Aye, that may be. We've got a heavily virtual environment so for us its zero marginal cost to spin up another VM for that purpose. Though I am intrigued by OpenVPN. That it can export a setup executable is really cool. I might just go with that instead. Other thoughts?

chflags schg filename If you want to be sure that command changed attributes correctly: ls -lo filename -rw-r–r--  1 root  wheel  schg 193 Aug  1 09:20 filename After, if you need to change it again, it will be sufficient to remove protection attributes with: chflags noschg filename

Do both of your WAN interfaces have the same gateway, perhaps?

I am having the same problem with this, it will not re-establish from CISCO side, no problem from pfsense to CISCO site

I lately had repeated problems with IPsec tunnel (well doing over months), that after the provider did some "service" the tunnel was not functional (no ping, no data passing) for some hours, although the tunnel was successfully established according to racoon protocolls on BOTH sides. Strange, strange, maybe NSA had no capacity to handle more man-in-the-middle? :)

I've put accept on all interfaces and log, but no logging of drooped or accepted udp packets. At closer look to the UDP packets I could see that the frame header has the 802.1Q part with VLANID 0. The old router accepted this packets, but not pfsense.

I'm honestly surprised that they can block OpenVPN. We have ours setup so it tries UDP on a weird port –- If that doesn't work it will revert to TCP port 443 so it is very difficult to distinguish from HTTPS. Even if you can't make a tunnel with SSH, I'm sure you can make an SSH tunnel back to a server that can handle SSH tunnels. Honestly we stopped handling OpenVPN on PFSense due to everyone being disconnected when the firewall fails over.

@craggy: I've tried everything I can think of but no way can I get this to work. no matter what I do I cant get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a wan or lan interface. is this a bug in pfsense 2.1 or am I doing something stupid? please can someone help, I really need to get this working. Another way to do this would be to use a larger subnet on the first Phase 1 of the WAN. I.E. You have 3 networks: 192.168.100.0/24 A 192.168.101.0/24 B 192.168.102.0/24 C So when you setup the phase 2 for A to B, on the B side you set the remote WAN to 192.168.0.0/16

Worked perfectly! A thousand thanks for your help! Kind regards Beach

First of all turn OFF the Windows firewall, then test something.

Hmm, that looks like a fairly dead end… Well, i'll have to go with openVPN then. Thanks.

Hi Daniel, please clarify your setup. Do you have a dual WAN box? Do you have WAN1 as default gateway and want IPSEC tunnels to go through WAN2? Regards,   Corrado

**FIXED ** I got the issue on 2 tunnels out of a dozen. Apart log flood, the tunnels get stuck after a few weeks. The affected tunnels originated from the same ISP. I fixed the issue disabiling NAT-T. UDP encapsulation of IPSEC (NAT-T) kicks in as soon as NAT is detected, despite many SOHO routers can forward ESP when properly configured. I suggest to always try IPSEC without NAT-T first. If it works you save 8 bytes / packet (no extra UDP header) and lower the chances to get packets fragmentations (seems IPSEC MTU is not adjusted subtracting 8 bytes when using NAT-T). Regards,   Corrado

Hi Silvertip, if I understand you mean that when I disable a tunnel, save changes, re-enable and save changes again I'm actually bouncing all tunnels twince. If so I agree it is faster to restart Racoon once.

Did you create a firewall rule on the pFsense on the IPSec tab?

In the pfSense cert manager you can export the ca+cert+key as a .p12 natively. It's the third down arrow ("v") in the cert manager list. The author of the Shrew Soft client (mgrooms) used to be a pfSense dev and last I heard he's pretty responsive and willing to fix things.

You just set the phase 2 to match the node IPs on either end. In 2.1 you can do the specify an address to NAT your internal node to below where you enter the real ip.

You do not need public cert I don't see in your environment AD CS, and this is bad configuration AD+VPN+File Sharing (for users files) on one server, also physical AD this is very bad solution, today you can clone AD! Use microsoft tool CMAK, with this tool you can create Installer for VPN user connection and all needed scripts, adding certs, registry modifications, routes etc. Users just need to install that. Don't see a problem using pfSense + Srv 2012 VPN L2TP/IPSec + Adding registry keys using CMAK (Connection Manager Administration Kit) Or pfSense + Srv 2012 + SSTP VPN + Adding Root CA certificate using CMAK (Connection Manager Administration Kit) CMAK http://technet.microsoft.com/en-us/library/cc726035.aspx In server 2012 R2 you can setup Work Folders, this is exactly for your needs…