m0n0wall 1.3.2 for the PPTP connection and that did not work either (not super relevant but may save someone else the time of testing that).

  • [SOLVED]IpSec and internet

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J

    Thanks for your help for me!

    I installed a proxy server on the network 172.19.60.0/24 and provide all customers with access through it.
    ;) ;) ;)

  • Road Warriors with different ruleset

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    Not easily with IPsec. With OpenVPN you can use CSC entries to force people onto specific IPs, and on pfSense 2.0 you can also force them to use username/password, and also check that the username matches the certificate name.

  • Site to site VPN but neither gateway can ssh

    Locked
    2
  • Ipsec pfsense <-> ipcop

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    X

    You could do a cron job for the reboot and that way the system would reboot at the specified time.
    I think either of the below will work, set the cron job to do one of the commands at the specified time:

    shutdown -r now
    reboot
  • Routing between 2 IPSec-tunnels/nets.

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    jimpJ

    It likely will not be possible in that case, unless you can do it with CIDR summarization (use a subnet mask that will cover the subnets on either end) but getting that to match up with two remote sites may not be possible.

    Multiple subnets between two sites, sure, but not three.

  • How to set up ipsec site 2 site special config

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    You can't do NAT with IPsec on pfSense 1.2.3. 2.0 might work, but NAT+IPsec still needs some testing there. It has been reported to work in posts under the 2.0 forum here.

  • Big trouble with IPsec site 2 site connection - solved

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    It's not required. If that made your tunnel work, then something else may have been wrong.

    I run plenty of tunnels without that field filled in, though I generally do fill it out since it's convenient to have.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.