• Ipsec died and ping_hosts.sh

    Locked, 1 post, 1k views
  • Samsung Galaxy S VPN to pfSense?

    Locked, 2 posts, 3k views
    jimpJ

    It would probably work on 2.0 since you can do IPsec and L2TP together there, but there aren't yet any instructions for doing L2TP/IPsec so it would take a bit of trial and error to get going.

  • IPSec, mobile client, windows file sharing WITH local firewall [Success]

    Locked, 1 post, 3k views
  • Force public ip down VPN

    Locked, 2 posts, 2k views
    jimpJ

    If the subnet is specified as the remote subnet for the IPsec tunnel, it should already be using the tunnel.

    That said, IPsec doesn't route in the traditional sense. If traffic matches the tunnel definition, it's just grabbed and put on the tunnel.

  • Routing advice

    Locked, 4 posts, 2k views
    J

    Cool, thanks, got it all working.

  • IPsec tunnel randomly drops.

    Locked, 9 posts, 10k views
    A

    For now this is the workaround:

    'Prefer old IPsec SAs' enabled
    lifetime on phase2 60 seconds

    Regards, Andrea.

  • ENC0 blocking when ipsec is open

    Locked, 4 posts, 6k views
    jimpJ

    Everything is blocked by default.

    If you want to allow access in across the tunnel, you need rules on the tunnel interface.

  • VPN site to site : PFSense / funkwerk R3800

    Locked, 1 post, 2k views
  • Site to Site IPsec VPN

    Locked, 5 posts, 4k views
    S

    Hi,

    There is only a tunnel between Site A 172.16.1.0/24 and site B (LAN) 172.16.2.0/24!

    Ping failed because of the missing tunnel. IPsec is not routed.

    You need to add a parallel tunnel on both sites for network 10.5.1.0.

    Site A 10.5.1.0/24 (LAN) <--> site B (LAN) 172.16.2.0/24

    If you want to route VPN traffic, use OpenVPN.

    You can't access networks over a VPN from pfSense itself by default; it looks like that's what you are doing.

    Yes, that's caused by the FreeBSD IPsec implementation.

    You need to set the source IP (interface) or you need to define a static route.

    Remember the LAN IP must match the tunnel definition to work.

    ping -S <lan ip>

    cya

  • Connection to non pfSense remote network.

    Locked, 4 posts, 3k views
    J

    OK - finally got it working…

    First - I had no "generate_policy" command
    Then - I had various firewall issues on the pfSense end (it would make sense to have some indication that the IPsec connection will be pointless until explicitly opened)
    Then - I had firewall issues on the other end
    Then - I had routing issues on the other end (masquerading got done before IPsec got a look in)

    My head hurts.

    I'm going for a lie down.

  • IPsec / keep alive

    Locked, 2 posts, 2k views
    jimpJ

    That /usr/local/bin/ping_hosts.sh is run a different way.

    In /etc/rc:

    minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh

    It's probably already running if you check the output of "ps uxawww | grep minicron"

    The actual cron job is redundant though, I'm not sure it's needed/relevant these days.

  • Syntax error after setting IPSEC VPN

    Locked, 1 post, 1k views
  • PfSense and Cisco 1841 site-to-site help?

    Locked, 2 posts, 5k views
    U

    The problem was on the Cisco side: when the pfSense site-to-site is not the first connection in the config file, the tunnel does not work.

  • Newbie IPSec Road Warrior Question

    Locked, 6 posts, 5k views
    P

    [SOLVED]:

    Here was the main hang-up: I needed to use NAT-T to work from behind other NATs, and to do that I created a firewall rule under WAN to allow UDP traffic through port 4500. This allowed me to get past phase 1 and 2. I then remembered that I was switching around the IP address for the remote client, putting it inside my subnet, then outside, and back in. I reread the tutorial and it does clearly say to use an IP outside your subnet, so I was just giving myself headaches by not sticking with the tutorial after opening port 4500.

    Long story short,

    to enable NAT-T, create a firewall rule under WAN for UDP port 4500 and follow the tutorial! ;)

  • VPN drops out and will not reconnect automatically

    Locked, 9 posts, 17k views
    N

    I may have resolved my issues today, time will tell but it seems to auto reconnect without issues.

    My issue was that if the WatchGuard rebooted it would not reconnect, yet if I rebooted my pfSense box it would work.

    I now set my Phase 1:

    Encryption algorithm: 3DES
    Hash algorithm: MD5 (this was SHA1 before)

    I made sure the WatchGuard matches, and it seems to work now. What are your phase 1 algorithms?

  • Racoon: ERROR: couldn't find configuration?

    Locked, 5 posts, 13k views
    X

    When I get issues with IPsec where nothing will bring the tunnel back up, I change the PSK and it works again; I have to do this every 2-3 months. I too am migrating to OpenVPN.

  • IPsec SAD issue

    Locked, 6 posts, 6k views
    M

    Solved the problem! I have checked the option System -> Advanced -> Miscellaneous -> IPsec SA preferral -> Prefer old IPsec SAs and tunnels seem not to fall down any more.

  • Two IPsec VPNs from a multi WAN network to one pfsense

    Locked, 1 post, 3k views
  • ERROR: no policy found ??

    Locked, 5 posts, 5k views
    Z

    Ok. Yes, the box was checked in my advanced configuration. I unchecked it to see if it makes a difference.

    Thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.