• IPSEC site to site originally ok, now it's not
    0 Votes, 3 Posts, 1k Views
    @migsutu: No settings have been changed on either router. Where should I begin to look for a problem (I assume one of the logs will clue me in) and what should I be looking for to pinpoint the issue?
    I don't have any suggested causes, but yes, look through ipsec.log for any problems starting around the time you noticed the issue. I assume you were pinging by IP rather than hostname, right, to rule out any resolver issues? Probably the logs shown in the GUI don't go back far enough, so open a shell session and run 'clog /var/log/ipsec.log | less'. Page through system.log and routing.log for clues as well.
• IPsec between Cisco ASA port 80 not working.
    0 Votes, 2 Posts, 1k Views
    Hi, I have the same problem here. I can access HTTPS, SMTP, POP3 and ping on the remote side but not HTTP (the remote side doesn't see any incoming HTTP packet). I have no specific IPsec rule; everything is allowed. I use port 800 for the local Squid proxy. Transparent proxy is checked in the Squid configuration. PF 2.0.1, Squid 2.7.9v4.3.3, SquidGuard 1.4.4v1.9.3
• Mobile IPSEC between PFSense v2.1 and Vyatta VC6.5
    0 Votes, 1 Post, 1k Views
    No one has replied
• Site to site (pfsense-openbsd) fail after 2.1 upgrade
    0 Votes, 4 Posts, 2k Views
    @nothing: I guess my crystal ball is broken and I'm unable to see your configuration :) Screenshots and config samples please :)
    Hi, do you have working IPsec tunnels between pfSense 2.1 and OpenBSD? As already said, the same tunnels to OpenBSD boxes worked fine with pfSense 2.0, while IPsec tunnels to Cisco routers continue to work. OpenBSD sample:
        ike active esp from $local_network to $remote_network \
            local $local_peer_wifi peer $remote_peer_wifi \
            main auth hmac-sha1 enc blowfish group modp1024 \
            quick auth hmac-sha1 enc blowfish group modp1024 \
            psk $key
    (I also tried adding life(time) for the two phases.) The pfSense side is simpler, just putting the right data in the fields, using IPs as identifiers.
    Giacomo
• IPSEC Mobile Client setup
    0 Votes, 3 Posts, 4k Views
    Hi jimp, thanks, I had misconfigured it. I bought the $99 subscription and read through the draft of the new book and managed to fix it that way.
• Is NAT/BINAT for IPsec thoroughly tested?
    0 Votes, 2 Posts, 1k Views
    jimp: I have helped customers configure it since the feature first hit the tree and it's worked well. There isn't much to go wrong, especially with BINAT. many:1 NAT works, but only with connections going in the outbound direction. BINAT works fine with connections in or out.
• 0 Votes, 2 Posts, 2k Views
    jimp: There isn't much to it, really. Just set the NAT subnet to be whatever you want your side to appear as when the packets reach the remote site. Note that NAT+IPsec in this way only helps if your LAN subnet conflicts with a remote network that you aren't trying to reach directly. It won't let you reach two identical remote networks (they would need to do NAT on that side). Firewall rules on the IPsec tab still refer to your local/LAN IPs as the destination.
• IPsec issues on 2.1? Packet loss over time?
    0 Votes, 1 Post, 877 Views
    No one has replied
• 0 Votes, 8 Posts, 3k Views
    @mikee: Then please edit the Subject and mark it as SOLVED for others to be able to benefit from your experience. Thanks.
    I guess that's something the thread starter has to do. His setup is different from mine and I don't see that he has found a solution yet.
• IPsec pass thru ports
    0 Votes, 3 Posts, 3k Views
    Just another helpful tip should anyone encounter it. If you use the NTP service and it stalls, the AT&T MicroCell will stop working, but the Sprint MicroCell will keep working. Apparently AT&T's unit demands a time sync. The NTP service might say it's running, but a packet capture will show a flood of unanswered port 123 traffic on the LAN.
    How did the NTP service stop working, you ask? Since the NTP service beats Unbound to the clock on bootup, NTP never starts unless manually started. The log reports "NTP could not resolve hostname." So I figured I'd use an IP addy for the NTP server address so it won't have to resolve. Well, can you believe the time.nist.gov IP addy changed a couple of days ago? This locked up the NTP service, which broke all MicroCells on the network. Nice eh… ver 2.1R-64b
• IPsec tunnel to WAN port only
    0 Votes, 8 Posts, 3k Views
    You REALLY don't like OpenVPN, right? :P Let's put this very simply: if you want to be able to selectively route internet traffic through the link, **forget about IPsec**. If you really want to use IPsec, you will be able to access the VPS and its subnet with no problems. Just create a regular Phase 1, and then an appropriate Phase 2 which links the subnets. Allow all traffic on the IPsec "interface" in the firewall rules, and you are done. Regards!
    Disclaimer, just to be technically correct, hehe: actually you could route some internet traffic if you manage to know the certain IP addresses/ranges that those sites utilize, by creating a Phase 2 on both firewalls with that subnet. Even if you could do it, it will be way too cumbersome for something that you can easily achieve with an OpenVPN tunnel.
• Tunnel to Cisco 2800 router
    0 Votes, 3 Posts, 2k Views
    You may post your Cisco config if you want someone to be able to help.
• PfSense IPSec with overlapping networks
    0 Votes, 5 Posts, 5k Views
    Hi Jim, on page 433 in the IPsec chapter of the 2.1 draft document, it says "if [the network option] is unchecked, the clients will attempt to send all of their traffic, including Internet traffic, across the tunnel". Assuming I am ok handling the Internet traffic, wouldn't this bypass any conflicting IP address issues as described in this thread? –jason
    @jimp: The NAT must be done on the client side before it leaves. The other router can never see the address. In the case of the LANs overlapping, both sides must do the NAT so they appear to be on different subnets. You can't do all of the NAT on one side in both directions. Save yourself a ton of time and headaches; just bite the bullet and renumber the side you have more control of now.
• DNS Resolving with DNS behind tunnel suddenly stopped
    0 Votes, 1 Post, 894 Views
    No one has replied
• VPN IPsec - Routing traffic through VPN (Locked)
    0 Votes, 4 Posts, 1k Views
    Problem solved (not in pfSense). The route was OK in pfSense.
• 0 Votes, 1 Post, 861 Views
    No one has replied
• Phase 2 Mobile Client Local Network Type LAN Subnet No Internet Access
    0 Votes, 9 Posts, 5k Views
    I was NATing the wrong IP. I use a secondary public IP as a virtual IP address in PFSense. I had to set up a manual outbound NAT for my IPsec IPs. So if my IPsec LAN IPs are 192.168.99.0/24, then I need to set up an outbound NAT for 192.168.99.0/24 to my public IP x.x.x.x. Once that was set up I had internet.
• IPSEC Windows Authentication: Allow/Deny user access?
    0 Votes, 2 Posts, 1k Views
    Nobody? Trying to figure out if it's a config issue or just supposed to be this way. Any ideas would be helpful. Thanks. 8)
• IPSec site-to-site with NAT on pfSense 2.1
    0 Votes, 1 Post, 2k Views
    No one has replied
• VPN to Watchguard Firebox X Edge
    0 Votes, 2 Posts, 2k Views
    Greetings Joe. I have had 0 problems setting up WatchGuard models to connect to pfSense. It is all a vanilla install. Easy as pie. The errors that you're seeing are strange though:
        Sep 27 10:39:39 racoon: ERROR: sendto (Operation not permitted)
        Sep 27 10:39:39 racoon: ERROR: sendfromto failed
        Sep 27 10:39:39 racoon: ERROR: phase1 negotiation failed due to send error. 66b1e254686db797:0000000000000000
        Sep 27 10:39:39 racoon: ERROR: failed to begin ipsec sa negotication.
    I've never seen these errors before. Google brings up http://lists.freebsd.org/pipermail/freebsd-net/2012-July/032726.html. Are you sure your settings match? Double check. Not much help I know, sorry…
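As an added example (not code from any post in this listing), here is a small POSIX shell script for the log-reading approach suggested in the first thread ("look through ipsec.log for any problems starting around the time you noticed the issue") applied to racoon error lines like the ones quoted in the Watchguard thread above. It filters racoon ERROR lines to a time window and groups phase 1 failures by the ISAKMP cookie pair printed at the end of the line, so repeated failures of the same negotiation stand out. The log text is constructed for the example: the four ERROR lines are the ones quoted above, while the INFO lines, the 203.0.113.10 and 198.51.100.20 addresses and the SPI are made up. On a pfSense 2.1 box the input would be the output of 'clog /var/log/ipsec.log' instead of the inline string.

```shell
#!/bin/sh
# Added example, not taken from the forum posts: filter an ipsec.log for
# racoon ERROR lines inside a time window and summarise phase 1 failures.
# On pfSense 2.1 the real input would be:  clog /var/log/ipsec.log
#
# The log below is constructed for this example. The ERROR lines are the
# ones quoted in the Watchguard thread; the INFO lines, the documentation
# addresses (RFC 5737) and the SPI value are made up.
SAMPLE_LOG='Sep 27 10:38:02 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[500]->198.51.100.20[500] spi=123456(0x1e240)
Sep 27 10:39:39 racoon: ERROR: sendto (Operation not permitted)
Sep 27 10:39:39 racoon: ERROR: sendfromto failed
Sep 27 10:39:39 racoon: ERROR: phase1 negotiation failed due to send error. 66b1e254686db797:0000000000000000
Sep 27 10:39:39 racoon: ERROR: failed to begin ipsec sa negotication.
Sep 27 10:41:05 racoon: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.10[500]->198.51.100.20[500] spi=123456(0x1e240)
Sep 27 11:02:17 racoon: ERROR: phase2 negotiation failed.'

# ipsec_errors_between LOGTEXT START END
# Print racoon ERROR lines whose HH:MM timestamp lies in [START, END].
# Syslog format is "Mon DD HH:MM:SS racoon: LEVEL: message", so $3 is the
# time and $4/$5 identify the daemon and level. HH:MM compares correctly
# as a plain string, which is all awk needs here (same day assumed).
ipsec_errors_between() {
    printf '%s\n' "$1" | awk -v s="$2" -v e="$3" '
        $4 == "racoon:" && $5 == "ERROR:" {
            t = substr($3, 1, 5)
            if (t >= s && t <= e) print
        }'
}

# count_ipsec_errors LOGTEXT START END
# Number of racoon ERROR lines in the window (prints 0 when none match).
count_ipsec_errors() {
    ipsec_errors_between "$1" "$2" "$3" | awk 'END { print NR }'
}

# phase1_failure_cookies LOGTEXT
# Unique initiator:responder cookie pairs from "phase1 negotiation failed"
# lines; racoon prints the pair as the last field of that message.
phase1_failure_cookies() {
    printf '%s\n' "$1" | awk '/phase1 negotiation failed/ { print $NF }' | sort -u
}

# Usage when run directly: show the errors around the time the tunnel
# was noticed to be down (10:39 to 10:40 in the constructed log).
ipsec_errors_between "$SAMPLE_LOG" 10:39 10:40
```

Narrowing the window first matters on a busy box: ipsec.log on pfSense 2.1 is a circular clog buffer, so the lines from the moment the tunnel broke may be close to the end of what is still retained, and a cookie that keeps reappearing in phase 1 failures tells you the same peer is failing repeatedly rather than a one-off send error.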
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.