• Tunnel established but no traffic passes

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    J

    I have this working one way now. The server from behind the pfSense box can map drives, copy files, remote desktop to a server behind the Fortigate. So if that server initiates the connection everything works. However, if the server from behind the FortiGate tries to initiate a connection it does not work.

    By looking at a tracert, it appears that once the packet gets to the Fortigate, it does not know where to go.  I just get "Request timed out".

    I think it is a Fortigate routing issue and I am going to keep fiddling with it.  ???

    -John

  • Can't ping some hosts

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG

    Well you "could" place pfSense in front of your other default gateway (WAN side), so that all traffic has to go over pfSense.
    Or you could add static routes to all your clients which need access to the other site.
    But I suppose that's not really what you want ^^

  • IPSec Tunnel Disables Interface??

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D

    @fastcon68:

    Check your ipsec rules, icmp may not be allowed to pass.
    RC

    No, I'm fine passing traffic over the tunnel.

    It's when the IPSec tunnel is enabled, I can't pass any traffic from pfSense to any of the IPs assigned to the LAN interface.

    For example, any device on the LAN can't ping the pfSense IP of "10.27.0.1" when the ipsec tunnel is up.

    IPSec Tunnel -> pfSense -> LAN Device

    So between pfSense and the LAN Device is broken.

  • High Latency Suggestions and IPSEC link

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    S

    Thanks, and I did suggest that to the SQL developer who I am assisting. My suggestion was to create a DTS package in MySQL and FTP out to the MSSQL, then import that DTS package into MSSQL. Not sure if MySQL has that capability. I know that there is only a certain table that the developer needs to pull from MySQL into MSSQL - not entire database. Could you explain exactly how you do it and what methods or scripts helped you? Thanks.

  • IPSEC VPN with 3005 Cisco VPN Concentrator

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    K

    @databeestje

    Thanks for the response!

  • IPSec Mobile clients wont establish - ALIX 2 units

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    12 Posts
    45k Views
    H

    Fine  :D

  • IPSEC with numerous partners

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    1. OK, at least 10 IPSEC partners

    2. Can you at least provide another vendor you may also be using (i.e. Cisco plus model, SonicWall plus model, etc.)

  • IPSec errors in log

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H

    Please search also this forum… ipsec works in 1.2 as it should from pfsense to pfsense....

  • Access to other workgroup over VPN conections

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    No.
    workgroups are based on UDP broadcasts.
    Broadcasts won't go over a router.

    But you can access windows shares directly via the IP.

    So while you cannot access a workgroup, yes you can access windows-shares.

  • IPSEC connected but wont pass HTTP or RDP kindof

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    dotdashD

    AFAIK, running with the MTU at 1400 should not cause any issues. Your box will have to work slightly harder, but unless your hardware is already running near capacity, it shouldn't be a problem. Ideally, you could get the equipment that is causing the issue fixed and set the MTU back, but this is not always possible. I would trace the route and do some tests. With more specific information, it might be easier to get your ISP to investigate. As for the remote sites, they should be fine with their default MTUs.

  • Ipsec tunnel disconnecting (auth using certificates)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Ipsec with SA established, but NO traffic

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    H

    Ipcop and pfsense work as they should in 1.2 release. I think you should check your config again… Is your ruleset in pfsense OK?

  • Problems with outgoing connections via ipsec

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec to Cisco 3500 Concentrator

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    T

    Got it! It was a problem with NAT-T on the Cisco side. Got the remote admin to send me some screenshots and was able to get him to enable NAT-T traversal on his end. So the current working config is:

    Local Subnet ---- pfSense ---- Internet ---- Cisco PIX Firewall ---- Cisco VPN Concentrator ---- Remote Subnet

    Thanks for the help!

    -THX2000

  • IPSEC and Internet on Internal Network

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    K

    I am unclear of what you want.  Do you want to send internet traffic through the client vpn connection so that to access the internet you have to do so via the pfsense gateway?

  • IPSEC through NAT

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    H

    I think NAT-T isn't working XOR supported in 1.21!

    If NAT-T works in 1.21 would be a new information for me…....

  • IPsec using public IP addresses

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    Nobody knows if it is possible to connect two servers with NAT'ed WAN addresses?

  • Dynamic DNS endpoints and IPSEC Tunnels

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    F

    If you have multiple dynamic tunnels how would that affect the script?
    rc

  • Central Office - Two Sattelite Offices - IPSec

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    D

    The tunnel takes care of the routing between the sites of the tunnel. The network 10.1.x.x will know where to find 192.168.200.X. For the 10.2.x.x network you will need to add a static route (no commands, just add it in static routes in the GUI). It should look like: subnet 10.1.x.x /16 gateway central office.

    Do the same on the 10.2.x.x end and make sure that the rules allow the traffic!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.