• Pfs - ASA poor performance

    0 votes, 1 post, 806 views, no one has replied
  • Route HTTP traffic to a remote gateway.

    0 votes, 2 posts, 608 views

    I figured it out. Thanks for the help…

  • MOVED: Ipsec vpn Net to Net proxy server

    Locked, 0 votes, 1 post, 621 views, no one has replied
  • Ipsec in pfsense 2.1: different ipsec tunnels based on user

    0 votes, 2 posts, 767 views. Reply from jimp:

    In the current implementation, no.

    If you want multiple separate security levels for mobile users, you'll need OpenVPN.

  • PFS <> ASA IPSec tunnel help

    0 votes, 23 posts, 9k views

    Here you go:

    [2.1-RELEASE][admin@sipsense.localdomain]/root(3): grep esp /tmp/rules.debug
    pass  in  quick  on $WAN reply-to ( rl1 24.118.172.1 ) inet proto esp  from 63.238.x.x to any keep state  label "USER_RULE: Allow ESP from XRD ASA"
    pass out on $WAN  route-to ( rl1 24.118.172.1 )  proto esp from any to 63.238.x.x keep state label "IPsec: XRD ASA - outbound esp proto"
    pass in on $WAN  reply-to ( rl1 24.118.172.1 )  proto esp from 63.238.x.x to any keep state label "IPsec: XRD ASA - inbound esp proto"

  • IPSEC between two devices on the same public subnet?

    0 votes, 1 post, 753 views, no one has replied
  • Config Conversion - half right (half not yet right…)

    0 votes, 1 post, 989 views, no one has replied
  • Route some traffic through ipSec site to site

    0 votes, 1 post, 720 views, no one has replied
  • Banning or throttling users making invalid connection attempts?

    0 votes, 1 post, 957 views, no one has replied
  • Use remote gateway when IPSec VPN connected

    0 votes, 2 posts, 992 views

    @mrcola:

    I have two pfSense/Monowall boxes connected using an IPsec VPN. I am wondering if I can use the remote gateway as the default gateway.

    site A LAN 192.168.50.0/24, default gateway 192.168.50.1, WAN example1.com
    site B LAN 192.168.60.0/24, default gateway 192.168.60.1, WAN example2.com

    site A's machines can access 192.168.60.0/24 and vice versa

    Is it possible for me to set the default gateway on some of site A's machines to 192.168.60.1?

    Thanks and Regards RW

    Hi RW,
    If you set a "local" user to the gateway on the "remote" network, you may lose the ability to talk on the network. Are you attempting to force some clients to route out of the remote network while still having some local clients route out of their local network?

    If so, just wondering… what do you intend to achieve from this?

    -E

  • IPsec does not work, force restart Racoon

    0 votes, 2 posts, 3k views

    @Meezy:

    Hi,

    I installed and configured pfSense with a VPN tunnel between two sites.
    I use IPsec; it worked correctly for several months.

    But in recent weeks I have had problems: the VPN goes down twice a day, and I have to force a restart of the racoon service for it to work again.

    I have some logs:

    racoon: ERROR: pfkey UPDATE failed: Invalid argument
    racoon: ERROR: such policy already exists. anyway replace it: xxx.xxx.xxx.xxx[0] xxx.xxx.xxx.xxx[0] proto=any dir=in
    racoon: INFO: unsupported

    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: begin Aggressive mode.
    racoon: [Self]: INFO: respond new phase 1 negotiation: [xxx.xxx.xxx.xxx][500]<=>[xxx.xxx.xxx.xxx][500]
    racoon: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    racoon: [xxx.xxx.xxx.xxx] ERROR: failed to get valid proposal.
    racoon: ERROR: no suitable proposal found.
    racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-T version: RFC 3947

    Hi Meezy,
    Double-check your settings on both sides of the tunnel for lifetime.
    Also make sure both sides are set in phase 1 for either Main or Aggressive.

    I have had something similar happen where, as long as one site would initiate, the tunnel would still work even if there was a mismatch of Main/Aggressive.

    -E

  • Vpn for local network

    0 votes, 1 post, 640 views, no one has replied
  • Pfsense Fibre Ipsec tunnel issue

    0 votes, 3 posts, 1k views

    And now after 2 days that same server only has 2 tunnels up.

    Is there perhaps some timeout setting for an IPsec tunnel, or some routine which should automatically try to bring the tunnel back up if it drops off?

  • Bluecoat vpn targeting specific ports

    0 votes, 2 posts, 1k views

    Perhaps ipsec+SPD is broken. I have tried every way to target a specific port, and no workey. Plus, pfsense forces gloves on to do any low-level stuff, using the xml to rewrite the rules on racoon restart.

    Rapidly losing faith in pfsense…

  • User with ldap Over IPSEC

    0 votes, 1 post, 876 views, no one has replied
  • Ipsec Tunnel down when one of multi wan down

    0 votes, 2 posts, 875 views

    What does your system log show at the time that happens?

  • Accessing both ends of ipsec tunnel using road warrior setup

    0 votes, 3 posts, 1k views

    Last bump, I was able to resolve this, so I figured I'd leave the solution in case it helps anyone else in the future.

    The issue, as suspected, was routing: packets didn't know, once they left the office through ipsec, how to get back. I needed to go back into the ipsec setup and pass the new OpenVPN virtual tunnel subnet through as additional phase2 entries. Once I did this, everything started working smoothly, and we no longer have problems.

  • IPSec - Error message

    0 votes, 2 posts, 7k views. Reply from jimp:

    It means you have a settings mismatch. The other side is attempting to inform you of that but it's sending a message in a format that racoon can't interpret.

  • IPsec and routes redistribution

    0 votes, 1 post, 1k views, no one has replied
  • Static Virtual IP for remote IPSec device

    0 votes, 1 post, 813 views, no one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.