That should just be a matter of pushing the correct routes and having the right firewall rules. Certainly I have done that using OpenVPN without problems.
I got it working, most clients can connect some can't due to their firewalls. I've verified IPSEC passthrough is enabled but that doesn't matter. I've tried to enable NAT-T but then nothing works. It breaks IPSEC completely on the pfsense box.
Also, the ones that do work require me to set static DNS; if I enter the DNS servers on the DNS tab of the Shrew client it doesn't work at all. Any thoughts? When will there be a solid road warrior implementation of IPSEC? Will there be one, or is OpenVPN expected to replace it?
Currently, you have to manually fail over. I have disabled tunnels set up on the second WAN. When the main WAN fails, I disable the primary tunnel and enable the backup. I set this up a while ago and remember having to set static routes to get it working; I'm not sure if this is still needed. Search a bit on ipsec failover or some such.
I have the same (or similar) issue. pfSense 1.2.2 -> Fortigate FG-500A cluster. Tunnels come up fine, but when the P2 key lifetime ends, the tunnels go down. I checked both configs and they are equal. Any ideas?
Forgot to mention that I am running MR6 P3 on the FGs and that disabling and re-enabling IPSEC on the pfSense solves the issue. Should I maybe schedule a CRON job that does that in conjunction with the P2 expire?
I'm not sure w/ ipsec, but it is definitely possible via openvpn (ssl).
see: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
Unfortunately these settings don't work. I have a green OK indication on both sides, but after a minute the communication is down. I can't understand why. I have already done other IPCop and pfSense IPsec tunnels with no problems, but not with the pfSense 1.2.2 version. I found this in my IPsec logs (pfSense side):
Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3865395393(0xe66540c1)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=184063618(0xaf89682)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:45 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 9 11:09:45 racoon: INFO: received Vendor ID: RFC 3947
Sep 9 11:09:45 racoon: INFO: begin Identity Protection mode.
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=55126245(0x34928e5)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:11 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 9 11:09:11 racoon: INFO: received Vendor ID: RFC 3947
Sep 9 11:09:11 racoon: INFO: begin Identity Protection mode.
Sep 9 11:09:11 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:10 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
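One way to triage a racoon log like the excerpt above, as an added example that is not from this post or from pfSense: it parses each line, counts phase-1 establish/expire events and pfkey DELETE errors per tunnel, and flags churn when the ISAKMP-SA is re-established sooner than a chosen lifetime (the excerpt shows a roughly half-minute cycle). The sample log is constructed from the quoted lines, and the threshold value is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample, modelled on the racoon lines quoted in the post (peer names abbreviated as the poster did).
SAMPLE_LOG = """\
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) racoon: "
                     r"(?:\[(?P<tunnel>[^\]]+)\]: )?(?P<level>INFO|ERROR): (?P<msg>.*)$")

def parse_racoon_line(line):
    """Split one racoon syslog line into (timestamp, tunnel, level, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")  # year-less; deltas only
    return ts, m["tunnel"] or "-", m["level"], m["msg"]

def analyze_racoon_log(text, min_expected_lifetime=300):
    """Per tunnel: phase-1 establish/expire counts, pfkey DELETE errors, and a churn flag
    when two ISAKMP-SA establishments arrive closer than min_expected_lifetime seconds (assumed default)."""
    stats = defaultdict(lambda: {"established": 0, "expired": 0, "pfkey_deletes": 0,
                                 "min_rekey_interval": None, "churn": False})
    last_established = {}
    for line in text.splitlines():
        parsed = parse_racoon_line(line)
        if parsed is None:
            continue
        ts, tunnel, level, msg = parsed
        s = stats[tunnel]
        if msg.startswith("ISAKMP-SA established"):
            s["established"] += 1
            if tunnel in last_established:
                gap = (ts - last_established[tunnel]).total_seconds()
                prev = s["min_rekey_interval"]
                s["min_rekey_interval"] = gap if prev is None else min(prev, gap)
                if gap < min_expected_lifetime:
                    s["churn"] = True
            last_established[tunnel] = ts
        elif msg.startswith("ISAKMP-SA expired"):
            s["expired"] += 1
        elif level == "ERROR" and "pfkey DELETE received" in msg:
            s["pfkey_deletes"] += 1
    return dict(stats)
```

A churn flag with a rekey interval of tens of seconds points at a phase-1 lifetime mismatch or a peer tearing the SA down, which is where to compare the two sides' P1/P2 lifetime settings.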
I am using the 2.1.5 BETA RC2 (not even latest one; haven't tried latest one yet released a few days ago) on RTM release of Windows 7 and I can connect to all of my pfSense FW at 4 different companies (2 T1's and 2 DSL) - just works.
It turns out the problem with the Cisco VPN client wasn't a problem, wifey didn't remember her passcode right…
Anyway, the Watchguard Mobile VPN is still not working.
I have set up a few rules in the firewall: allow all communication on ports 500 and 4500 from any to any, and allow the ESP and AH protocols from any to any. All four rules are under the "WAN" tab in the Firewall rules table page in the webGUI. Do I need anything under the "LAN" tab?