• IPSEC+VPC AMAZON (Resolved)

    0 Votes
    1 Posts
    884 Views
    No one has replied
  • 0 Votes
    4 Posts
    2k Views
    R
    forgot to upload the most important thing … IPsec log [image: 19.jpg] [image: 20.jpg]
  • Multiple IPSEC VPNs

    0 Votes
    6 Posts
    6k Views
    G
    If I understood correctly, you want 2 sites (which are not connected directly between them) to use your main office as a "hop" to get connected? If that's the case, it is a routing problem. BranchA doesn't know that it has to route traffic intended for BranchB through your main office. Since you cannot really add static routes that play with IPsec, the solution is to add another Phase 2 at BranchA and BranchB (and the main office, of course) which connects the opposite site's subnet. Example: let's say the main office is 192.168.0.0/24, BranchA is 192.168.1.0/24 and BranchB is 192.168.2.0/24. On BranchA you add a Phase 2 that reads:
        Local Subnet: 192.168.1.0/24
        Remote Subnet: 192.168.2.0/24
    Same (but opposite) on BranchB and the main office. You would need as many Phase 2's as sites you want connected. After that it should work. Some time ago I had the same problem and solved it in this way. Whether you can add another Phase 2 on the Netgear firewalls or not, that's a different story. You could also solve this by using NAT before IPsec (which should be available on 2.1, haven't tested it yet), but you won't have fully transparent connectivity. Regards!
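The policy-lookup behaviour this reply relies on, as an added example written for this page (it is not code from the post, nor from pfSense or racoon): a small Python model that builds the Phase 2 selectors each site holds, first with only hub-to-branch tunnels and then with the extra branch-to-branch entries, and runs a selector lookup to show that BranchA-to-BranchB traffic is only protected once those entries exist at BranchA, at the main office and at BranchB. The subnets are the ones from the reply; the site names, the helper names and the choice to treat each Phase 2 as matching in either direction (standing in for the in/out policy pair pfSense installs per Phase 2) are assumptions of the example.

```python
"""Added example (not from the post or from pfSense/racoon): model the
Phase 2 selectors in a hub-and-spoke IPsec setup and check which
site-to-site packets would actually be protected.

Policy-based IPsec matches a packet against the Phase 2 selectors (the
SPD); there is no route lookup, which is why a static route cannot fix
branch-to-branch traffic.  Subnets are the ones from the reply; site
names and helper names are assumptions for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed topology from the reply: the main office is the hub.
SITES = {
    "main": ip_network("192.168.0.0/24"),
    "BranchA": ip_network("192.168.1.0/24"),
    "BranchB": ip_network("192.168.2.0/24"),
}


def spoke_only_policies(hub, sites):
    """Phase 2 list per site when only hub<->branch tunnels exist."""
    spd = {name: [] for name in sites}
    for name, net in sites.items():
        if name != hub:
            spd[name].append((net, sites[hub]))  # branch: local -> hub
            spd[hub].append((sites[hub], net))   # hub: local -> branch
    return spd


def full_mesh_via_hub(hub, sites):
    """Add the extra Phase 2 entries the reply describes: for every pair
    of branches, a selector for the opposite branch's subnet at both
    branches, and the same pair at the hub (one on each branch's
    tunnel) so the hub can relay the traffic."""
    spd = spoke_only_policies(hub, sites)
    branches = [n for n in sites if n != hub]
    for i, a in enumerate(branches):
        for b in branches[i + 1:]:
            spd[a].append((sites[a], sites[b]))
            spd[b].append((sites[b], sites[a]))
            spd[hub].append((sites[a], sites[b]))
            spd[hub].append((sites[b], sites[a]))
    return spd


def spd_match(entries, src, dst):
    """Return the first (local, remote) selector covering src->dst, or None.
    A selector is treated as matching in either direction, standing in for
    the in/out policy pair installed per Phase 2 (assumption of the model)."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in entries:
        if (s in local and d in remote) or (s in remote and d in local):
            return (local, remote)
    return None


def path_is_protected(spd, sites, hub, src_site, dst_site):
    """True when the source site, the hub and the destination site all hold
    a selector for the packet; a missing selector at any hop is the
    'cannot reach the other branch' symptom."""
    src, dst = str(sites[src_site][10]), str(sites[dst_site][10])
    return all(spd_match(spd[hop], src, dst) is not None
               for hop in (src_site, hub, dst_site))


if __name__ == "__main__":
    spoke = spoke_only_policies("main", SITES)
    mesh = full_mesh_via_hub("main", SITES)
    print("spoke-only, BranchA->BranchB:",
          path_is_protected(spoke, SITES, "main", "BranchA", "BranchB"))
    print("with extra Phase 2, BranchA->BranchB:",
          path_is_protected(mesh, SITES, "main", "BranchA", "BranchB"))
    print("Phase 2 entries at the main office:", len(mesh["main"]))
```

With three sites the main office ends up with four Phase 2 entries and each branch with two; adding a fourth branch means another pair at every branch it should reach, plus the matching pairs at the hub, which is the "as many Phase 2's as sites" cost the reply mentions.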
  • Cannot reach hosts across pfSense site to site ipsec tunnel

    0 Votes
    6 Posts
    4k Views
    K
    And, if possible, OpenVPN would be a step up… Unless there is something that prevents it.
  • No traffic between PfSense and Monowall tunnel

    0 Votes
    2 Posts
    1k Views
    D
    Anyone that have a clue what could be wrong here?
  • [SOLVED] IPSEC not tunneling traffic

    0 Votes
    6 Posts
    2k Views
    M
    Presume you set the iPhone VPN configuration "SEND ALL TRAFFIC" to "ON". This is a good resource for OpenVPN client setup. http://www.guizmovpn.com/index.php?option=com_agora&task=topic&id=559&Itemid=14
  • Ability to see virtual IP address of mobile IPSec clients?

    0 Votes
    4 Posts
    1k Views
    jimpJ
    I'm not sure, I don't recall seeing anyone mention it before. You can open a feature request on redmine (target = future) if you like, but search a little there first to make sure there isn't one already.
  • Weird audio problem with SIP phone and asterisk

    0 Votes
    1 Posts
    959 Views
    No one has replied
  • 2.1 - IPsec overview page slow to load

    0 Votes
    2 Posts
    1k Views
    C
    The issue has stopped happening, arbitrarily, but I'd like to get some input on whether other people have experienced this, in case it comes back again.
  • AES-NI

    0 Votes
    2 Posts
    1k Views
    jimpJ
    As of 2.1 IPsec can't see it/use it. That should be corrected in 2.2 (FreeBSD 10)
  • Pfsense 2.1 and cisco asa5520 one way traffic (SOLVED)

    0 Votes
    2 Posts
    2k Views
    D
    The solution was to move the nat command higher up the NAT table using these commands on the ASA5520. First remove it:
        no nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    Then add it again:
        nat (inside,outside) 2 source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
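An added illustration of the ordering problem behind this fix (example code written for this page, not the poster's configuration and not Cisco's): the ASA walks its manual NAT section top-down and uses the first matching rule, so an identity NAT for the VPN subnets that sits below a broader rule never fires, the source is translated before the tunnel's selector is checked, and the packet leaves in the clear. The model uses the post's 10.0.0.0/8 and 192.168.1.0/24 subnets and treats `nat (inside,outside) 2 ...` as inserting at position 2; the interface PAT rule, the exemption for a second tunnel at position 1 and the outside address 203.0.113.1 are assumptions that do not appear in the post.

```python
"""Added example (not the poster's configuration or Cisco code): a model
of the ASA manual NAT section as an ordered, first-match table, showing
why the VPN identity NAT only works once it sits above the broader rule.
Subnets are the ones from the post; the interface PAT rule, the second
exemption at position 1 and the outside address are assumptions."""
from ipaddress import ip_address, ip_network


class NatRule:
    def __init__(self, name, src, dst=None, translate_to=None):
        self.name = name                              # label for the demo only
        self.src = ip_network(src)
        self.dst = ip_network(dst) if dst else None   # None: any destination
        self.translate_to = translate_to              # None: identity (keep source)

    def matches(self, s, d):
        return s in self.src and (self.dst is None or d in self.dst)


class NatTable:
    """Manual NAT section: evaluated top-down, first matching rule wins."""

    def __init__(self):
        self.rules = []

    def add(self, rule, position=None):
        """position mirrors the sequence number in 'nat (inside,outside) 2 ...';
        without one the rule is appended at the end of the section."""
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position - 1, rule)

    def remove(self, name):
        """Equivalent of prefixing the nat command with 'no'."""
        self.rules = [r for r in self.rules if r.name != name]

    def translate(self, src, dst):
        """Return (rule name, post-NAT source) for a packet src->dst."""
        s, d = ip_address(src), ip_address(dst)
        for r in self.rules:
            if r.matches(s, d):
                return r.name, (r.translate_to or src)
        return "no-match", src


def crypto_selector_matches(table, src, dst, local_selector, remote_selector):
    """The tunnel's selector is checked after NAT: a source PATed to the
    outside address no longer falls inside the local selector, so the
    packet is sent unencrypted, which shows up as one-way traffic."""
    _, post_nat_src = table.translate(src, dst)
    return (ip_address(post_nat_src) in ip_network(local_selector)
            and ip_address(dst) in ip_network(remote_selector))


def build_table(fixed):
    """Rebuild the section as it was before and after the fix."""
    t = NatTable()
    # Assumed existing rules (not in the post): an exemption for another
    # tunnel at position 1 and an interface PAT for everything else.
    t.add(NatRule("vpn-exempt-other", "10.0.0.0/8", "192.168.2.0/24"))
    t.add(NatRule("pat-inside-any", "0.0.0.0/0", None, "203.0.113.1"))
    vpn_exempt = NatRule("vpn-exempt", "10.0.0.0/8", "192.168.1.0/24")
    t.add(vpn_exempt)   # as first added, no sequence number: lands below the PAT
    if fixed:
        t.remove("vpn-exempt")           # no nat (inside,outside) source static ...
        t.add(vpn_exempt, position=2)    # nat (inside,outside) 2 source static ...
    return t


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_table(fixed)
        print("fixed" if fixed else "broken", [r.name for r in t.rules],
              t.translate("10.1.2.3", "192.168.1.20"))
```

In the broken order the packet for 192.168.1.20 is matched by the PAT rule and leaves with source 203.0.113.1; after re-adding the exemption at sequence 2 it keeps its 10.x source and stays inside the tunnel's selector, while Internet-bound traffic still hits the PAT rule.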
  • ERROR: in ipsec between RV042 and PFbox 2.1

    0 Votes
    5 Posts
    2k Views
    A
    I kinda figured out what the issue was and it may be something to do with the 2.1 release, maybe a feature or GUI issue which was causing this problem. I did get it working. I will post screenshots for both sites in the morning. EDIT: Sorry, will post SS next week as I need to travel to another city and only have access to a cellphone. Anyway the issue was very simple. In pfSense Phase 1, for My identifier and Peer identifier I selected the My IP and Peer IP tabs as I assumed they would be the default public IPs, but that was not the case. I had to select "IP address" in both tabs and manually give my and the peer's public IP. It started working. There is a lot of search for RV042 - pfSense setting screenshots, so I will make sure to put them up soon. Rgds
  • Can pfSense do Easy VPN to a Cisco ASA?

    0 Votes
    3 Posts
    3k Views
    K
    It would simultaneously be cool and uncool if pfSense had an OpenVPN package GUI that could be presented to the world and would allow a user, based on their credentials, to log in and download a config file for their account. Some people really want to allow this, even though it's not the most secure way to roll. Brings the security of the VPN down to a password.
  • Weird problem IPSEC

    0 Votes
    17 Posts
    5k Views
    K
    If you messed up the settings on the manual outbound NAT for port 500, that would do it. You need to have a setting at the very top to pass port 500 as static port.  I had many subnets, so I put a rule in to pass a /16 as static on that port to take care of all the /24s.  That rule should have been autogenerated, but it would be very easy to mess it up or to put in a rule before it that breaks it.
  • Dynamic IPSec peers: host routes not cleaned up when peer IPs change

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Randomly IPSec Tunnel Dropping - Reboot Brings it Back up

    0 Votes
    3 Posts
    2k Views
    W
    Thanks for your reply, was away from my machine. Settings are IDENTICAL, like I said it only happens for 1 particular Watchguard. Funny thing is I had to change the NICs out due to some interface errors 6 weeks or so ago; prior to that swap the tunnel never dropped (I think because the tunnel had restricted traffic). Once I changed that NIC, the errors cleared and the tunnel had more traffic on it, now bringing that firewall down randomly. Firewall is not identical, I started updating them one by one a day or so ago. ISPs, nothing has changed. Tunnel shows up in pfSense, but no pings are successful. I can get into the Watchguard however, from another location. IE, no ping from the pfSense box to the down Watchguard, but if I am in another Watchguard I can ping the "down" firewall just fine. Very odd and frustrating. Going to clear the states tonight. Once again thanks for your response, not sure what else I can check.
    ***Went down this AM.
        Sep 5 05:56:12 racoon: [site1 to site2]: [66.185.28.115] INFO: DPD: remote (ISAKMP-SA spi=d8bd5fa5f02159cb:2d3df88062dc7094) seems to be dead.
        Sep 5 05:55:37 racoon: [site1 to site2]: INFO: ISAKMP-SA established 78.185.55.234[500]-66.185.28.115[500] spi:8c610366f1e444b6:e167895836b7b267
        Sep 5 05:55:37 racoon: INFO: NAT not detected
        Sep 5 05:55:37 racoon: INFO: NAT-D payload #1 verified
        Sep 5 05:55:37 racoon: [site1 to site2]: [66.185.28.115] INFO: Hashing 66.185.28.115[500] with algo #2
        Sep 5 05:55:37 racoon: INFO: NAT-D payload #0 verified
        Sep 5 05:55:37 racoon: [Self]: [78.15.55.234] INFO: Hashing 78.15.55.234[500] with algo #2
        Sep 5 05:55:37 racoon: INFO: Adding remote and local NAT-D payloads.
        Sep 5 05:55:37 racoon: [Self]: [78.15.55.234] INFO: Hashing 78.15.55.234[500] with algo #2
        Sep 5 05:55:37 racoon: [site1 to site2]: [66.185.28.115] INFO: Hashing 66.185.28.115[500] with algo #2
        Sep 5 05:55:37 racoon: [site1 to site2]: [66.185.28.115] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
  • Slave unable to reach out via IPSEC tunnel

    0 Votes
    1 Posts
    981 Views
    No one has replied
  • IPSEC DOWN - Unknown Gateway

    0 Votes
    2 Posts
    3k Views
    B
    Bumping this thread, hoping we can get resolution. I'm seeing the same error, I've got multiple tunnels up but I'm having disconnect issues with them. The SAD entries still appear with setkey -D but the counters show no traffic coming from the remote site. The other site is not a racoon/pfSense device.
        Sep  4 08:34:44 vpn racoon: [184.71.132.154] ERROR: delete payload with invalid doi:0.
        Sep  4 08:48:45 vpn racoon: [aaa.aaa.aaa.aaa] ERROR: unknown Informational exchange received.
        Sep  4 11:10:39 vpn racoon: ERROR: phase1 negotiation failed due to time up. 4da0a464cfd021e5:d86e8547b43ac0af
        Sep  4 12:56:54 vpn racoon: [aaa.aaa.aaa.aaa] ERROR: unknown Informational exchange received.
        Sep  4 13:48:59 vpn racoon: ERROR: pfkey DELETE received: ESP me.me.me/me[500]->aaa.aaa.aaa.aa[500] spi=246925167(0xeb7c76f)
        Sep  4 13:48:59 vpn racoon: ERROR: no iph2 found: ESP aaa.aaa.aaa.aaa[500]->me.me.me.me[500] spi=199400304(0xbe29b70)
        Sep  4 13:49:10 vpn racoon: ERROR: no iph2 found: ESP me.me.me.me[500]->aaa.aaa.aaa.aaa[500] spi=166831041(0x9f1a3c1)
        Sep  4 13:51:16 vpn racoon: ERROR: no iph2 found: ESP me.me.me.me[500]->bbb.bbb.bbb.bbb[500] spi=1807220792(0x6bb80038)
        Sep  4 13:51:16 vpn racoon: ERROR: no iph2 found: ESP bbb.bbb.bbb.bbb[500]->me.me.me.me[500] spi=36532152(0x22d6fb8)
        Sep  4 13:55:02 vpn racoon: ERROR: pfkey DELETE received: ESP me.me.me.me[500]->ccc.ccc.ccc.ccc[500] spi=187913932(0xb3356cc)
        Sep  4 13:55:02 vpn racoon: ERROR: no iph2 found: ESP ccc.ccc.ccc.ccc[500]->me.me/me/me[500] spi=213876149(0xcbf7db5)
    Here's one of my racoon.conf entries for Site A:
        remote aaa.aaa.aaa.aaa {
                exchange_mode main;
                lifetime time 28800 seconds;
                proposal {
                        encryption_algorithm 3des;
                        hash_algorithm sha1;
                        authentication_method pre_shared_key;
                        dh_group 2;
                }
                generate_policy off;
        }
        sainfo address 172.29.0.0/28 any address 192.168.0.0/23 any {
                pfs_group 2;
                lifetime time 28800 seconds;
                encryption_algorithm 3des;
                authentication_algorithm hmac_sha1;
                compression_algorithm deflate;
        }
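An added example for the racoon log excerpts in this post and in "Randomly IPSec Tunnel Dropping - Reboot Brings it Back up" above (written for this page; it is not code from either poster or from pfSense): a parser that turns racoon log lines of the kinds quoted in the two threads into per-peer counts of ISAKMP-SA establishments, DPD "seems to be dead" events, "no iph2 found" and pfkey DELETE errors, and flags a peer whose previous SA is declared dead shortly after a fresh SA comes up, which is the 35-second pattern in the earlier post. The sample log is constructed with documentation addresses, the event names and the 60-second threshold are this example's own choices, and the local address is passed in because the ESP lines name both endpoints.

```python
"""Added example (not code from either poster or from pfSense/racoon):
parse racoon log lines of the kinds quoted in this thread and in
'Randomly IPSec Tunnel Dropping' above, and summarise them per peer.
The sample log is constructed for this example with documentation
addresses; event names and the 60-second flap threshold are this
example's own choices."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one fresh ISAKMP SA, the previous SA declared dead
# by DPD 35 s later, then a Phase 1 timeout and pfkey/Phase 2 errors,
# modelled on the lines quoted in the two posts.
SAMPLE_LOG = """\
Sep  5 05:55:37 racoon: INFO: NAT-D payload #1 verified
Sep  5 05:55:37 racoon: INFO: NAT not detected
Sep  5 05:55:37 racoon: [site1 to site2]: INFO: ISAKMP-SA established 192.0.2.1[500]-198.51.100.7[500] spi:8c610366f1e444b6:e167895836b7b267
Sep  5 05:56:12 racoon: [site1 to site2]: [198.51.100.7] INFO: DPD: remote (ISAKMP-SA spi=d8bd5fa5f02159cb:2d3df88062dc7094) seems to be dead.
Sep  5 06:10:39 vpn racoon: ERROR: phase1 negotiation failed due to time up. 4da0a464cfd021e5:d86e8547b43ac0af
Sep  5 06:48:59 vpn racoon: ERROR: pfkey DELETE received: ESP 192.0.2.1[500]->198.51.100.7[500] spi=246925167(0xeb7c76f)
Sep  5 06:48:59 vpn racoon: ERROR: no iph2 found: ESP 198.51.100.7[500]->192.0.2.1[500] spi=199400304(0xbe29b70)
Sep  5 06:49:10 vpn racoon: ERROR: no iph2 found: ESP 192.0.2.1[500]->198.51.100.7[500] spi=166831041(0x9f1a3c1)
"""

# Syslog prefix, optional hostname, then the racoon message body.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?:\S+\s+)?racoon:\s+(?P<body>.*)$")
# Optional "[tunnel name]: " tag, optional "[peer ip] ", then level and text.
BODY_RE = re.compile(
    r"^(?:\[[^\]]*\]:\s+)?(?:\[(?P<peer>[^\]]+)\]\s+)?(?P<level>INFO|ERROR):\s+(?P<msg>.*)$")
ESP_RE = re.compile(r"ESP (?P<src>\S+)\[\d+\]->(?P<dst>\S+)\[\d+\] spi=(?P<spi>\d+)")

PATTERNS = [
    ("isakmp_established", re.compile(
        r"ISAKMP-SA established \S+\[\d+\]-(?P<peer>\S+)\[\d+\] spi:(?P<spi>\S+)")),
    ("dpd_dead", re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>\S+)\) seems to be dead")),
    ("phase1_timeout", re.compile(r"phase1 negotiation failed due to time up\.? ?(?P<spi>\S+)?")),
    ("no_iph2", re.compile(r"no iph2 found: " + ESP_RE.pattern)),
    ("pfkey_delete", re.compile(r"pfkey DELETE received: " + ESP_RE.pattern)),
]


def parse_log(text, local=None):
    """Return one event dict per racoon line: ts, level, kind, peer, spi.
    'local' is our own address, used to pick the remote end of ESP lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {int(m['day'])} {m['time']}", "%b %d %H:%M:%S")
        b = BODY_RE.match(m["body"])
        if not b:
            continue
        kind, peer, spi = "other", b["peer"], None
        for name, pat in PATTERNS:
            pm = pat.search(b["msg"])
            if pm:
                kind, g = name, pm.groupdict()
                spi = g.get("spi")
                if "src" in g:          # ESP lines name both ends; keep the remote one
                    peer = g["dst"] if g["src"] == local else g["src"]
                elif g.get("peer"):
                    peer = g["peer"]
                break
        events.append({"ts": ts, "level": b["level"], "kind": kind, "peer": peer, "spi": spi})
    return events


def summarize(events, flap_threshold=60):
    """Per-peer event counts, plus (peer, seconds) for every DPD death that
    followed a fresh ISAKMP SA within flap_threshold seconds."""
    per_peer = defaultdict(lambda: defaultdict(int))
    last_sa, flaps = {}, []
    for e in events:
        if e["kind"] == "other":
            continue
        per_peer[e["peer"]][e["kind"]] += 1
        if e["kind"] == "isakmp_established":
            last_sa[e["peer"]] = e["ts"]
        elif e["kind"] == "dpd_dead" and e["peer"] in last_sa:
            gap = (e["ts"] - last_sa[e["peer"]]).total_seconds()
            if gap < flap_threshold:
                flaps.append((e["peer"], gap))
    return {p: dict(c) for p, c in per_peer.items()}, flaps


if __name__ == "__main__":
    counts, flaps = summarize(parse_log(SAMPLE_LOG, local="192.0.2.1"))
    for peer, c in counts.items():
        print(peer, c)
    print("DPD death shortly after a new SA:", flaps)
```

Feed it the IPsec log export from a real box with `local` set to the WAN address; the DPD entry in the earlier post names a different SPI from the SA established 35 seconds before it, so pairing the two by peer rather than by SPI is what makes the flap visible.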
  • IPSec error Unknown Gateway/Dynamic v2.0.3

    0 Votes
    2 Posts
    3k Views
    jimpJ
    Have you checked here? http://doc.pfsense.org/index.php/IPsec_Troubleshooting
  • IPsec multi-WAN failover

    0 Votes
    2 Posts
    1k Views
    jimpJ
    That only works on 2.1, and on 2.1, a gateway group will show up as an interface choice for the tunnel.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.