Have a look at http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/

We did some IPSEC improvements in RC2 but they shouldn't affect establishing of a tunnel. I just wondered what your specs are as we had some funny effects with 64 MB RAM hardware at the hackathon where racoon exited too due to full memory but that shouldn't be the case with your boxes then.

It's only debug output.

Yep, you can.

I'll try to test this option soon with the latest build.

Actually, the openvpn trafic orignating from pfSense cannot take advantage of the load balancer.
In order to have a functionnal(FAIL-OVER ONLY) setup on a single box, here's what we did:
If the tunnel goes down, add a route to direct OpenVPN trafic to the other gateway (ISP2)
In the openvpn client configuration, add to the custom options:
up-restart;up /var/etc/yourscript.sh

Idealy, the script should be linked to the load balancer (for the monitor IPs)
So, there is follow-up in http://forum.pfsense.org/index.php/topic,1650.0.html for the load balancer scripting…

mtoadmin

I really don't know, haven't played around with such a config yet.

We don't support old versions. Upgrade to the latest RC1 snapshot. If the problem still exists raise your voice again. The version you are using is outdated since month and a lot of things have been changed that might resolve your issue.

See http://forum.pfsense.org/index.php?topic=1580.0 for a similiar scenario.

Is this something that can be done for a fee?  Is there an alternative solution?  This would be a very helpful feature.

Thanks

Yeah, had sth like the mentioned question at some customers location. That was really weird, as you sat in the net of, let's say #2 and #1 transferred large amounts of data thorugh #2 to subnet #3. The guys'n'gals at location #2 always wondered, why their net connection is that damn lame ;)

For the sake of bandwith you should really consider Hobas recommendation :)

Is this going to be standaard feature in Pfsense 1.0?

@sullrich:

It may or may not be.

Try to setup an ipsec tunnel using x509 certificates (preshared key works fine), if it works for you is a my misconfiguration, if not is a bug

@cheech:

Running with floppy config a tunnel went down and would not come back up. I checked the configs and somehow the lifetimes had been cleared on both sides. Not a user error I have saved the configs and they clearly specify the key lifes.

The storage medium of config.xml has absolutely nothing to do with this.

@cheech:

WRV54G will not re-establish tunnels to pfsense if the tunnel goes down without resetting the tunnel on this Linksys device. It has no problem re-establishing tunnel to other devices. I'm going to replace this with a pfsense box anyway…

System -> Advanced -> Prefer old IPsec SAs  -> check it.

No support lol. I am more interested in learning/understanding how this works or doesn't work. I setup another VPN at home and this works on and off. I realize this is nothing to do with pfsense and is a general networking/windows issue. What I come up with is that the application relies on the browser service. If I do a net view and see all the PC's then everything is fine but this is up an down for some reason:

In addition to acting as the local master browser, the primary domain controller also acts as the domain master browser, which ties subnets together and allows browse lists to be shared between master and backup browsers on separate subnets. This is how browsing is extended to function beyond the local subnet. Each subnet functions as a separate browsing entity, and the domain master browser synchronizes the master browsers of each subnet. In a Windows-only network, browsing cannot function across subnets unless a Windows NT/2000 PDC exists on the network.

Most VPN routers do allow the use of a FQDN to identify an endpoint. The domain would have to be hijacked + the key obtained. Is specifying an IP only and not FQDN a "feature" of pfsense security or just something that hasn't been implimented / considered for implimentation? Fortunately my dynamic IP's stay until modem is reset. I might just replace those devices with pfsense boxs anyway…