• Ipsec can't login on pfsense 2.2.3

    1
    0 Votes
    1 Posts
    622 Views
    No one has replied
  • 0 Votes
    3 Posts
    952 Views
    S
    Hi cmb, thanks, I have to restart the system and then wait for the error. Thank you, Thomas
  • VPN from Cisco with redundant wan to pfSense

    2
    0 Votes
    2 Posts
    794 Views
    C
    You can check the "responder only" on phase 1 to accomplish that part of it.
  • Mobile VPN Users accessing Secondary Site over existing IPSEC Tunnel

    1
    0 Votes
    1 Posts
    603 Views
    No one has replied
  • L2TP Problem with CISCO

    2
    0 Votes
    2 Posts
    1k Views
    E
    Anyone? I'm still trying to get this thing working…. Thank you!
  • VPN ipsec with one end using dynamic ip changing every 12hours

    9
    0 Votes
    9 Posts
    3k Views
    Z
    Hi, sorry for the delay. The pfSense will be deployed under ESX on a DualXeonE5-2630V3 64GB RAM; the server will also contain 2 VMs for media delivery and proxy. I was thinking of only one concentrator, didn't know of the existence of hardware crypto accelerators. 100mbps of throughput is required over VPN. Will this hardware suffice? Server specs: https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339 The peers are Cisco using VPN IPsec LAN-to-LAN with X.509 certificates. Edit: read about AES-NI, will this boost even if using 3DES/SHA?
  • IPsec Mobile Can Only ping router on lan

    2
    0 Votes
    2 Posts
    623 Views
    C
    Is that system the default gateway on your LAN? Can you get out to the Internet via that VPN, just not to your LAN?
  • IPSEC VPN with MAC ACL in a Switch

    3
    0 Votes
    3 Posts
    1k Views
    C
    The MAC of your machine is only locally-significant. Your traffic from the VPN, when it gets to your LAN, is sourced from the LAN NIC MAC of the firewall. Allow its MAC (see Status>Interfaces).
  • IPSec Tunnel Won't start after reboot; needs manual starting.

    3
    0 Votes
    3 Posts
    936 Views
    A
    OK Thanks; I will try that. Alfredo.
  • IPSec borked on 2.2.3-RELEASE for mobile

    9
    0 Votes
    9 Posts
    3k Views
    R
    @dharrigan: Hi, Very similar. I've updated the bug report with the configuration I have, along with a log file of the connection attempt. -=david=- I had the exact same config.
  • How to set site to site on pfsense 2.2.3?

    1
    0 Votes
    1 Posts
    616 Views
    No one has replied
  • IPSec Site to Site from Zywall

    5
    0 Votes
    5 Posts
    2k Views
    C
    You're sending traffic out, but the other side isn't replying. Likely the other side is blocking your requests, either on the Zywall, or on the destination host (host firewall).
  • [Solved] IPSec 2.2.2 -> 2.2.3 Connected but no traffic

    16
    0 Votes
    16 Posts
    4k Views
    Y
    I just disabled AES-NI and rebooted and it works for me as well.  We have dual redundant firewalls as they are production, so I will wait to update the second one entirely until 2.2.4 is ready.  I hope that is soon; disabling AES-NI seems to have a performance impact on our OpenVPN tunnel performance, as I suppose one should expect with AES-CBC. :P
  • IPSEC VPN with local subnet NAT

    3
    0 Votes
    3 Posts
    888 Views
    S
    Thanks for the help, but I already figured out this problem.
  • 0 Votes
    3 Posts
    983 Views
    V
    @georgeman: Hi guys, let me outline some issues I have found with RSA IPsec, which I already debugged, found the cause, workarounds and reported the bugs  ;) georgeman, thank you, thank you, thank you! I did suspect it was a data matching problem, thanks for proving it.
  • PFSense 2.2.2 L2TP/IPSec Setup Issues

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec/L2TP on 2.2.3 broken?

    4
    0 Votes
    4 Posts
    2k Views
    D
    https://redmine.pfsense.org/issues/4791
  • [SOLVED] How can I route loopback traffic through an IPSEC tunnel

    3
    0 Votes
    3 Posts
    2k Views
    G
    Thanks a lot Delict!!! Right to the point. It works perfect now, the pfSense box can reach all the other sites' subnets.
  • DYNAMIC PUBLIC IP in pfSense IPSEC?

    2
    0 Votes
    2 Posts
    1k Views
    V
    It is possible to do this. Probably the easiest way is to ensure that you have resolvable DNS hostnames for each public facing endpoint interface. I use a DynamicDNS provider with pfSense. Get this working first. Don't use any public IP addresses in your Phase 1 config unless they are static IP addresses. Use the DynamicDNS hostnames instead. E.g. on one end…
    Remote Gateway: farfaraway.dynamic.dns
    My Identifier: Distinguished Name: thisbox.dynamic.dns
    Peer Identifier: Distinguished Name: farfaraway.dynamic.dns
    Pre-Shared Key: OurSecret
    on the other end...
    Remote Gateway: thisbox.dynamic.dns
    My Identifier: Distinguished Name: farfaraway.dynamic.dns
    Peer Identifier: Distinguished Name: thisbox.dynamic.dns
    Pre-Shared Key: OurSecret
    The Phase 2 configs will have the IP network addresses of your internal network, typically private addresses. No dynamic dns required here.
  • Imported certificates with passphrase for private-RSA-Key

    5
    0 Votes
    5 Posts
    2k Views
    V
    cmb, is there a current howto for setting up a site-to-site IPsec VPN using RSA certs on pfSense 2.2.3? I found my own way of doing this by experimentation and it's been working fine up to 2.2.2, but I can't get certs to work on 2.2.3. PSK works OK. I wondered if the problems I have with certs not working on 2.2.3 are actually a misconfiguration that didn't cause a problem in earlier releases.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.