• IPSEC and Bandwidth capping.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec VPN and NAT

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • All routes through IPSEC tunnel and a static route for another network

    Locked
    1
    0 Votes
    1 Posts
    5k Views
    No one has replied
  • Road Warrior IP address

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Problems with IPSEC to multiple branches

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    B

    Yes, I did (ping to remote gateway LAN address), but only from branch to HQ because the branch has no full-time connection.

  • [pfSense Support] IPSec Behind NAT Device

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    P

    Hello,

    I've checked the release notes and I think that IPSec NAT-Traversal (feature you need here) is only supported in version 2.0.

    Hope this helps.

  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • One Way Traffic on Site-to-Site IPSEC (Both pfSense Endpoints)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    I have run into this same issue on my 6-site VPN setup. I can access all of the sites from my main location, and from some of the sites I cannot access the main site.

    I only have pfSense at the main location, so I believe it's something to do with firewall rules.

  • IPSEC problem - routing?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Pfsense multiwan and ipsec tunnels

    Locked
    13
    0 Votes
    13 Posts
    10k Views
    S

    @dotdash:

    I'm out of ideas at this point. Why don't you post the <ipsec> section of your config?

    Because I have a lot of IPSec config, I'm sure about this part and I checked it 100 times…
    I'm trying to know why the conf file doesn't update.

  • Static to dynamic behind router and pfsense has class C

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H

    I have been searching and searching the posts. I will rephrase and ask this question. I also thank anyone that will reply and give me some kind of hint.

    Can you connect this setup via an IPsec tunnel?

    Main site: pfSense has an external IP address, normal tunnel setup. Behind this are 2 class C IP address ranges connected to a Cisco 3550xl with routing turned on. The internal side of the pfSense is on a separate class C that is also connected to the 3550xl. The tunnel or tunnels need to route traffic from the 2 class C networks on the 3550xl through to the other side of the tunnel.

    Remote site: pfSense is behind a provider router (minimal changes can be done to this router); this router also has forced NAT. The pfSense has a class C WAN address (192.168). It also has class C internal addresses. The internal flat network needs to connect to the other networks at the main site via the tunnel(s).

    I have static routes on the main site pfSense so the 2 class C internal networks can reach the internet. The remote site works normally with the normal settings; however, I cannot get the tunnel to connect. I have done a test setup with 2 external IP addresses with the same hardware and the tunnel works.

    Can you tell me if it is possible to set up a tunnel at a remote site that is behind a router with NAT and the remote site pfSense has a class C WAN address?

    Here is an error from the logs from the main site.

    1 10. 009466 rule 33/0(match): block in on fxp1: (tos 0x0, ttl 64, id 11377, offset 0, flags [none], proto: UDP (17), length: 320) 192.1xxx.xxx.xxx > xxx.xxx.xxx.xxx: [|isakmp]

  • End-to-End VPN Tunnels

    Locked
    2
    0 Votes
    2 Posts
    6k Views
    D

    If I use my IP address, I am able to get it to connect without a problem; however, since my IP changes I need to be able to use my DDNS. My boss actually caught this: the 'unya' is actually part of my DDNS name of: dbUNYArd.homeip.net. Is there something I am missing here?

  • IPsec Gateway-To-Gateway pfSense-to-Cisco PIX515

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    dotdash

    I've done a couple of pfSense-PIX tunnels and haven't had problems.
    I generally use aggressive/3DES/SHA and set the PFS group at 2.
    You might also want to post the crypto section of your PIX config.

  • Strange IPSec packet loss on net5501-70

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IP Sec Tunnels not stable

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    I might add, after doing a little testing and some research, that it worked perfectly for months and months on AT&T 6 meg / 768k DSL, and I upgraded to Uverse 10 meg / 1.5 meg and that's when I started having the problems. I am not sure why, but it's like I have one-way communication and there is something wrong with the phase 2.

  • Strange this happening

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    J

    Creating only a one way tunnel worked for me.

  • Microsoft ISA VPN 2006

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    P

    OK.

    I don't know if you can make a lab to test IPSec between ISA and pfSense without NAT…

    Last but not least, I think NAT-T is supported since v1.3 on pfSense... Right?

  • IPSec and RIP

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    A

    I've been playing with this again today, and discovered that I must have broken something last time.

    I'm now seeing RIPv2 advertise packets when I sniff, but they don't contain any reference to the IP range at the other end of my IPSec tunnel.

    Here's an example packet, decoded by Wireshark.

    No.    Time        Source                Destination          Protocol Info
          7 180.006426  10.0.1.250            224.0.0.9            RIPv2    Response

    Frame 7 (106 bytes on wire, 106 bytes captured)
        Arrival Time: Oct 29, 2008 16:43:18.834316000

  • IPSec Point to Point VPN Trouble

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Realvnc problems within ipsec

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P

    @moffl:

    Sorry:

    I worded it wrong; it is actually configured on the home side for the remote LAN subnet.

    So if I understand your config:

    Remote site:
    You have a rule permitting anything. So, something like this:
    any -> any permit.

    Home site:
    You have a rule permitting anything from your LAN. So, something like this:
    Home LAN -> any permit

    Am I right? If so, can you ping the server you're trying to reach with VNC?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.