• 0 Votes
    2 Posts
    1k Views
    C
    Yea I do! Just ring me!! :-)
  • Slow download speed through IPSec tunnel :(

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    C
    VMware always! :-)
  • IPsec tunnel established but gateway show as 0.0.0.0?

    Locked
    2
    0 Votes
    2 Posts
    992 Views
    C
    You need to go into detail my friend.. Screenshots would help a lot, to get more responses
  • Ipsec - Routing site to multisite

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C
    I can explain how to do it, as I have done it. But wouldn't it just be easier to establish another IPsec tunnel to Site 3 from Site 1?
  • Routing through an IPSec Tunnel

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    What is the gateway of your 0.0 computers using? It should be pfsense… not the router... The router should be a route for pfsense to get out to the internet. Clients shouldn't really be able to see the router at all except for Pfsense. If your router can ping then the internal IP hop is missing, and needs to be corrected.. But I would recommend making sure clients gateway is pfsense. So it should look like this 192.168.0.0/24---->pfsense(192.168.0.100)----Router(172.32.45.1)---<internet>---Router--Pfsense--192.168.10.0/24 Yea...
  • Draytek IPsec as mobile client

    Locked
    1
    0 Votes
    1 Posts
    831 Views
    No one has replied
  • GRE keep alive, connection drops once a week.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    Under diagnostics, and PFinfo I noticed some packets are getting blocked, not sure what to do with that info, or if it is relevant.
    gre0
      Cleared:     Mon Nov 12 16:28:37 2012
      References:  [ States: 0  Rules: 10 ]
      In4/Pass:    [ Packets: 0  Bytes: 0 ]
      In4/Block:   [ Packets: 0  Bytes: 0 ]
      Out4/Pass:   [ Packets: 43039508  Bytes: 34927813259 ]
      Out4/Block:  [ Packets: 5993  Bytes: 5565603 ]
      In6/Pass:    [ Packets: 0  Bytes: 0 ]
      In6/Block:   [ Packets: 0  Bytes: 0 ]
      Out6/Pass:   [ Packets: 22  Bytes: 1692 ]
      Out6/Block:  [ Packets: 0  Bytes: 0 ]
    gre1
      Cleared:     Mon Nov 12 16:28:37 2012
      References:  [ States: 0  Rules: 8 ]
      In4/Pass:    [ Packets: 0  Bytes: 0 ]
      In4/Block:   [ Packets: 0  Bytes: 0 ]
      Out4/Pass:   [ Packets: 10901950  Bytes: 1862315434 ]
      Out4/Block:  [ Packets: 8  Bytes: 320 ]
      In6/Pass:    [ Packets: 0  Bytes: 0 ]
      In6/Block:   [ Packets: 0  Bytes: 0 ]
      Out6/Pass:   [ Packets: 56  Bytes: 4292 ]
      Out6/Block:  [ Packets: 0  Bytes: 0 ]
  • Odd IPSec Issue

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    @Stevej: Yes it definitely has a static IP which doesn't change. The Draytek to Draytek IPSEC is fine. It seems that the security associations aren't being cleared out and therefore although the tunnel will establish it won't pass data, but only seems to be for tunnels behind NAT. Any more thoughts anyone? yes - BUT is it PUBLIC IP? It works even with dynamic ip if you use DDNS service also.
  • Multiple Phase2 Policies one is failing

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    S
    I have the same problem :( :( Do you have any solutions because one phase 2 is up and another phase 2 is down ?? tunnel 192.168.126.0/24 192.168.5.0/24 ESP 3DES SHA1, MD5 (UP) tunnel 192.168.100.0/24 192.168.5.0/24 ESP 3DES SHA1, MD5 (DOWN)
  • Ipsec to multiple subnets DRAYTEK <–> PFSENSE

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How do I tunnel a few disjointed networks one way through a tunnel?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    W
    So, it is ok for local network to be duplicated in rules? I did try this, but saw that one of the errors at one point was "duplicate rule" or similar in the logs, so I figured it was not meant to be like that. … I will try again shortly. Thanks, Wil
  • Replacing a Cisco in a site-to-site VPN

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Yeah you'll have to have 25 P2s. May want to consider consolidating that for the P2s and controlling more tightly via firewall rules, but it'll work fine with 25 P2s as well.
  • VoIP quality issues over VPN

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry HavokC
    What does the bandwidth behaviour look like without the VPN? Without testing that you've no way of knowing if your problem is because of the VPN, or something else…
  • Replacing Cisco VPN infrastructure with pfSense?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    There isn't any documentation for it yet. You can get an idea of what it supports by perusing the code here: https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/openvpn.auth-user.php#L127 https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/openvpn.attributes.php
  • IPSEC not connecting all of a sudden

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    R
    Thanks for the quick response. The networking guy's not playing nice. They screwed up and are not fessing up.
  • Problematic IPSec connection dies and doesn't reconnect.

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    J
    Is there a way to change the default ports for IPSec (500 and 4500) in pfSense? Primarily only the ports that pfSense uses for sending requests, not for listening as I am not sure if I can change the ports in the Fritzbox. Can I route, for example, incoming port 4501 with the NAT rules to internal port 4500? Can I route outgoing port 4500 to e.g. 4501? EDIT Ohh, the installed version is 2.0.2-RELEASE (i386) BTW :D
  • S2S IPSEC ignores remote side traffic and times out.

    Locked
    1
    0 Votes
    1 Posts
    882 Views
    No one has replied
  • Mobile user not shown in the status

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    J
    I am using Pre-Shared Keys only, so this seems to be the problem. Thank you very much.
  • Need to make IPSec auth from FreeIPA

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    B
    Ok, so I don't need to worry about them having group access to VPN stuff as long as I'm on 2.1beta and the auth inside the IPSec config is set for the LDAP Server?
  • Ipsec nat problem

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E
    2.1 is stable nowadays. Just some snapshots might have issues due to how snapshots work and development going on. For the ipsec HA setup you would need different remote ip addresses since it's still not possible to bind ipsec to a failover group or assign same remote peer to 2 different tunnels.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.