• Pass DHCP over an IPSEC from 2 pfsense and Win2k3

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    F

    What kind of rules do you have set up?  Depending on the rules you have, you have to add a rule for DHCP to be passed.  You also need to make sure that your DHCP server is set up to relay.  By default it is turned off on Windows 2003.

    RC

  • IPSec Version

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Problem connecting 2 roadwarriors to same pfsense endpoint

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    If anyone has found the solution can they please post it?  I have run across this same issue.  I have tried everything I can think of… nothing seems to fix this issue.

  • ERROR: phase 1 negotiation failed due to time up

    Locked
    6
    0 Votes
    6 Posts
    86k Views
    E

    Well, after pulling my hair out of my head, we decided to use another public address, and then… it worked...
    Thanks, everyone, for your valuable help! :)

    best regards!

  • New firewall no ipsec traffic

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    S

    Well, we contacted the ISP and they say nothing is wrong with the connection.
    I had one location not far away from the fiber site which has monowall running, but did not need to connect to the main site.
    I tried to set up an IPSEC tunnel from there (with monowall) and it worked like it should.

    So now I have a fiber site with pfsense 1.2.3RC1 that cannot transfer data with other pfsense locations (1.2, 1.2.1 and 1.2.2), but can with a monowall site.

    I am totally lost here.

    One of my SDSL routers is also 1.2.3 RC1, so it could not be the version, I guess.

    If I let the csup run, I get this as a result.

    csup -g -L2 /usr/local/etc/cvsup/ports-supfile
    Parsing supfile "/usr/local/etc/cvsup/ports-supfile"
    Connecting to 192.168.1.22
    Connected to 192.168.1.22
    Server software version: SNAP_16_1h
    Negotiating file attribute support
    Exchanging collection information
    Establishing multiplexed-mode data connection
    Running
    Receiver: Operation timed out

    Hence I can remotely ssh to that cvsupd daemon machine and stay connected for more than one hour, giving commands and so on.

    What I also see on the fiber site is the following in a tcpdump on the WAN side of the firewall.
    I do not know if it could be something with that.
    I did the following:
    start the capture, then hit the command csup -g -L2 /usr/local/etc/cvsup/ports-supfile (which connects to 192.168.1.22 on the main fiber side).
    When it says Running I stopped the capture.

    21:25:50.556717 IP (tos 0x10, ttl 255, id 55615, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->c893)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 53, prio 0, authtype none, intvl 1s, length 36, addrs(7): 244.201.250.45,239.151.131.255,91.102.75.234,67.104.75.221,239.214.110.143,61.144.15.165,67.129.197.78
    21:25:50.626712 IP (tos 0x10, ttl 255, id 55361, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->c991)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 54, prio 0, authtype none, intvl 1s, length 36, addrs(7): 56.54.235.42,173.40.246.67,169.202.181.189,144.245.123.176,201.113.242.40,255.220.146.215,47.168.165.213
    21:25:51.276823 IP (tos 0x10, ttl 255, id 52523, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->d4a7)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 0, authtype none, intvl 1s, length 36, addrs(7): 233.106.174.249,155.20.150.202,211.34.143.254,15.186.44.85,158.20.184.87,103.232.91.113,201.21.228.48
    21:25:51.456717 IP (tos 0x10, ttl 255, id 16938, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->5fa9)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 52, prio 0, authtype none, intvl 1s, length 36, addrs(7): 233.153.49.198,230.152.10.223,42.57.100.58,141.190.174.130,26.119.72.102,234.42.140.127,40.41.89.109
    21:25:51.566720 IP (tos 0x10, ttl 255, id 8805, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->7f6e)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 53, prio 0, authtype none, intvl 1s, length 36, addrs(7): 203.193.59.95,236.64.210.109,202.60.129.232,98.65.160.2,188.182.97.39,133.249.204.141,146.127.198.175
    21:25:51.636722 IP (tos 0x10, ttl 255, id 37934, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->da5)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 54, prio 0, authtype none, intvl 1s, length 36, addrs(7): 142.169.150.134,96.208.150.73,59.63.216.151,199.179.137.75,13.57.85.140,44.126.209.202,250.61.160.113
    21:25:52.086603 IP (tos 0x0, ttl 57, id 43754, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x40e), length 92
    21:25:52.096848 IP (tos 0x0, ttl 64, id 65102, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->fcfa)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x34d), length 92
    21:25:52.106606 IP (tos 0x0, ttl 57, id 33443, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x40f), length 84
    21:25:52.126803 IP (tos 0x0, ttl 64, id 60469, offset 0, flags [none], proto ESP (50), length 144, bad cksum 0 (->ef4)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x34e), length 124
    21:25:52.136605 IP (tos 0x0, ttl 57, id 42443, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x410), length 84
    21:25:52.136721 IP (tos 0x0, ttl 57, id 33521, offset 0, flags [none], proto ESP (50), length 128) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x411), length 108
    21:25:52.146781 IP (tos 0x0, ttl 64, id 20094, offset 0, flags [none], proto ESP (50), length 120, bad cksum 0 (->acc3)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x34f), length 100
    21:25:52.156606 IP (tos 0x0, ttl 57, id 10201, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x412), length 84
    21:25:52.156720 IP (tos 0x0, ttl 57, id 7111, offset 0, flags [none], proto ESP (50), length 152) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x413), length 132
    21:25:52.176779 IP (tos 0x0, ttl 64, id 1369, offset 0, flags [none], proto ESP (50), length 120, bad cksum 0 (->f5e8)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x350), length 100
    21:25:52.176794 IP (tos 0x0, ttl 57, id 25585, offset 0, flags [none], proto ESP (50), length 184) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x414), length 164
    21:25:52.176965 IP (tos 0x0, ttl 57, id 56203, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x415), length 84
    21:25:52.186809 IP (tos 0x0, ttl 64, id 37728, offset 0, flags [none], proto ESP (50), length 104, bad cksum 0 (->67f1)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x351), length 84
    21:25:52.186986 IP (tos 0x0, ttl 64, id 65076, offset 0, flags [none], proto ESP (50), length 104, bad cksum 0 (->fd1c)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x352), length 84
    21:25:52.187000 IP (tos 0x0, ttl 57, id 39913, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x416), length 84
    21:25:52.187111 IP (tos 0x0, ttl 57, id 8360, offset 0, flags [none], proto ESP (50), length 120) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x417), length 100
    21:25:52.196772 IP (tos 0x0, ttl 64, id 51020, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->33fd)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x353), length 92
    21:25:52.196786 IP (tos 0x0, ttl 57, id 4520, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x418), length 84
    21:25:52.206605 IP (tos 0x0, ttl 57, id 40382, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x419), length 84
    21:25:52.206720 IP (tos 0x0, ttl 57, id 64645, offset 0, flags [none], proto ESP (50), length 136) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41a), length 116
    21:25:52.216801 IP (tos 0x0, ttl 64, id 37695, offset 0, flags [none], proto ESP (50), length 136, bad cksum 0 (->67f2)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x354), length 116
    21:25:52.226609 IP (tos 0x0, ttl 57, id 27029, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41b), length 84
    21:25:52.226743 IP (tos 0x0, ttl 57, id 15567, offset 0, flags [none], proto ESP (50), length 136) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41c), length 116
    21:25:52.246909 IP (tos 0x0, ttl 64, id 12856, offset 0, flags [none], proto ESP (50), length 200, bad cksum 0 (->c8b9)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x355), length 180
    21:25:52.256608 IP (tos 0x0, ttl 57, id 45255, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41d), length 84
    21:25:52.256740 IP (tos 0x0, ttl 57, id 61108, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41e), length 92
    21:25:52.286735 IP (tos 0x10, ttl 255, id 21571, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->4d90)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 0, authtype none, intvl 1s, length 36, addrs(7): 233.106.174.249,155.20.150.203,76.160.207.216,86.179.189.21,77.227.123.119,46.169.255.8,192.68.9.89
    21:25:52.376795 IP (tos 0x0, ttl 64, id 10790, offset 0, flags [none], proto ESP (50), length 104, bad cksum 0 (->d12b)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x356), length 84
    21:25:52.386611 IP (tos 0x0, ttl 57, id 63728, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41f), length 92
    21:25:52.396781 IP (tos 0x0, ttl 64, id 44904, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->4be1)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x357), length 92
    21:25:52.406607 IP (tos 0x0, ttl 57, id 40878, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x420), length 84
    21:25:52.406722 IP (tos 0x0, ttl 57, id 18343, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x421), length 92
    21:25:52.416778 IP (tos 0x0, ttl 64, id 5916, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->e42d)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x358), length 92
    21:25:52.426607 IP (tos 0x0, ttl 57, id 34180, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x422), length 84
    21:25:52.426720 IP (tos 0x0, ttl 57, id 5273, offset 0, flags [none], proto ESP (50), length 120) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x423), length 100
    21:25:52.436779 IP (tos 0x0, ttl 64, id 47120, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->4339)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x359), length 92
    21:25:52.446606 IP (tos 0x0, ttl 57, id 19897, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x424), length 84
    21:25:52.446720 IP (tos 0x0, ttl 57, id 64944, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x425), length 92
    21:25:52.456782 IP (tos 0x0, ttl 64, id 39268, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->61e5)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x35a), length 92
    21:25:52.456906 IP (tos 0x0, ttl 57, id 39372, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x426), length 1472
    21:25:52.456934 IP (tos 0x0, ttl 57, id 39372, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp
    21:25:52.456947 IP (tos 0x0, ttl 57, id 53480, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x427), length 1472
    21:25:52.456968 IP (tos 0x0, ttl 57, id 53480, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp
    21:25:52.466616 IP (tos 0x0, ttl 57, id 29348, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x428), length 1472
    21:25:52.466638 IP (tos 0x0, ttl 57, id 29348, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp
    21:25:52.466650 IP (tos 0x0, ttl 57, id 59795, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x429), length 1472
    21:25:52.466669 IP (tos 0x0, ttl 57, id 59795, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp

    193.173.XXX.XXX is my faulty fiber site (CARP0). 217.166.XXX.XXX is my other site (in this case fiber also, from the same ISP).
    193.173.YYY.YYY is the WAN address itself.

    On the other side (217.166.XXX.XXX) I do not see those bad cksums.

    I hope someone can shed a light on this.
    And sorry for my poor explanation capabilities in English.

    regards, and thanks for your time reading this
    Johan

  • Roadwarrior issues

    Locked
    10
    0 Votes
    10 Posts
    14k Views
    F

    Hello,

    I appear to be having a similar issue.

    I have 3 PFsense boxes that I manage. All are running 1.2.3-rc1.
    All 3 firewalls are connected by ipsec tunnels over the internet and have mobile IPsec (road warrior) set up. I am using the Shrew Soft VPN client on Win XP SP2.

    If I try to VPN using Shrew Soft to one of the other sites from behind my pfsense box I get the "negotiation timeout occurred" message. If I disconnect pfsense from my modem and plug my computer directly into the public net I can connect fine.

    This happens at all 3 of my sites, so I am assuming that there is a setting that needs to be tweaked in the outbound settings of whatever pfsense box I am behind to allow the connection out.

    Any ideas on what I can check?

  • IPsec VPN PFsense1.2.2 <-> Fortigate 60B (4.0.2)

    Locked
    5
    0 Votes
    5 Posts
    7k Views
    jimpJ

    http://doc.pfsense.org/index.php/PfSense_to_Fortigate_IPsec

  • One stubborn IPSEC Tunnel

    Locked
    5
    0 Votes
    5 Posts
    10k Views
    F

    That's most likely it.  When he restarts his firewall it will come up, but then drops a few days later.  I hope you all will figure it out soon.
    RC

  • IKE the length in the isakmp header is too big

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • NATted through IPSec

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    S

    @hessie:

    I wonder that there is so little interest in that.

    I think there's a lot of interest in NAT VPN but those of us who are interested don't bother posting. We look to see if it is supported and if not we call up and order a router that has it. "natip" as Fortinet uses it is an essential feature for getting into big installations where conforming is not an option. I have no chance of dictating policy to large companies.

    Fortinet Outbound NAT examples

  • IPSec and Symbol Wireless WS2000

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC with GRE from pfsense to Cisco

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • HTTP traffic over IPsec Tunnel

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    V

    Just tried this, but it wouldn't work for me, just as if the tunnel was ignored. Anyone else tried this?

  • Teleworker in same subnet as company, how to config Shrew IPSec client?

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    V

    Thanks for your answers!

    Renumbering the client networks is virtually impossible since we'd like the mobile users to be able to connect from anywhere so you never know what subnet you'll encounter.

    Renumbering our own subnet is also tricky because we're in an Active Directory with six sites and a load of servers (Exchange, DC, fileservers, cvs servers, webservers, etc.). So while it's not impossible it will most likely be quite a feat to renumber our own network. It grew so historically and I inherited it from my predecessor.

    Still I think changing our own subnet is the most sensible thing to do. Thanks for your input.

  • Problems connecting mobile IPSEC client to PFSense 2.0

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    V

    Perhaps too late, but I'll post it here anyway.

    You need to allow these things in your firewall:

    UDP port 500 for IPSec

    protocol ESP (or AH if set that way)

    UDP port 4500 for NAT-T

  • Roadwarrior IPSEC VPN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M

    Worked perfectly! Followed the tutorial and all was up and working. Thank you very much for your work.

  • Kernel panic with RDP over IPSEC

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    F

    I have tried wireless and from remote to mine with rc1 no issues here.  Just make sure you have all the patches loaded.

    I am running 1.2.3.

    RC

  • IPSec Mobile User System Logs

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    With Mobile IPSec, you generally hardcode a client's IP address in the client configuration, so you'll have some idea of which one is which.

    If you have the Dashboard package installed, I've fixed it so the IPSec status widget properly shows the status of mobile clients which are connected. It will list the peer IP address as well as the VPN IP address for the client. Unfortunately, as far as I can tell there is no way to see which client is which based on the identifier. I'd really like the ability to match them up that way as well.

    I'd say you should check out OpenVPN, but I don't think that it has a means of getting that sort of information either, at least on 1.2.x.

  • Racoon: ERROR: not acceptable Identity Protection mode

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Very cool VPN device - Could be used instead of vpn client!

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K

    Ouch!!!!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.