• PfSense IPSec with overlapping networks

    0 Votes · 5 Posts · 4k Views

    Hi Jim,

    On page 433 in the IPsec chapter of the 2.1 draft document, it says "if [the network option] is unchecked, the clients will attempt to send all of their traffic, including Internet traffic, across the tunnel".

    Assuming I am OK handling the Internet traffic, wouldn't this bypass any conflicting IP address issues as described in this thread?

    –jason

    @jimp:

    The NAT must be done on the client side before it leaves. The other router can never see the address.

    In the case of the LANs overlapping, both sides must do the NAT so they appear to be on different subnets. You can't do all of the NAT on one side in both directions.

    Save yourself a ton of time and headaches, just bite the bullet and renumber the side you have more control of now.

  • DNS Resolving with DNS behind tunnel suddenly stopped

    0 Votes · 1 Post · 843 Views · No one has replied
  • VPNIPsec - Routing traffic trough VPN

    Locked · 0 Votes · 4 Posts · 1k Views

    Problem solved (not in pfSense). The route was OK in pfSense.

  • 0 Votes · 1 Post · 818 Views · No one has replied
  • Phase 2 Mobile Client Local Network Type LAN Subnet No Internet Access

    0 Votes · 9 Posts · 4k Views

    I was NATing the wrong IP. I use a secondary public IP as a virtual IP address in pfSense. I had to set up a manual outbound NAT for my IPsec IPs. So if my IPsec LAN IPs are 192.168.99.0/24, then I need to set up an outbound NAT for 192.168.99.0/24 to my public IP x.x.x.x. Once that was set up, I had internet.

  • IPSEC Windows Authentication: Allow/Deny user access?

    0 Votes · 2 Posts · 1k Views

    Nobody? Trying to figure out if it's a config issue or just supposed to be this way. Any ideas would be helpful.

    Thanks. 8)

  • IPSec site-to-site with NAT on pfSense 2.1

    0 Votes · 1 Post · 2k Views · No one has replied
  • VPN to Watchguard Firebox X Edge

    0 Votes · 2 Posts · 2k Views

    Greetings Joe. I have had 0 problems setting up WatchGuard models to connect to pfSense. It is all a vanilla install. Easy as pie. The errors that you're seeing are strange though.

    Sep 27 10:39:39  racoon: ERROR: sendto (Operation not permitted)
    Sep 27 10:39:39  racoon: ERROR: sendfromto failed
    Sep 27 10:39:39  racoon: ERROR: phase1 negotiation failed due to send error. 66b1e254686db797:0000000000000000
    Sep 27 10:39:39  racoon: ERROR: failed to begin ipsec sa negotication.

    I've never seen these errors before. Google brings up http://lists.freebsd.org/pipermail/freebsd-net/2012-July/032726.html. Are you sure your settings match? Double check.

    Not much help I know, sorry…

  • IPSEC+VPC AMAZON(Resolved)

    0 Votes · 1 Post · 872 Views · No one has replied
  • 0 Votes · 4 Posts · 2k Views

    Forgot to upload the most important thing … the IPsec log


  • Multiple IPSEC VPNs

    0 Votes · 6 Posts · 5k Views

    If I understood correctly, you want 2 sites (which are not directly connected to each other) to use your main office as a "hop" to get connected?

    If that's the case, it is a routing problem. BranchA doesn't know that it has to route traffic intended for BranchB through your main office. Since you cannot really add static routes that play with IPsec, the solution is to add another Phase2 at BranchA and BranchB (and the main office, of course) which connects the opposite site's subnet.

    Example: let's say the main office is 192.168.0.0/24, BranchA is 192.168.1.0/24 and BranchB is 192.168.2.0/24.

    On BranchA you add a Phase2 that reads:
    Local Subnet: 192.168.1.0/24
    Remote Subnet: 192.168.2.0/24

    Same (but opposite) on BranchB and the main office. You would need as many Phase2s as sites you want connected.

    After that it should work. Some time ago I had the same problem and solved it in this way.

    Whether or not you can add another Phase2 on the Netgear firewalls, that's a different story. You could also solve this by using NAT before IPsec (which should be available on 2.1, haven't tested it yet), but you won't have fully transparent connectivity.

    Regards!

  • Cannot reach hosts across pfSense site to site ipsec tunnel

    0 Votes · 6 Posts · 4k Views

    And, if possible, OpenVPN would be a step up… Unless there is something that prevents it.

  • No traffic between PfSense and Monowall tunnel

    0 Votes · 2 Posts · 1k Views

    Anyone who has a clue what could be wrong here?

  • [SOLVED] IPSEC not tunneling traffic

    0 Votes · 6 Posts · 2k Views

    Presume you set the iPhone VPN configuration "SEND ALL TRAFFIC" to "ON".

    This is a good resource for OpenVPN client setup.
    http://www.guizmovpn.com/index.php?option=com_agora&task=topic&id=559&Itemid=14

  • Ability to see virtual IP address of mobile IPSec clients?

    0 Votes · 4 Posts · 1k Views

    I'm not sure, I don't recall seeing anyone mention it before.

    You can open a feature request on redmine (target = future) if you like, but search a little there first to make sure there isn't one already.

  • Weird audio problem with SIP phone and asterisk

    0 Votes · 1 Post · 906 Views · No one has replied
  • 2.1 - IPsec overview page slow to load

    0 Votes · 2 Posts · 1k Views

    The issue has stopped happening, arbitrarily, but I'd like to get some input on whether other people have experienced this, in case it comes back again.

  • AES-NI

    0 Votes · 2 Posts · 1k Views

    As of 2.1 IPsec can't see it/use it.

    That should be corrected in 2.2 (FreeBSD 10).

  • Pfsense 2.1 and cisco asa5520 one way traffic (SOLVED)

    0 Votes · 2 Posts · 2k Views

    The solution was to move the NAT command higher up the NAT table using these commands on the ASA5520:

    First remove it:
    no nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

    Then add it again:
    nat (inside,outside) 2 source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

  • ERROR: in ipsec between RV042 and PFbox 2.1

    0 Votes · 5 Posts · 2k Views

    I kinda figured out what the issue was, and it may be something to do with the 2.1 release, maybe a feature or GUI issue which was causing this problem.

    I did get it working. I will post screenshots for both sites in the morning.

    EDIT: Sorry, will post SS next week as I need to travel to another city and only have access to a cellphone.
    Anyway, the issue was very simple.

    In pfSense Phase1, for My identifier and Peer identifier I selected the My IP and Peer IP options, as I assumed they would be the default public IPs, but that was not the case. I had to select "IP address" in both and manually give my and the peer's public IP.

    It started working.

    There are a lot of searches for RV042 - pfSense setting screenshots, so I will make sure to put them up soon.

    Rgds

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.