  • IPSEC Tunnel with NAT on local ip

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D

    I believe you are trying to Policy NAT, which pfSense cannot do at this time (1.2.2). I am not sure in what version, but I heard that functionality will be added in the future.
    Once it is, pfSense will replace my Cisco HW, but I fear it will be a very long wait.

  • VPN Doesn't work

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimpJ

    It just looks like the tunnel hasn't tried to establish, as if no traffic has tried to enter the tunnel.

    The messages you are seeing are typical of a normal IPsec startup, but there are no messages in there about a tunnel negotiating.

    So either nothing has tried to pass on the tunnel, or the two systems cannot really reach one another on the WAN.

  • Site-to-site VPN pfSense1.2.2 to Netgear router firewall ADSL DG834

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    N

    It is most likely a configuration issue with your policy settings. Please post screenshots of your config on both sides and make sure you are running 1.2.3-rc3.

  • VPN up but routing problems (no traffic)

    Locked
    16
    0 Votes
    16 Posts
    8k Views
    R

    In case this helps anyone else, I eventually got this working on the physical setup in my original post. I replaced our old DSL modem with a Linksys WAG54G2, mainly because it features VPN passthrough. After that everything instantly worked.

  • Change MTU not possible

    Locked
    4
    0 Votes
    4 Posts
    9k Views
    dotdashD

    Even though the field is marked MTU, it doesn't really set the MTU. Read the fine print:

    If you enter a value in this field, then MSS clamping for TCP connections to the value entered above minus 40 (TCP/IP header size) will be in effect. If you leave this field blank, an MTU of 1492 bytes for PPPoE and 1500 bytes for all other connection types will be assumed.

    If you really need to set the MTU you can do it from the shell. http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
    To survive a reboot, you would need to add a startup command to the xml.

  • 2 or more subnets on the other end of the IPSec tunnel possible?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    dotdashD

    You should be able to do this with the 2.0 snaps, but I haven't tried one lately.
    For a stable release, you could aggregate your subnets (easier, but not always possible) or set up parallel tunnels. More info here: http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

  • Racoon makes me sad, this tunnel will not stay up!

    Locked
    21
    0 Votes
    21 Posts
    10k Views
    B

    My IPSEC tunnels have always connected, but sometimes wouldn't reconnect.  I switched to RC3 and a lot of this was fixed.  The only tunnel I have problems with is one over a wireless connection.

    If your tunnels are establishing, but no data passing, be sure to double-check your firewall to make sure there are IPSEC rules to allow it.  I forgot to do this after replacing a pfsense router, and it caused me grief.

  • VPN options. Looking to replace PPTP.

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    Cry HavokC

    Yes.

    Note that the majority of the work (certificate creation) is done by the administrator.  You simply supply the config file and key.  It should be trivial to ship a script to install those.

  • Ipsec tunnel connecting but unable to ping

    Locked
    15
    0 Votes
    15 Posts
    8k Views
    S

    Hi.

    Does anyone know how to route VPN over OPT1/WAN2?
    I really need to do it.

    cheers.

    stewie

  • Racoon: ERROR: not acceptable Identity Protection mode

    Locked
    4
    0 Votes
    4 Posts
    11k Views
    S

    Hi.

    I was able to establish SA. The pfsensedocs tutorial is not working for me.
    This one: http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/
    I did a static2static setup with an additional tunnel on the static site and a psk record on the dynamic site (identifier == pubIP of static site). I hope I don't get problems with the dyndns address of the dynamic site.
    Has anyone a dynamic2static ipsec setup running?
    I always want the dynamic site to initiate the SA to the static site.

    Cheers

  • [solved] Mobile VPN on OPT1

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    R

    problem solved, first post edited. i don't know if what i was asking wasn't clear enough, it's hard to believe no one else could provide this answer. the only two downsides of pfsense are its poor logging capabilities, bugs and lack of support. given that it's free i guess that makes up for it.

  • New pre-shared key never applied?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    0

    I have checked this yet again, 3 times in a row actually and behavior is consistent.

    When I edit a key on tab 'pre-shared keys' and press 'save', I get the 'apply' button on same tab.
    I press that 'apply' button. This should be it I guess.

    I then get directed to first tab 'tunnels' when page reloads. Nothing looks weird here.

    If I at this point go to 'mobile clients' there is an 'apply' button there too.
    And if going back to 'pre-shared keys' the button is re-appearing there.

    If I press the one at 'mobile clients' tab there's no button on any of the 4 tabs afterwards.

    As soon as the one on 'mobile clients' is pressed the other one disappears, regardless in what order the tabs have been viewed in between.

    So I indeed do have to press an 'apply..' button on 2 different tabs it seems.
    I don't have mobile clients nor tunnels active when doing this.


  • IPSec how-to

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Suggestions for IPSec client for Windows Mobile 6?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec to a Linksys VPN router BEFVP41 not working [SOLVED]

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    F

    it just started working!!!!!!!!! i didn't change a thing, people can use my screens if they need help setting up ipsec with pfsense and a linksys BEFVP41

  • Ipsec mesh not working

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    B

    I got it working.  Something was wrong internally with a firewall rule.  I deleted all of my wan and ipsec rules, rebooted, and put the rules back.  Now it's happy….

  • Interesting traffic is not encapsulated

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    X

    @blak111:

    Does your firewall allow rule on the LAN interface use the default routing table?

    firewall rule -  "from any to any" for all interfaces ….

  • Poor IPSec performance

    Locked
    27
    0 Votes
    27 Posts
    16k Views
    I

    Hello Olejack,

    Did you finally solve your issue?
    I'd be very interested as I have the same right now.
    I've tried to lower MTU on the WAN interface configuration but it's not taken into account even after a reboot.
    An ifconfig shows an MTU of 1500 even though I entered 1300.
    I can't find any topic where someone succeeded in modifying the IPSEC MTU.
    I'm considering replacing ipsec with openvpn maybe.

    About commercial support, I've asked once for tinydns support and never had any reply …

    Thanks for your help.

  • Dynamic IP

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    M

    SOLVED

    i have filled the mobile client section, now it works

    thanks for help

  • IPSEC VPN how to?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    Did you check the doc wiki?

    http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.