Anyway to tell pfsense to just reconnect if a failure happens?

@breakaway:

Hello,

I have 192.168.254.0/24 at Site A, and 192.168.253.0/24 at Site B.

Site A pfSense has 3 interfaces.

WAN – Static IP from my ISP
LAN -- 10.0.0.0/24
OPT1 -- 192.168.254.0/24

Site B pfSense has 4 interfaces

WAN -- static IP from my ISP
WAN2 -- static IP from my ISP
LAN -- internal stuff (not relevant to this)
OPT1 -- 192.168.253.0/24

I've got a tunnel up between OPT1 (Site A) <-> OPT1 (Site B)

I am wanting all traffic that goes into OPT1 at Site A to be directed through the IPSEC tunnel to OPT1 at Site B. Site B contains NAT rules to allow 192.168.253.0/24 to access the internet.

What sort of settings do I need on the tunnel @ Site A pfSense to make this happen?

PS, I've found a guide on how to send ALL traffic through the IPSEC tunnel but this is not what I want – I just want traffic out of OPT1 to go through the IPSEC tunnel.

Out of curiosity, have you tried setting up an additional phase 2 entry on the tunnel config at Site A to Site B for Source=OPT1 Net, Dest=Net 0.0.0.0/0?

In theory this would tell all the traffic at Site A that is not local to route through the tunnel. On the other end, you likely don't even need a complementary Phase 2 entry.

If you do this, keep in mind that you may need a firewall rule for IPSec traffic at Site B to allow this traffic in order for it to work.

I corrected an important mistake in my last post.  It is the overview ipsec page that shows the incorrect IP (shows the IP Alias instead of the Carp IP).  The SAD page shows the correct IP (Carp IP).

my problem is solved.

The problem was the opening of the ports on the FW for the ESTABLISHMENT VPN . Port 500 and 4500 was open for the VPN but other port were necessary so the traffic did not pass but the VPN was seen as up .

Thanks heaps!! that worked perfectly! ;D

NAT has nothing to do with it. NATing IPsec connections is possible, but it does nothing for this scenario.

It'd have to be routed in a means that isn't currently supported with IPsec. Might be possible with MLPPP over OpenVPN.

@filnko:

Have you tried today's snapshots?
There have been some recent problems with IPsec under 2.2

Sure enough, one more reboot - did it.  That's exactly what seems to have cured my issue, for whatever reason the NAT statement solved itself after a second reboot.

THANK YOU.

At both ends I have allow all rules for IPv4 and IPv6 traffic.
From the PBX I can ping the phone, and reach it's web interface.

Didn't test from the clients pc on main office Side yet though. Can try that tomorrow.

it is the field "Peer identifier" select  "IP adress" and enter Remote ID

i have found the solution. The hint in this topic was a great help regarding the NAT. After doing as he advised, it worked straight away

https://forum.pfsense.org/index.php?topic=81573.0