• How to route http(80) port traffic to vpn?

    1
    0 Votes
    1 Posts
    714 Views
    No one has replied
  • Security Settings Problems.

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Pfsense IPSEC to Blackberry Bold 9700

    2
    0 Votes
    2 Posts
    2k Views
    T
    Hello, look at this thread http://forum.pfsense.org/index.php/topic,24463.msg127009.html#msg127009
  • IPsec with NAT not routing?

    6
    0 Votes
    6 Posts
    4k Views
    D
    Just an update: I managed to get the Phase 2 settings correct (tunnel is up and happy) but the NAT/BINAT doesn't seem to work. I wanted my internal subnet 192.168.2.x NATed to 10.148.20.96/27 and to use the IPSec tunnel for accessing 10.x.x.x on the client's side. No NAT is taking place, and packets go out on the WAN instead of being NATed and sent through the IPSec tunnel :( So either I'm doing something wrong (most probably) or pfSense is not doing the NAT properly. So, in the end I had to revert to setting up the (so far) unused opt2 network, using the subnet required by my client, configure DHCP to only give out addresses in this subnet range, connect a Wifi Access Point, and connect the computers which need access to the VPN to this Wifi AP (while still using cable for normal LAN+Internet), and finally set up static routes on the computers for accessing the 10.x.x.x VPN over the Opt2 interface. Really a shame having to complicate things like this, when it would have been so much more convenient using the NAT capabilities of pfSense. If anybody has any idea of what I did wrong, you're welcome to share ;) Cheers, Dan
  • IPSEC VPN connect to mobile client (shrew client)

    4
    0 Votes
    4 Posts
    2k Views
    N
    Thank you guys for your answer
  • Roadwarrior vpn, windows 7 and macintosh

    5
    0 Votes
    5 Posts
    2k Views
    J
    Hello, as it happens, I have been getting these messages in my ipsec logs: failed to pre-process ph2 packet [Check Phase 2 settings, networks] but never could figure it out. I also noticed that in the shrewsoft vpn trace program that Security Associations would only show up in "larval" state, and shortly be removed from the table. I have been playing with things and found this thread: http://forum.gta.com/forum/user-community-support/how-to/190-shrewsoft-vpn-client-problem This version of shrewsoft (2.2.2) has an additional thing to configure on the policy tab: change Policy Generation Level to "unique" and it works: the connection establishes correctly and my formerly "larval" entries change to "mature" and remain in place. If I come back in the next couple of days and close this thread, it is because this solved my problem. –jason
  • Automatic IPSec Rules

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    For IPsec, you need to allow:
    udp/500 (ISAKMP)
    udp/4500 (NAT-T)
    ESP
    You need only allow those from your remote IPsec peers and not the world, unless you use mobile IPsec tunnels.
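As an added example (this is not from jimp's post and not pfSense's own rule generator, which writes the equivalent rules from the GUI), here is what that policy looks like as pf rules on the WAN. It assumes a WAN interface named em0 and two peers at RFC 5737 documentation addresses; passing "any" as the peer is the mobile-tunnel case jimp mentions, where the initiator's address is not known in advance. The `check_rules` helper does a parse-only load with pfctl where that binary exists and just prints the rules elsewhere.

```shell
#!/bin/sh
# Added example, not from jimp's post or from pfSense itself: the pf rules
# that implement "allow IKE, NAT-T and ESP only from known peers" on the WAN.
# Assumptions: the WAN interface is em0 and the peers are RFC 5737
# documentation addresses.

# ipsec_peer_rules <wan_if> <peer> [peer ...]
# Prints a pf ruleset. Pass "any" as the only peer for mobile (road warrior)
# tunnels, where the initiator's address is not known in advance.
ipsec_peer_rules() {
    wan="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "usage: ipsec_peer_rules <wan_if> <peer> [peer ...]" >&2
        return 1
    fi
    if [ "$1" = "any" ]; then
        src="any"
    else
        # A table keeps the rules short; peers can be changed without touching them.
        peers=$(printf '%s, ' "$@"); peers=${peers%, }
        printf 'table <ipsec_peers> { %s }\n' "$peers"
        src="<ipsec_peers>"
    fi
    # (em0) is pf's notation for "whatever address is currently on em0".
    printf 'pass in quick on %s proto udp from %s to (%s) port { 500, 4500 }\n' "$wan" "$src" "$wan"
    printf 'pass in quick on %s proto esp from %s to (%s)\n' "$wan" "$src" "$wan"
    # Everything else aimed at IKE or ESP is dropped and logged so scans show up.
    printf 'block in log quick on %s proto udp from any to (%s) port { 500, 4500 }\n' "$wan" "$wan"
    printf 'block in log quick on %s proto esp from any to (%s)\n' "$wan" "$wan"
}

# check_rules: parse-only load with pfctl when it is available (it is on a
# pfSense box); elsewhere the check is skipped and the rules are just shown.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf -
    else
        echo "# pfctl not available here; syntax check skipped" >&2
        cat
    fi
}

ipsec_peer_rules em0 203.0.113.10 198.51.100.7 | check_rules
```

The block rules are listed after the pass rules only for the log entries; because every rule is `quick`, the first match wins, so peer traffic never reaches them.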
  • Help with NAT+IPsec on 2.1

    6
    0 Votes
    6 Posts
    2k Views
    D
    Hi all, my environment is a little different. In my conf I NAT to a single address. It is a "one-way" configuration. I never tested the configuration with the BINAT (NAT of the entire network). I confirm that it works fine with NAT on a single address and a Fortinet gateway on the other side. I add that it works fine with 2 phase 2 entries, with different source networks. This is needed to grant access also from OpenVPN roaming users. I can help you a little more if you send the real configuration and the log with racoon in debug mode. Bye DavideDB
  • VPN functionality after upgrade from 1.2.3 to 2.1

    2
    0 Votes
    2 Posts
    2k Views
    A
    OpenVPN not working… IPsec not working... PPTP not working... No help, no matter. I downgraded to 1.2.3 and it works perfectly...
  • Multiple mobile client phase 1 entries

    1
    0 Votes
    1 Posts
    963 Views
    No one has replied
  • I've never done IKE Phase II like this before, Can anyone help?

    10
    0 Votes
    10 Posts
    3k Views
    L
    Thanks for taking the time to walk through it with me.  Much appreciated.
  • IPSEC Vpn SiteToSite ZyWALL 300 USG

    2
    0 Votes
    2 Posts
    3k Views
    E
    @andmattia: Phase 1 goes up OK but when I try to start the tunnel on phase 2 it doesn't work: ERROR: error message: '"Could not find acceptable proposal $ '. ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
    Could it be that some of your proposals in phase 2 (crypto and hash) are different/wrong? All phase 2 settings should be configured identically …
  • How can I exclude one IP from a phase 2 entry

    5
    0 Votes
    5 Posts
    2k Views
    dotdash
    @artimus: If I block the ip with a fw rule, then it will be blocked. I need the ip to connect to the remote side, but just not over the vpn.
    The traffic will only be blocked on the VPN interface. If the traffic was passing in over the WAN or another interface, you could pass the traffic. If it's a routing issue, that could be complicated as a tunnel will trump a local route, but that would be an unusual situation.
  • IPSEC VPN to Amazon AWS VPC - Traffic not passing

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Pass Broadcast traffic over IPSec Tunnel?

    4
    0 Votes
    4 Posts
    2k Views
    M
    Interfaces -> (assign) -> GRE
    I've never done this on pfSense but I know you can use a GRE tunnel over IPSec to pass broadcast traffic. You may need to play around with the settings a bit and you may need to set up static routes.
    GRE remote address is the WAN address of the endpoint you are connecting to.
    GRE tunnel local address is an IP you assign to the local side of the GRE tunnel. Pick a new subnet.
    GRE tunnel remote address is the IP on the endpoint you are connecting to.
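The addressing the post describes, worked through as an added example that is not from the post or from pfSense (the GUI path Interfaces -> (assign) -> GRE produces the same interface; these are the underlying FreeBSD commands). All addresses are assumptions for illustration: 203.0.113.10 and 198.51.100.7 as the two WAN addresses (the outer GRE endpoints), 10.99.0.1 and 10.99.0.2 in a fresh /30 as the tunnel's own addresses, and 192.168.20.0/24 as the far LAN reached through a static route via the GRE peer. The caveat a practitioner wants: the IPsec phase 2 has to carry protocol 47 (GRE) between the two WAN addresses, otherwise the GRE packets leave the WAN in the clear.

```shell
#!/bin/sh
# Added example, not from the post or from pfSense: the FreeBSD commands that
# build a GRE tunnel over an existing IPsec tunnel with the addressing the
# post describes. Assumptions (documentation addresses, not real ones):
#   local WAN 203.0.113.10, remote WAN 198.51.100.7  -> outer GRE endpoints
#   10.99.0.1 / 10.99.0.2 in a fresh /30             -> inner tunnel addresses
#   192.168.20.0/24                                  -> far-side LAN, routed via the GRE peer
# The IPsec phase 2 must carry protocol 47 (GRE) between the two WAN
# addresses; otherwise the GRE packets leave the WAN unencrypted.
# Commands are printed by default; set APPLY=1 on the firewall to run them.

# ip2int <dotted quad>: integer form, for subnet arithmetic
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_p2p_subnet <a> <b>: true if both addresses sit in one /30;
# a point-to-point link whose ends are in different /30s will not route.
same_p2p_subnet() {
    [ $(( $(ip2int "$1") >> 2 )) -eq $(( $(ip2int "$2") >> 2 )) ]
}

# gre_commands <local_wan> <remote_wan> <gre_local> <gre_remote> <far_lan_cidr>
gre_commands() {
    if ! same_p2p_subnet "$3" "$4"; then
        echo "error: $3 and $4 are not in the same /30" >&2
        return 1
    fi
    printf 'ifconfig gre0 create\n'
    # outer header: the two WAN addresses (the post's "GRE remote address")
    printf 'ifconfig gre0 tunnel %s %s\n' "$1" "$2"
    # inner point-to-point addresses ("GRE tunnel local/remote address")
    printf 'ifconfig gre0 inet %s %s netmask 255.255.255.252 up\n' "$3" "$4"
    # the static route the post says you may need
    printf 'route add -net %s %s\n' "$5" "$4"
}

run_or_show() {
    if [ "${APPLY:-0}" = "1" ]; then sh -e; else cat; fi
}

gre_commands 203.0.113.10 198.51.100.7 10.99.0.1 10.99.0.2 192.168.20.0/24 | run_or_show
```

The far side runs the mirror image (WAN addresses and tunnel addresses swapped, route pointing back at 10.99.0.1). Broadcast traffic still needs whatever is listening for it to be bound to gre0, and pf rules on the GRE interface if you filter it.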
  • Guide: IPsec Road Warrior setup with Windows AD integration (pfSense 2.1)

    1
    0 Votes
    1 Posts
    918 Views
    No one has replied
  • Filtering IPsec tunnel traffic on pfSense 2.1

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Please don't cross-post topics to multiple boards. I replied to your other topic in the Firewalling board.
  • Connecting a Netgear Prosafe FVS318G and pfSense box?

    3
    0 Votes
    3 Posts
    3k Views
    D
    Hello, I've successfully connected 3 FVS318G to a pfSense 2.1 box. First, be sure to have firmware 3.1.1-08 on the FVS318G. Then, choose phase 1 as follows on the Netgear:
    Direction: Both
    Exchange: Aggressive
    Identifier: depends on your setup, mine is an IP because WAN has a public IP, could be a FQDN if your WAN lies in a private address space
    Encryption: AES256
    Authentication: SHA1
    DH Group: 2
    DPD: Yes
    Xauth: none
    Use the same params on the pfSense box. Also check Phase 2 to have the same params as Phase 2 on the pfSense box. Cheers.
    PS: your subnet mask is wrong on the pfSense side
    PS2: Don't forget to add new firewall rules on the IPSEC interface to enable incoming traffic on pfSense.
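Both the ZyWALL reply above (NO-PROPOSAL-CHOSEN, "all phase 2 settings should be configured identically") and this Netgear post ("use the same params on the pfSense box") come down to the same check: every IKE parameter must match on both peers. As an added example, not from either post and not a tool shipped by pfSense or the vendors, the script below lines up two parameter sets and prints each field that differs. The values are constructed for illustration: the Netgear phase 1 list from this post on one side, a deliberately mismatched peer on the other, plus an invented phase 2 pair; nothing was exported from real devices.

```shell
#!/bin/sh
# Added example, not from either thread: line up the IKE parameters of two
# peers and print every field that differs. A NO-PROPOSAL-CHOSEN notification
# means the responder accepted none of the initiator's proposals, and the fix
# is to make the two sides identical, so a mechanical comparison beats
# eyeballing two GUIs. Each side is a whitespace-separated key=value list.
# All values below are constructed for the example (Netgear phase 1 settings
# from the post on one side, a deliberately mismatched peer on the other).

netgear_p1="exchange=aggressive enc=aes256 auth=sha1 dh=2 dpd=yes xauth=none"
pfsense_p1="exchange=aggressive enc=aes256 auth=sha256 dh=14 dpd=yes xauth=none"

# Phase 2 (the "crypto and hash" the ZyWALL reply asks about), also constructed.
site_a_p2="proto=esp enc=aes256 hash=sha1 pfs=2 lifetime=3600"
site_b_p2="proto=esp enc=aes256 hash=md5 pfs=2 lifetime=28800"

# param "<list>" <key>: print the key's value, or "(unset)" if absent.
param() {
    for kv in $1; do
        case "$kv" in "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;; esac
    done
    printf '(unset)\n'
}

# compare_proposals "<side A list>" "<side B list>"
# Prints "key: A=.. B=.." per mismatch; returns 1 if any, 0 if identical.
# A key present on only one side is reported too, with "(unset)".
compare_proposals() {
    a="$1"; b="$2"; rc=0
    keys=$(for kv in $a $b; do printf '%s\n' "${kv%%=*}"; done | sort -u)
    for k in $keys; do
        va=$(param "$a" "$k"); vb=$(param "$b" "$k")
        if [ "$va" != "$vb" ]; then
            printf '%s: A=%s B=%s\n' "$k" "$va" "$vb"
            rc=1
        fi
    done
    return $rc
}

# report <label> <listA> <listB>: human-readable wrapper
report() {
    echo "$1:"
    if compare_proposals "$2" "$3"; then
        echo "  identical"
    else
        echo "  fix the fields above before this phase will negotiate"
    fi
}

report "phase 1" "$netgear_p1" "$pfsense_p1"
report "phase 2" "$site_a_p2" "$site_b_p2"
```

Lifetimes are included deliberately: a mismatch there usually still negotiates (the shorter side rekeys first) but shows up as tunnels that drop and re-establish, which is worth knowing when the rest of the list already agrees.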
  • PFSense 2.1 feature question: NAT before IPsec (1:1 or many:1) outbound

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Most likely, yes, it can be done on a single box. In practice it depends on exactly how you need to handle inbound connections (if there are any). If you NAT everyone to a single public IP inside the tunnel and all of the connections go from you to the far side, then it works fine. If you need to do port forwards on that public IP back to hosts inside your network, then maybe not.
  • IPSec tunnel has gone down im at a loss

    2
    0 Votes
    2 Posts
    1k Views
    S
    Resolved the issue: Verizon had changed our public IP address at midnight without warning or reason.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.