• Does pfSense open Racoon ports by default

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    Yes, the necessary firewall rules are added automatically.

  • Join Windows Domain (Windows 7 only prob) over pfsense IPSEC VPN Tunnel

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN with Amazon AWS - Using Static Option (non bgp)

    Locked
    14
    0 Votes
    14 Posts
    10k Views
    S

    No, I gave up and set up an OpenVPN box in my VPC on the same box running the NAT.

  • IPSec not working after upgrade from 2.0.1 to 2.0.2

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    L

    I have a PPPoE WAN, so that may very well be the problem. Will try the 2.0.3 sometime.

    Thanks.

    Lex

  • IPSEC Transport Mode brings down GRE Tunnel

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    X

    Hi, I am back again. I've been using IPSEC in tunnel mode for a while but I am giving transport another go.
    I have tried again and I cannot get IPSEC transport mode to come up.
    I have disabled IPSEC ESP and am just using AH for the time being.
    I have allowed both protocols on the WAN interface (ESP & AH) from the public IP address of each side to "any" (as well as ICMP from either side).
    Prefer old IPSEC SAs is OFF

    I have:
    IP: IPv4
    INTERFACE: WAN
    REMOTE GATEWAY: PUBLIC IP OF OTHER SIDE
    AUTHENTICATION PROTOCOL: Mutual PSK
    NEGOTIATION: Aggressive
    MY IDENTIFIER: My IP Address
    PEER IDENTIFIER: Peer IP Address
    PRESHARED KEY: <psk> (COPY & PASTED, THEY ARE THE SAME)
    POLICY GENERATION: Default
    PROPOSAL CHECKING: Default
    ENCRYPTION ALGORITHM: 3DES
    HASH ALGORITHM: SHA384
    DH KEY GROUP: 2(1024 bit)
    LIFETIME: 28800
    NAT TRAVERSAL: DISABLE
    DEAD PEER: UNCHECKED

    And for Phase 2:

    MODE: TRANSPORT
    PROTOCOL: AH
    HASH ALGORITHMS: MD5
    PFS KEY GROUP: OFF
    LIFETIME: 86400
    AUTOMATICALLY PING HOST: BLANK

    I know in IPSEC it is CRITICAL to make sure both sides match, so I have ensured that. I've deleted the SPD on both sides and restarted racoon, and it still comes up with "error" under Status > IPSEC. No obvious errors in the logs (I've googled just about everything in there).
    GRE is up and running, with OSPF over it. I can ping/access my remote subnets, but it breaks when I turn on IPSEC. I'd be really grateful for any ideas!

  • IOS 6 - DEBUG: no remote configuration found.

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    jimpJ

    If you are in the same subnet, the WAN rules have reply-to on them which sends the data back via the gateway. That breaks what you're trying to do.

    You can disable reply-to in the advanced options on the firewall/NAT tab.

  • On IPsec and NAT again - SOLVED

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    S

    Thanks for the explanation.
    For those who have the same problem, I've solved it with a workaround, for now.
    I've:

    assigned a virtual IP (192.168.2.1) on LAN interface

    set up apposite rules on firewall/NAT section (included Manual Outbound NAT)

    added a new address (e.g. 192.168.2.5) on the network card of the internal Windows machine and a new gateway 192.168.2.1 (with a higher metric than the default so it does not interfere with the previous state)

    in the Windows machine set up a new permanent route to 10.1.0.0/16 net via 192.168.2.1 gateway

    It works!

  • Ipsec disconnects without apparent reason

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    That's not the same problem. Something there is attempting to negotiate with mismatched settings.

  • IOS 6 IPSEC connects but no DNS lookup. iOS 5 was fine.

    Locked
    8
    0 Votes
    8 Posts
    7k Views
    B

    Using 2.1-Beta1 (i386) built on Sun Dec 30 22:21:30 EST 2012

    The following settings worked for me to allow access to my internal networks
    by name or ip and still be able to browse the web or other networks.

    Mobile clients tab:

    I made sure "Provide a list of accessible networks to clients" is checked.

    Tunnels tab:

    I had to create three Phase 2 entries and then add the following in each Local Network.
    Network Type: 10.0.0.0/8
    Network Type: 172.16.0.0/12
    Network Type: 192.168.0.0/16

  • Is pfSense capable of send data over its own IPSec links?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M

    Pity. At least now I know I can stop looking for a solution for it :) Thanks!

  • Mobile IPsec fails with glxsb and AES128

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    M

    Thx…

  • Multiple IPsec Mobile Phase 1 (for multiple WAN interfaces)

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    jimpJ

    Completely different animal.

    I had thought it would be simpler but it requires a bit of heavy lifting to make that work. That's why we chose to do the gateway group method instead of that sort of failover.

    Would still be nice to figure out eventually, but a bit beyond my understanding of racoon's config and how we'd have to set it all up. (Plus the other end would have to support it, too)

  • IPsec to two different LAN networks

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    It works, thank you  ;)
    It looks like Mikrotik supports that pretty well :)

    Michael

  • [HowTo] - Windows IPSec VPN without 3rd party IPSec client

    Locked
    5
    0 Votes
    5 Posts
    13k Views
    P

    Is this a TYPO or do the Windows 7 versions not support this ??

    You need Windows Vista or Windows 2008 or later.

    TIA –

  • IPSec between PFSense 2.0 and Watchguard XTM

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    G

    Thanks Jimp,

    Unfortunately I don't have a crypto / accelerator card in the PFSense machine. It's a Dual Core HP XW4600 workstation with a DLINK DFE570TX card for the WAN / LAN.

    I have tried just about every configuration I can think of, have remotely controlled the Watchguard and checked, and the settings are identical in every way. I can never get past that last message.

    I have successfully set up an IPSEC VPN tunnel between this box and a couple of Draytek Vigor boxes, just can't get the Watchguard Firebox to talk.

    If there is someone out there in the UK that has done this I would be more than happy to pay them to sort this out. I just need to get it up and running else face having to split my network out with a router in front of PFSense and have the client drop their own Watchguard box into the mix.

    Thanks

    Graham

  • IpSec VPN and DHCP Relay

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSec NAT-T not work for iPad

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M

    Yesterday I set up my iPad to our 2.01 and I can log in to our office. But I can't exchange a single package with the LAN…

    This is what I see in the IPsec log:

    Dec 19 09:50:35 racoon: ERROR: pfkey ADD failed: Invalid argument
    Dec 19 09:50:35 racoon: ERROR: pfkey UPDATE failed: Invalid argument
    Dec 19 09:50:35 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Dec 19 09:50:35 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Dec 19 09:50:35 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 10.10.115.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Dec 19 09:50:35 racoon: [Self]: INFO: respond new phase 2 negotiation: XXX.91.YY.41[4500]<=>80.187.106.225[26197]
    Dec 19 09:50:34 racoon: WARNING: Ignored attribute 28683
    Dec 19 09:50:34 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Dec 19 09:50:32 racoon: INFO: login succeeded for user "mirco"
    Dec 19 09:50:32 racoon: INFO: Using port 0
    Dec 19 09:50:20 racoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2
    Dec 19 09:50:20 racoon: INFO: Sending Xauth request
    Dec 19 09:50:20 racoon: INFO: NAT detected: ME PEER
    Dec 19 09:50:20 racoon: [80.187.106.225] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Dec 19 09:50:20 racoon: INFO: NAT-D payload #1 doesn't match
    Dec 19 09:50:20 racoon: INFO: NAT-D payload #0 doesn't match
    Dec 19 09:50:20 racoon: [Self]: INFO: NAT-T: ports changed to: 80.187.106.225[26197]<->XXX.91.YY.41[4500]
    Dec 19 09:50:19 racoon: INFO: Adding xauth VID payload.
    Dec 19 09:50:19 racoon: [Self]: [XXX.91.YY.41] INFO: Hashing XXX.91.YY.41[500] with algo #2 (NAT-T forced)
    Dec 19 09:50:19 racoon: [80.187.106.225] INFO: Hashing 80.187.106.225[500] with algo #2 (NAT-T forced)
    Dec 19 09:50:19 racoon: INFO: Adding remote and local NAT-D payloads.
    Dec 19 09:50:19 racoon: [80.187.106.225] INFO: Selected NAT-T version: RFC 3947
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: DPD
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Dec 19 09:50:19 racoon: INFO: received Vendor ID: RFC 3947
    Dec 19 09:50:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 19 09:50:19 racoon: INFO: begin Aggressive mode.
    Dec 19 09:50:19 racoon: [Self]: INFO: respond new phase 1 negotiation: XXX.91.YY.41[500]<=>80.187.106.225[500]
    Dec 19 09:49:58 racoon: INFO: Released port 0
    Dec 19 09:49:58 racoon: [Self]: INFO: ISAKMP-SA deleted XXX.91.YY.41[4500]-192.168.115.253[4500] spi:4eeff2d9004bf1d5:d1a4149da651122f
    Dec 19 09:49:58 racoon: INFO: deleting a generated policy.
    Dec 19 09:49:58 racoon: INFO: purged ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.
    Dec 19 09:49:58 racoon: INFO: purging ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.

    And the filter log only recognises my iPad because our Zarafa Server is trying to access it on the old external 3G IP.

    When trying to test the connection by accessing an internal webserver by IP, all I get is a timeout… And yes, I've set up an any<>any rule for the IPsec interface!

    Greetz
    Mircsicz

    Edit: I followed this doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 and as I'm on an ALIX I suffer from the glxsb driver prob from this thread: http://forum.pfsense.org/index.php/topic,56289.0.html so after disabling glxsb it works as expected...

  • IPSEC connection working, no internet

    Locked
    1
    0 Votes
    1 Posts
    955 Views
    No one has replied
  • Ipsec routing or NAT problem with VIP alias

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    M

    I did a packet analysis using the Pfs captured packets on the IPsec tunnel interface and Wireshark, and came to the conclusion that packets were lost due to different MSS settings at the Pfs and the remote location. The MSS setting on the remote location appeared to be 1400 and my MSS is 1460. Changed the MSS setting on the Pfs LAN interface also to 1400 and now I'm able to browse the remote http page.
    So problem solved!

  • Can't make L2TP gateway work

    Locked
    1
    0 Votes
    1 Posts
    989 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.