• Routing through VPN tunnel

    Locked
    0 Votes
    8 Posts
    4k Views

    Sorry for the delayed answer, need to remember to enable notify on threads I participate in…

    But no, unfortunately I didn't get this to work, but I haven't spent much time on it either...

  • Site to site with same subnet is this possible?

    Locked
    1 Vote
    6 Posts
    7k Views

    @jimp:

    You can do that sort of NAT with OpenVPN, but not IPsec. You'd have to address the remote side IPs as though they were in a different subnet, so it doesn't really save you any convenience.

    If you have no conflicting IPs at all, just the same subnet, a bridge may be possible, but never recommended.

    You could save yourself a lot of headaches by just renumbering one side though.

    Hi jimp,
    I can confirm that with OpenVPN, NAT (SNAT) before the OVPN tunnel works perfectly.
    As reported in the pfSense 2.0 features and in a lot of forum threads, NAT before IPsec is not supported yet (maybe in the 2.1 version).

    Looking for a solution to my issue, I've read your post ( http://forum.pfsense.org/index.php/topic,36119.msg186468.html#msg186468 ) and some tips about multiple pfSense boxes (one for NAT, one for IPsec) to work around NAT before IPsec.

    In my scenario, I have multiple IPsec tunnels to remote sites with overlapping subnets (i.e. 192.168.1.0/24).

    MyIP: 1.1.1.1
    MyLocalHost: 10.123.1.10
    MyLocalSubnet: 10.123.1.0/24
            |
    <<ipsec tunnel1>>
            |
    RemoteSite1: 2.2.2.2
    RemoteSubnet1: 192.168.1.0/24
    RemoteHostInSubnet: 192.168.1.10

    MyIP: 1.1.1.1
    MyLocalSubnet: 10.123.1.0/24
            |
    <<ipsec tunnel2>>
            |
    RemoteSite2: 3.3.3.3
    RemoteSubnet2: 192.168.1.0/24
    RemoteHostInSubnet: 192.168.1.10

    As you can see, the subnet overlap is only between the remote sites, not between the local and remote site. How do I reach hosts in different remote sites that have the same IP and subnet from MyLocalHost? Can multiple pfSense boxes help me in this scenario?

    Thanks a lot
    SierraBravo

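The addressing problem in the post above, worked through as an added example (this is not code from the thread or from pfSense). Two tunnels whose remote subnets both read 192.168.1.0/24 cannot be told apart by Phase 2 selectors alone, which is the ambiguity jimp points at. The way out is to translate each remote LAN to a distinct "virtual" prefix wherever the NAT can sit (the remote pfSense, or a separate NAT box in front of the IPsec box as the post asks about), so that the selectors the IPsec stack evaluates never overlap. The 10.200.x.0/24 virtual prefixes and the peer addresses reused from the post are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed scenario, following the post: both remote sites use 192.168.1.0/24.
# Each tunnel gets a distinct virtual subnet (assumed values) that the local
# side addresses instead of the real, overlapping one.
LOCAL_NET = "10.123.1.0/24"
TUNNELS: Dict[str, Dict[str, str]] = {
    "tunnel1": {"peer": "2.2.2.2", "real": "192.168.1.0/24", "virtual": "10.200.1.0/24"},
    "tunnel2": {"peer": "3.3.3.3", "real": "192.168.1.0/24", "virtual": "10.200.2.0/24"},
}


def overlapping_remotes(tunnels: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of tunnels whose real remote subnets overlap. With plain Phase 2
    selectors these are ambiguous: a packet to 192.168.1.10 matches both and
    nothing in the address tells the stack which tunnel to use."""
    names = sorted(tunnels)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra = ipaddress.ip_network(tunnels[a]["real"])
            rb = ipaddress.ip_network(tunnels[b]["real"])
            if ra.overlaps(rb):
                pairs.append((a, b))
    return pairs


def check_virtual_plan(tunnels: Dict[str, Dict[str, str]], local_net: str) -> bool:
    """Virtual subnets must be disjoint from each other and from the local LAN,
    and the same size as the real subnet they stand in for (1:1 mapping)."""
    nets = [ipaddress.ip_network(local_net)]
    for name, t in tunnels.items():
        v, r = ipaddress.ip_network(t["virtual"]), ipaddress.ip_network(t["real"])
        if v.prefixlen != r.prefixlen:
            raise ValueError(f"{name}: virtual {v} and real {r} differ in size")
        for n in nets:
            if v.overlaps(n):
                raise ValueError(f"{name}: virtual {v} overlaps {n}")
        nets.append(v)
    return True


def rebase(addr: str, from_net: str, to_net: str) -> str:
    """1:1 (BINAT-style) translation: keep the host part, swap the prefix."""
    a = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in src:
        raise ValueError(f"{a} is not in {src}")
    offset = int(a) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


def select_tunnel(dst: str, tunnels: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """SPD lookup on the local firewall. Phase 2 selectors are LOCAL_NET <->
    virtual subnet, so a destination matches at most one tunnel. Returns
    (tunnel, peer) or None when the packet is not tunnel traffic at all."""
    d = ipaddress.ip_address(dst)
    hits = [n for n, t in tunnels.items() if d in ipaddress.ip_network(t["virtual"])]
    if len(hits) > 1:
        raise ValueError(f"ambiguous selectors for {dst}: {hits}")
    return (hits[0], tunnels[hits[0]]["peer"]) if hits else None


def remote_nat_to_lan(tunnel: str, dst: str, tunnels: Dict[str, Dict[str, str]]) -> str:
    """At the remote site, a packet leaving the tunnel toward the LAN:
    virtual destination -> real 192.168.1.x host."""
    t = tunnels[tunnel]
    return rebase(dst, t["virtual"], t["real"])


def remote_nat_to_tunnel(tunnel: str, src: str, tunnels: Dict[str, Dict[str, str]]) -> str:
    """At the remote site, a reply entering the tunnel: real source -> virtual
    address, so the local host sees a unique peer per site."""
    t = tunnels[tunnel]
    return rebase(src, t["real"], t["virtual"])


if __name__ == "__main__":
    print("ambiguous without NAT:", overlapping_remotes(TUNNELS))
    check_virtual_plan(TUNNELS, LOCAL_NET)
    print(select_tunnel("10.200.1.10", TUNNELS), remote_nat_to_lan("tunnel1", "10.200.1.10", TUNNELS))
    print(select_tunnel("10.200.2.10", TUNNELS), remote_nat_to_lan("tunnel2", "10.200.2.10", TUNNELS))
    print(remote_nat_to_tunnel("tunnel2", "192.168.1.10", TUNNELS))
```

From MyLocalHost the two 192.168.1.10 hosts are reached as 10.200.1.10 and 10.200.2.10; the Phase 2 for each tunnel is 10.123.1.0/24 to its virtual /24, and the translation happens on the far side of the selector so the overlapping real addresses are never seen by the IPsec policy lookup. The plan check rejects a virtual prefix that collides with the local LAN or with another tunnel, which is the one mistake that silently recreates the original ambiguity.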

  • VPN Via Epia dual NIC Board racoon 100% cpu then crashes

    Locked
    0 Votes
    1 Post
    1k Views
    No one has replied
  • VPN Acceleration

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp

    It's already in snapshots - http://snapshots.pfsense.org

    Related thread: http://forum.pfsense.org/index.php/topic,50353.0.html

  • Possible to connect to a Primary tunnel and Backup tunnel?

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp

    If you read the notes on the ticket you'll see that the method used on that page isn't really viable the way we do things. But we're still searching for a good way to make that happen, to fail over between two remote peers without involving DNS.

  • 0 Votes
    3 Posts
    3k Views

    Hi,
    Thanks for your reply. I have the same opinion. But I might have a workaround with OpenVPN:
    using site-to-site OpenVPN connections but with different UDP port numbers.
    Because the topology above is just part of the network, the real network looks like this:

                |SiteB|
                  A  B
                  A  B
                  A  B
                  A  B
    |SiteA|-----|INTERNET|
                  C  D
                  C  D
                  C  D
                  C  D
                |SiteC|

    (A, B, C, D, - are internet links)

    SiteA has 1 internet link; SiteB and SiteC have 2 internet links. I want to use all the links to have redundancy between the two satellite sites (SiteA, SiteB)
    and the central site, SiteC. What I have done so far: I created site-to-site OpenVPN tunnels between SiteB using the A link and SiteC's C link, and between SiteB's A
    link and SiteC's D link. So far this works fine. SiteC is the OpenVPN server; SiteB, SiteC will be the OpenVPN clients. For failover I am using quagga's OSPF.
    So do you think this could work?

    Thanks,

    klajosh

  • IPSEC tunnel from dynamic IP

    Locked
    0 Votes
    5 Posts
    6k Views

    Ok, after a last test I have buried IPsec in my case. I had connected the Fritzbox to DSL and the tunnel was working fine and reliably. Then I switched from DSL to 3G/UMTS using the German provider Fonic/o2.
    The tunnel came up, but the packets sent from the pfSense box were definitely blocked by the provider.

    So I followed your advice, cmb, and installed OpenVPN on the Fritzbox. And, what should I say, it is working perfectly.

    Thanks for your help ;D

  • Routing to other subnets

    Locked
    0 Votes
    5 Posts
    3k Views

    So if I'm reading you right, if you are on 102, trying to get to a non-140 address, it fails? I'm no expert on IPsec by any means, but perhaps it's going something like this: 120 crosses the tunnel to get to 140, that works properly; 102 tries to get to 120, it doesn't have a route, it doesn't know to cross the tunnel to get there, which makes sense, because the tunnel is serving 102 to 140. Maybe set a route at the endpoints of the tunnel?
    I'm picturing something like this:
    102 tries to reach 120 -> route 102 to 140 -> ---tunnel--- 140 route to 120
    120 talks back to 102 -> route 120 to 140 -> ---tunnel--- 140 route to 102

  • IPSEC and two LANS that pfsense is NOT the default gateway?

    Locked
    0 Votes
    3 Posts
    2k Views

    Cheers for the reply.

    Tried that, and I thought I had an MTU problem as I could ping but could not connect on RDP - turns out I had a routing issue.

    Simple resolution: Replace the current gateway with pfSense.

    Now I have an issue where I need to route some traffic via IPsec that's to a second LAN, when the endpoint is the first LAN.
    I know that having another IPsec tunnel should work, but these DrayTek 2600s keep locking up when two IPsec connections are up to the same end.

  • IPSEC one static IP with a Dynamic client - NO dyndns service

    Locked
    0 Votes
    6 Posts
    4k Views

    Thanks cmb
    I will try setting it up as mobile, and I agree it is not ideal. But in Mexico a static IP is spendy, so the client said no to doing this properly.

  • IPsec Tunnel smartphone iphone / android

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp

    http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    That exact config works for me with Android 2.x, 4.0, and iOS.

    Note that you need IPsec+xauth on Android, not IPsec+L2TP.

  • 0 Votes
    2 Posts
    1k Views
    jimp

    Most IPsec clients/servers will expire the connection at about 2/3 or so of the limit to be sure it gets rekeyed before it would expire on the other side.

    As far as I can see, racoon doesn't have a parameter to control whether or not xauth is re-forced when the Phase 1 expires.

    What you set for your p1/p2 times may be getting overridden by what the client is requesting on connection (that's what setting 'obey' will do, generally)
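The lifetime behaviour jimp describes above, as an added example that is not part of the thread or of pfSense/racoon code. It models the responder-side lifetime check for the four racoon proposal_check modes (obey, strict, claim, exact; their semantics are restated here from racoon.conf(5) as an assumption of this example) together with the "rekey at about 2/3 of the lifetime" rule, and shows the failure mode the thread is about: when the two sides end up holding different lifetimes and only one of them rekeys, the Phase 1 can expire on the other side first, which is when a client gets re-prompted for xauth. All lifetime values are constructed.

```python
from dataclasses import dataclass

# Responder-side lifetime check, modelled on racoon's proposal_check modes.
# Mode semantics are restated from memory of racoon.conf(5); treat them as
# an assumption of this example, not as text from the post.
MODES = ("obey", "strict", "claim", "exact")


@dataclass(frozen=True)
class Outcome:
    accepted: bool
    lifetime: int       # seconds the SA lives on the responder; 0 if rejected
    notify_peer: bool   # responder tells the initiator its own, shorter lifetime (claim)
    reason: str


def negotiate_lifetime(our_cfg: int, proposed: int, mode: str) -> Outcome:
    """our_cfg is what the GUI p1/p2 lifetime says; proposed is what the
    connecting client asked for. Only 'obey' lets the client override us."""
    if mode not in MODES:
        raise ValueError(f"unknown proposal_check mode {mode!r}")
    if mode == "obey":
        return Outcome(True, proposed, False, "obey: initiator's lifetime used, ours ignored")
    if mode == "exact":
        ok = proposed == our_cfg
        return Outcome(ok, proposed if ok else 0, False, "exact: lifetimes must match")
    if proposed <= our_cfg:  # strict and claim both accept a shorter proposal
        return Outcome(True, proposed, False, f"{mode}: shorter proposal accepted")
    if mode == "strict":
        return Outcome(False, 0, False, "strict: proposal longer than ours, rejected")
    return Outcome(True, our_cfg, True,
                   "claim: our shorter lifetime used, RESPONDER-LIFETIME notify sent")


def rekey_at(lifetime: int, numerator: int = 2, denominator: int = 3) -> int:
    """Soft lifetime: start renegotiating at about 2/3 of the hard lifetime
    so the replacement SA exists before either side's hard expiry."""
    if lifetime <= 0:
        raise ValueError("lifetime must be positive")
    return lifetime * numerator // denominator


def rekey_before_peer_expires(rekeying_side_life: int, other_side_life: int) -> bool:
    """The 2/3 rule only works when the rekeying side's soft lifetime lands
    before the *other* side's hard lifetime. With mismatched lifetimes and a
    peer that does not rekey on its own, the SA is deleted first and the
    connection has to be rebuilt from Phase 1 (xauth included)."""
    return rekey_at(rekeying_side_life) < other_side_life


if __name__ == "__main__":
    server_p1 = 28800           # constructed GUI value
    for proposed in (3600, 86400):
        for mode in MODES:
            o = negotiate_lifetime(server_p1, proposed, mode)
            print(f"client={proposed:>6} {mode:>6}: accepted={o.accepted} life={o.lifetime:>6}"
                  f" rekey_at={rekey_at(o.lifetime) if o.accepted else '-':>6}  {o.reason}")
    # client rekeys at 2/3 of 86400 = 57600, but a server holding 28800 expires first
    print("safe:", rekey_before_peer_expires(3600, server_p1),
          rekey_before_peer_expires(86400, server_p1))
```

Read against the post: under 'obey' the 28800 configured on the server is simply replaced by whatever the phone proposes, so the effective rekey interval is 2/3 of the client's value, not of the GUI's. Under 'claim' the server keeps 28800 and sends a notify; if the client ignores it and schedules its own rekey at 2/3 of 86400, the server-side SA is gone 28800 seconds in and the client must re-authenticate.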

  • Cannot connect to host

    Locked
    0 Votes
    6 Posts
    2k Views

    Wow, interesting. I WAS using the Cisco VPN client. Since you posed the question, I had not thought it could be the client since I was able to connect okay. Anyway, I installed Shrew Soft, imported the same profile and I seem to be able to RDP to an internal host, etc., just fine now. :)

    Thanks!!

    Cheers.

  • IPSec, iPhone, enc0 interface issue

    Locked
    0 Votes
    1 Post
    1k Views
    No one has replied
  • IPsec mobile VPN with multiple phase 2 entries

    Locked
    0 Votes
    6 Posts
    8k Views

    @jedblack:

    I think you may need to provide a Phase2 PFS group to the clients.

    check the box "Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )"

    and select "Group 2" from the drop down menu

    See if that works for you…

    Thanks, I'll give that a try.

  • Multi remote gateway for Mobile Client

    Locked
    0 Votes
    1 Post
    965 Views
    No one has replied
  • Strange behavior IPSEC VPN

    Locked
    0 Votes
    6 Posts
    3k Views

    Hi, I didn't read the whole story, but can you connect to the printers if you VNC to a host in that other subnet and try to access them with a browser?
    If you can SSH to the other end's firewall, can you then use a proxy to connect to the printers?

  • 0 Votes
    4 Posts
    2k Views

    Yes, it seems to be hard to get an answer out of anyone on this forum. Not sure why, but whatever. Any way that you can reconfigure devices and send them out for a coordinated changeover? Check these out: http://store.netgate.com/ALIX2D2-Kit-Red-Unassembled-P1028C86.aspx - very easy to install and configure.

  • Racoon won't start anymore - Pfsense 2.01

    Locked
    0 Votes
    2 Posts
    2k Views

    That means one of your packages broke its dependencies somehow. Just installing the 2.0.1 update file via System > Firmware, Manual Update, will fix it.

  • Site to Site IPSEC Tunnel works only one way?

    Locked
    0 Votes
    2 Posts
    4k Views
    jimp

    Generally speaking, only two things would prevent traffic from moving:

    1. The tunnel isn't actually up (check Status > IPsec).
    2. Firewall rules on the IPsec tab (Firewall > Rules) are not allowing the traffic.
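An added example (not code from either thread or from pfSense) that traces one packet through the two checks jimp lists above and through the situation in the "Routing to other subnets" thread. pfSense IPsec is policy based: a packet only enters a tunnel when some Phase 2 entry covers its source and destination, so a subnet that is not in any Phase 2 cannot be reached by adding a static route. Traffic that does arrive from a tunnel is then filtered by the rules on the IPsec tab of the receiving side, default deny, which is how a tunnel can appear to work in one direction only. The 10.0.<label>.0/24 subnets reuse the thread's 102/120/140 labels and are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    local_net: str    # subnet behind the firewall holding this entry
    remote_net: str   # subnet behind its peer


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    src: str          # network, or "any"
    dst: str


def _matches(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def covering_phase2(src: str, dst: str, entries: List[Phase2]) -> Optional[Phase2]:
    """SPD lookup: the packet is sent into the tunnel only if some Phase 2 has
    src in its local_net and dst in its remote_net. Anything else is routed
    like ordinary traffic, which a static route cannot change."""
    for p2 in entries:
        if _matches(src, p2.local_net) and _matches(dst, p2.remote_net):
            return p2
    return None


def ipsec_tab_verdict(src: str, dst: str, rules: List[Rule]) -> str:
    """Rules on the IPsec tab filter traffic arriving *from* the tunnel;
    first match wins and the implicit last rule is block."""
    for r in rules:
        if _matches(src, r.src) and _matches(dst, r.dst):
            return r.action
    return "block"


def trace(src: str, dst: str, local_p2: List[Phase2], peer_p2: List[Phase2],
          peer_ipsec_rules: List[Rule]) -> str:
    """Follow one packet from a host behind 'us' to a host behind the peer."""
    if covering_phase2(src, dst, local_p2) is None:
        return "NO_LOCAL_P2"                  # never enters the tunnel
    # The peer sees the same pair mirrored: dst is its local, src is its remote.
    if covering_phase2(dst, src, peer_p2) is None:
        return "NO_PEER_P2"                   # no matching policy on the far end
    if ipsec_tab_verdict(src, dst, peer_ipsec_rules) != "pass":
        return "BLOCKED_BY_PEER_IPSEC_RULES"  # jimp's point 2, on the far end
    return "OK"


# Constructed scenario: site X has LANs 102 and 120, site Y has LAN 140,
# and only 102 <-> 140 is configured as a Phase 2 on both sides.
X_P2 = [Phase2("10.0.102.0/24", "10.0.140.0/24")]
Y_P2 = [Phase2("10.0.140.0/24", "10.0.102.0/24")]
X_RULES = [Rule("pass", "10.0.140.0/24", "any")]   # X lets Y's hosts in
Y_RULES: List[Rule] = []                            # nobody added a rule at Y


def with_second_phase2():
    """The fix for LAN 120: a second Phase 2 on *both* ends, not a route."""
    return (X_P2 + [Phase2("10.0.120.0/24", "10.0.140.0/24")],
            Y_P2 + [Phase2("10.0.140.0/24", "10.0.120.0/24")])


if __name__ == "__main__":
    print("Y -> X:", trace("10.0.140.5", "10.0.102.5", Y_P2, X_P2, X_RULES))
    print("X -> Y:", trace("10.0.102.5", "10.0.140.5", X_P2, Y_P2, Y_RULES))
    print("120 -> 140:", trace("10.0.120.5", "10.0.140.5", X_P2, Y_P2, Y_RULES))
    xp, yp = with_second_phase2()
    print("120 -> 140 fixed:", trace("10.0.120.5", "10.0.140.5", xp, yp, [Rule("pass", "any", "any")]))
```

The first two traces reproduce the "works only one way" symptom: the tunnel is up and the selectors match in both directions, but Y has no pass rule on its IPsec tab, so only connections started from Y succeed. The third trace is the other thread: 120 never matches a Phase 2, so it is not tunnel traffic at all, and only adding the second Phase 2 on both ends changes that.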

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.