• How can I exclude one IP from a phase 2 entry

dotdash

    @artimus:

If I block the IP with a fw rule, then it will be blocked. I need the IP to connect to the remote side, but just not over the VPN.

    The traffic will only be blocked on the VPN interface. If the traffic was passing in over the WAN or another interface, you could pass the traffic. If it's a routing issue, that could be complicated as a tunnel will trump a local route, but that would be an unusual situation.

  • IPSEC VPN to Amazon AWS VPC - Traffic not passing

    No one has replied
• Pass Broadcast traffic over IPSec Tunnel?

    M

    Interfaces -> (assign) -> GRE

    I've never done this on pfSense but I know you can use a GRE tunnel over IPSec to pass broadcast traffic. You may need to play around with the settings a bit and you may need to set up static routes.

    GRE remote address is the WAN address of the endpoint you are connecting to.
    GRE tunnel local address is an IP you assign to the local side of the GRE tunnel. Pick a new subnet.
    GRE tunnel remote address is the IP on the endpoint you are connecting to.
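Added example (not pfSense code and not from the thread) showing why the broadcast never crosses a plain Phase 2 and what the GRE wrapper changes. On pfSense 2.1 IPsec is policy based: a packet is only tunneled if its source and destination match a Phase 2 entry, and a directed broadcast to the local subnet matches nothing. Wrapped in GRE between the two WAN addresses, the packet the kernel sees is WAN -> peer WAN, protocol 47, which a Phase 2 for those two addresses does claim. The IPv4/GRE headers are built by hand, and the site addresses are documentation ranges chosen for the example.

```python
"""Broadcast vs. policy-based IPsec, and what GRE encapsulation changes.

Added example, not pfSense code or anything from the thread. IPv4 and GRE
headers are built by hand (no scapy) and a Phase 2 style selector
(local net, remote net, optional protocol) is applied the way the kernel
SPD would. Site addresses are documentation ranges chosen for the example.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); rejects a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def gre_encap(inner):
    """RFC 2784 GRE: flags/version 0, protocol type IPv4, then the inner packet."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner


def gre_decap(payload):
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE header")  # optional checksum/key/seq not handled
    return payload[4:]


def phase2_selects(pkt, local_net, remote_net, proto=None):
    """Does a Phase 2 entry (local subnet -> remote subnet[, protocol]) claim this packet?"""
    src, dst, p, _ = parse_ipv4(pkt)
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net)
            and (proto is None or p == proto))


def demo():
    # Site A: LAN 10.10.1.0/24 behind WAN 203.0.113.5; site B: LAN 10.10.2.0/24 behind 198.51.100.7.
    # Constructed UDP datagram to site A's directed broadcast address.
    bcast = build_ipv4("10.10.1.5", "10.10.1.255", IPPROTO_UDP, bytes(8) + b"DISCOVER")

    # The usual LAN<->LAN Phase 2 never sees it: 10.10.1.255 is not in 10.10.2.0/24.
    lan_p2 = phase2_selects(bcast, "10.10.1.0/24", "10.10.2.0/24")

    # Wrap it in GRE between the two WAN addresses (the "GRE remote address" of the post);
    # a Phase 2 for WAN/32 <-> peer WAN/32 restricted to protocol GRE now claims it.
    outer = build_ipv4("203.0.113.5", "198.51.100.7", IPPROTO_GRE, gre_encap(bcast))
    gre_p2 = phase2_selects(outer, "203.0.113.5/32", "198.51.100.7/32", IPPROTO_GRE)

    # The far end decapsulates and the original broadcast destination is intact.
    _, _, _, payload = parse_ipv4(outer)
    inner_dst = parse_ipv4(gre_decap(payload))[1]
    return lan_p2, gre_p2, inner_dst


if __name__ == "__main__":
    print(demo())  # (False, True, '10.10.1.255')
```

The Phase 2 that carries the GRE traffic only needs to cover the two tunnel endpoints and protocol 47; the static routes the post mentions then send the remote LAN (and its broadcast address) into the GRE interface rather than at the IPsec policy.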

  • Guide: IPsec Road Warrior setup with Windows AD integration (pfSense 2.1)

    No one has replied
  • Filtering IPsec tunnel traffic on pfSense 2.1

jimp

    Please don't cross-post topics to multiple boards.

    I replied to your other topic in the Firewalling board.

  • Connecting a Netgear Prosafe FVS318G and pfSense box?

    D

    Hello,

    I've successfully connected 3 FVS318G to a pfSense 2.1 box.

First, be sure to have firmware 3.1.1-08 on the FVS318G.

    Then, choose phase 1 as following on Netgear:

Direction: Both
    Exchange: Aggressive
    Identifier: depends on your setup; mine is an IP because the WAN has a public IP, but it could be an FQDN if your WAN lies in private address space
    Encryption: AES256
    Authentication: SHA1
    DH Group: 2
    DPD: Yes
    XAuth: none

    Use the same params on the pfSense box.
    Also check that Phase 2 has the same params as Phase 2 on the pfSense box.

    Cheers.

    PS: your subnet mask is wrong on pfSense side
PS2: Don't forget to add new firewall rules on the IPsec interface to allow incoming traffic on pfSense.

  • PFSense 2.1 feature question: NAT before IPsec (1:1 or many:1) outbound

jimp

Most likely, yes, it can be done on a single box. In practice it depends on exactly how you need to handle inbound connections (if there are any).

    If you NAT everyone to a single public IP inside the tunnel and all of the connections go from you to the far side, then it works fine. If you need to do port forwards on that public IP back to hosts inside your network, then maybe not.

• IPSec tunnel has gone down, I'm at a loss

    S

    resolved the issue, Verizon had changed our public IP address at midnight without warning or reason.

• IPSEC site to site originally OK, now it's not

    C

    @migsutu:

    No settings have been changed on either router. Where should I begin to look for a problem(I assume one of the logs will clue me in)and what should I be looking for to pinpoint the issue.

I don't have any suggested causes, but yes, look through ipsec.log for any problems starting around the time you noticed the issue. I assume you were pinging by IP rather than hostnames, right, to rule out any resolver issues?

Probably the logs shown in the GUI don't go back far enough, so open a shell session and run 'clog /var/log/ipsec.log | less'. Page through system.log and routing.log for clues as well.
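Added example (not from the thread or from pfSense) of doing that log review programmatically: it parses racoon-style ipsec.log lines, keeps the errors and known symptoms in a window after the time the tunnel was noticed down, and lists any peer address racoon had no configuration for, which is exactly what a silently changed remote public IP (as in the thread above) looks like. The sample lines are constructed and only modeled on racoon's message style, and the table mapping messages to a likely cause is this script's own assumption.

```python
"""Triage a pfSense 2.1 ipsec.log (racoon) around the time a tunnel broke.

Added example, not from the thread or from pfSense. The log lines are
constructed and only modeled on racoon's message style, and the table that
maps messages to a likely cause is this script's own assumption. On the box
itself you would feed it the output of `clog /var/log/ipsec.log`.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, written to look like racoon's syslog output (year assumed below).
SAMPLE_LOG = """\
Oct 14 23:58:02 racoon: [Branch]: INFO: ISAKMP-SA established 203.0.113.5[500]-198.51.100.7[500] spi:1a2b3c4d5e6f7081:9f8e7d6c5b4a3928
Oct 15 00:00:11 racoon: [Branch]: INFO: ISAKMP-SA expired 203.0.113.5[500]-198.51.100.7[500] spi:1a2b3c4d5e6f7081:9f8e7d6c5b4a3928
Oct 15 00:00:12 racoon: NOTIFY: the packet is retransmitted by 203.0.113.5[500] (1).
Oct 15 00:00:42 racoon: ERROR: phase1 negotiation failed due to time up. 203.0.113.5[500]<=>198.51.100.7[500]
Oct 15 00:01:05 racoon: ERROR: no configuration found for 198.51.100.9.
Oct 15 00:01:05 racoon: ERROR: failed to begin ipsec sa negotiation.
Oct 15 00:03:30 racoon: ERROR: failed to get sainfo.
Oct 15 00:03:30 racoon: ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?(?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumed mapping from message text to the thing to check first.
CAUSES = [
    ("no configuration found for", "peer address matches no Phase 1: did the remote public IP change?"),
    ("couldn't find the pskey", "no pre-shared key for that peer identifier"),
    ("phase1 negotiation failed due to time up", "no usable reply: UDP 500/4500 blocked, peer down, or Phase 1 proposal mismatch"),
    ("failed to get sainfo", "Phase 2 subnet/proposal mismatch with the remote side"),
    ("retransmitted", "peer not answering, racoon is retransmitting"),
]


def syslog_time(stamp, year):
    """Syslog stamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_line(line, year):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": syslog_time(m["ts"], year), "level": m["level"],
            "peers": IP_RE.findall(m["msg"]), "msg": m["msg"]}


def classify(msg):
    for needle, cause in CAUSES:
        if needle in msg:
            return cause
    return None


def triage(log_text, since, minutes=10, year=2013):
    """Errors and known symptoms in the `minutes` after `since` (e.g. 'Oct 15 00:00:00')."""
    start = syslog_time(since, year)
    end = start + timedelta(minutes=minutes)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        cause = classify(rec["msg"])
        if rec["level"] == "ERROR" or cause:
            findings.append((rec["ts"].strftime("%H:%M:%S"), rec["peers"], cause or rec["msg"]))
    return findings


def unknown_peers(log_text, known_peers, year=2013):
    """Addresses racoon had no configuration for: a changed remote WAN address shows up here."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec and "no configuration found for" in rec["msg"]:
            seen.update(ip for ip in rec["peers"] if ip not in known_peers)
    return sorted(seen)


if __name__ == "__main__":
    for when, peers, what in triage(SAMPLE_LOG, "Oct 15 00:00:00"):
        print(when, peers, what)
    print("unexpected peers:", unknown_peers(SAMPLE_LOG, {"198.51.100.7"}))
```

Run it against the real file with `clog /var/log/ipsec.log | python3 triage.py` style plumbing after replacing SAMPLE_LOG with stdin; the set of configured peer addresses to pass to unknown_peers comes from your Phase 1 entries.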

  • IPsec between Cisco ASA port 80 not working.

    J

    Hi, I've the same problem here. I can access port https, smtp, pop3 and ping on remote side but no http (the remote side doesn't see any incoming http packet). I've no specific ipsec rule, everything is allowed. I use port 800 for local Squid proxy. Transparent proxy is checked in Squid configuration.

    PF2.0.1
    Squid 2.7.9v4.3.3
    Squidguard 1.4.4v1.9.3

  • Mobile IPSEC between PFSense v2.1 and Vyatta VC6.5

    No one has replied
  • Site to site (pfsense-openbsd) fail after 2.1 upgrade

    C

    @nothing:

    I guess my crystal ball is broken and I'm unable to see your configuration :)
    Screenshots and config samples please :)

Hi, do you have working IPsec tunnels between pfSense 2.1 and OpenBSD?
    As already said, the same tunnels to OpenBSD boxes worked fine with pfSense 2.0, while IPsec tunnels to Cisco routers continue to work.

    openbsd sample:
    ike active esp from $local_network to $remote_network local $local_peer_wifi peer $remote_peer_wifi main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha1 enc blowfish group modp1024 psk $key
    (also tried to add life(time) for the two phases)

    pfsense side is simpler, just putting right data in fields, using IPs as identifiers

    Giacomo

  • IPSEC Mobile Client setup

    J

    Hi jimp,

Thanks, I had misconfigured it. I bought the $99 subscription and read through the draft of the new book and managed to fix it that way.

• Is NAT/BINAT for IPsec thoroughly tested?

jimp

I have helped customers configure it since the feature first hit the tree and it's worked well. There isn't much to go wrong, especially with BINAT. Many:1 NAT works, but only with connections going in the outbound direction. BINAT works fine with connections in or out.

•
    jimp

    There isn't much to it, really. Just set the NAT subnet to be whatever you want your side to appear as when the packets reach the remote site.

    Note that NAT+IPsec in this way only helps if your LAN subnet conflicts with a remote network that you aren't trying to reach directly. It won't let you reach two identical remote networks (they would need to do NAT on that side)

    Firewall rules on IPsec tab still refer to your local/LAN IPs as the destination.
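Added example (not pfSense code, not from either thread) modelling the two translations discussed in this post and in "Is NAT/BINAT for IPsec thoroughly tested?" above: BINAT keeps the host bits and swaps only the network part, so it needs no state and works for connections in either direction, while many:1 NAT only has a reverse mapping for flows a LAN host opened first, which is why the far side cannot initiate anything through it. The last function shows the point about the IPsec tab: inbound packets are un-translated before filtering, so rules there match the real LAN address. Subnets are documentation ranges chosen for the example.

```python
"""NAT before IPsec: 1:1 (BINAT) versus many:1, as an added example.

Not pfSense code; it models the behaviour the forum replies describe.
The subnets are documentation ranges chosen for the example.
"""
import ipaddress


class Binat:
    """1:1 subnet translation (the Phase 2 'NAT/BINAT' setting): the host bits
    are kept and only the network part is swapped, so it is stateless and
    works for connections in both directions."""

    def __init__(self, lan_net, nat_net):
        self.lan = ipaddress.ip_network(lan_net)
        self.nat = ipaddress.ip_network(nat_net)
        if self.lan.prefixlen != self.nat.prefixlen:
            raise ValueError("BINAT needs two networks of the same size")

    @staticmethod
    def _swap(addr, src_net, dst_net):
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not inside {src_net}")
        host_bits = int(a) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))

    def outbound(self, lan_addr):
        """Applied before ESP encapsulation: LAN address -> what the remote sees."""
        return self._swap(lan_addr, self.lan, self.nat)

    def inbound(self, nat_addr):
        """Applied after ESP decapsulation, before the IPsec tab rules run."""
        return self._swap(nat_addr, self.nat, self.lan)


class ManyToOne:
    """Every LAN host hidden behind one address. A translation exists only
    after a LAN host opens a connection; with no state there is no reverse
    mapping, so the remote side cannot initiate anything through it."""

    def __init__(self, nat_addr, first_port=40000):
        self.nat_addr = nat_addr
        self.next_port = first_port
        self.by_flow = {}   # (proto, src, sport, dst, dport) -> NAT port
        self.by_nat = {}    # (proto, dst, dport, NAT port) -> (src, sport)

    def outbound(self, proto, src, sport, dst, dport):
        flow = (proto, src, sport, dst, dport)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_nat[(proto, dst, dport, self.next_port)] = (src, sport)
            self.next_port += 1
        return self.nat_addr, self.by_flow[flow]

    def inbound(self, proto, src, sport, dst, dport):
        """LAN (addr, port) for a reply to an existing flow, or None (dropped) if unsolicited."""
        if dst != self.nat_addr:
            return None
        return self.by_nat.get((proto, src, sport, dport))


def ipsec_tab_allows(rule_destinations, lan_dst):
    """Rules on the IPsec tab are evaluated after the reverse translation,
    so their destination is the real LAN address, not the NAT address."""
    d = ipaddress.ip_address(lan_dst)
    return any(d in ipaddress.ip_network(net) for net in rule_destinations)


def demo():
    # LAN 10.0.0.0/24 collides with something on the remote side, so appear as 172.16.5.0/24.
    binat = Binat("10.0.0.0/24", "172.16.5.0/24")
    out = binat.outbound("10.0.0.17")          # remote sees 172.16.5.17
    back = binat.inbound("172.16.5.17")        # packet for 172.16.5.17 reaches 10.0.0.17
    allowed = ipsec_tab_allows(["10.0.0.0/24"], back)

    # Many:1 behind 172.16.5.1: replies come back, unsolicited connections do not.
    napt = ManyToOne("172.16.5.1")
    nat_src = napt.outbound("tcp", "10.0.0.17", 51000, "192.168.50.10", 443)
    reply = napt.inbound("tcp", "192.168.50.10", 443, "172.16.5.1", nat_src[1])
    unsolicited = napt.inbound("tcp", "192.168.50.10", 51234, "172.16.5.1", 22)
    return out, back, allowed, nat_src, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```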

  • IPsec issues on 2.1? Packet loss over time?

    No one has replied
•
    T

    @mikee:

    Then please edit the Subject and mark it as SOLVED for others to be able to benefit from your experience. Thanks.

I guess that's something the thread starter has to do. His setup is different from mine and I don't see that he has found a solution yet.

  • IpSec pass thru ports

    M

    Just another helpful tip should anyone encounter it.

    If you use the NTP service, and it stalls, the AT&T MicroCell will stop working, but the Sprint MicroCell will keep working.  Apparently AT&T's unit demands a time sync.  The NTP service might say it's running but a packet capture will show a flood of unanswered port 123 traffic on the LAN.

    How did the NTP service stop working, you ask?  Since NTP service beats Unbound to the clock on bootup, NTP never starts unless manually started. The log reports, NTP could not resolve hostname.  So I figure I'll use an IP addy for the NTP server address so it won't have to resolve.  Well can you believe time.nist.gov IP addy changed a couple days ago?  This locked up the NTP service, which broke all Microcells on the network.

    Nice eh…

    ver 2.1R-64b

  • IPsec tunnel to WAN port only

    G

    You REALLY don't like OpenVPN right? :P

    Let's put this very simple:

If you want to be able to selectively route internet traffic through the link, forget about IPsec.

    If you really want to use IPsec, you will be able to access the VPS and its subnet with no problems. Just create a regular Phase1, and then an appropriate Phase2 which links the subnets. Allow all traffic on the IPsec "interface" on the firewall rules, and you are done

    Regards!

Disclaimer, just to be technically correct, hehe: actually you could route some internet traffic if you manage to know the certain IP addresses/ranges that those sites utilize, by creating a Phase 2 on both firewalls with that subnet. Even if you could do it, it will be way too cumbersome for something that you can easily achieve with an OpenVPN tunnel.
  • Tunnel to Cisco 2800 router

    M

    You may post your cisco config if you want someone to be able to help

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.