  • Creating Site-to-Site VPN to Windows Azure…

    Locked
    3
    0 Votes
    3 Posts
    6k Views
    ?
    From which end are you having trouble? How is the firewall in your pfSense box configured for the IPsec and LAN interface? And which connections are you not getting through? Regards, Anders
  • How to Setup VPN Tunnel in PF Sense 2.0.1

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Tunnel - pfSense - Netgear FVS336GV2

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    pick your own: http://doc.pfsense.org/index.php/Category:IPsec
  • Ipsec VPN Mobile Client (Ipad / Iphone)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Mobile IPsec is really meant to be for remote devices, not local. You can't make more than one Phase 1. If it were OpenVPN you could just add a port forward to make it available on multiple interfaces, but IPsec is much less forgiving. Why do you need IPsec on top of your Wifi?
  • IPSEC tunnel works for most traffic–not SMB

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Q
    Never mind–I discovered that there was a SMB deny rule on the Watchguard site. It was created by my predecessor and I didn't realize it would override the tunnel allow any/any rule.
  • Ping problem on Ipsec

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    while I'm REALLY new to pfsense (like 4 days old haha), I had a problem similar over my ipsec vpn. I could ping from the remote office to the main office, but not the other way around. I ended up going to Firewall -> Rules -> IPsec @ the remote office, and made an "any" rule (any protocol, source, port, destination, gateway). Once I did that, I could ping and traceroute both ways across the link. Basically, you have to treat the IPsec tunnel as any other network adapter it seems. Hope this helps.
  • IPsec and DMZ

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    ?
    Hello, I thought there was just 1 post, but http://forum.pfsense.org/index.php/topic,50914.0.html It's the same, just in the German support. We should close this one and keep going in the German one … My German is also better  ;D Greetings / Gruß Sanches
  • Pfsense<->pfsense IPSEc tunnel only initiates phase2 from one direction

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    E
    Apparently side "B" needs some rules to allow IPSEC from "A".  However "A" needed no such rules.(which is the part that confused me.)  Adding A->(any WAN) seems to have resolved the problem.
  • 0 Votes
    3 Posts
    2k Views
    jimp
    There is data on the SAD entries going from you to the remote site - there is no data on the return SAs. That implies that they are blocking the traffic or it's being ignored/misrouted on the return. Your side may be set up right. I'd focus on the remote.
  • PFSense <-> Barracuda Site to Site VPN (Kinda Works)

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    jimp
    The packets being blocked are ACK packets, so as cmb said, asymmetric routing is the most likely explanation.
  • IPsec and static routes

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    Z
    Thank you that did the trick.
  • 0 Votes
    2 Posts
    1k Views
    C
    That's for a different type of mobile IPsec. You're using xauth, which truly means the user's password, doesn't use user pre-shared keys.
  • 0 Votes
    3 Posts
    3k Views
    R
    cmb, Not really, TMG is configured only time-based. Also, it not only drops the connection after a certain amount of bytes, it could even finish copying the entire file, like I said one in 10 to 12 times. Thanks.
  • Routing through VPN tunnel

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    ?
    Sorry for the delayed answer, need to remember to enable notify on threads I participate in… But no, unfortunately I didn't get this to work but haven't spent much time on it either...
  • Site to site with same subnet is this possible?

    Locked
    6
    1 Votes
    6 Posts
    7k Views
    S
    @jimp: You can do that sort of NAT with OpenVPN, but not IPsec. You'd have to address the remote side IPs as though they were in a different subnet, so it doesn't really save you any convenience. If you have no conflicting IPs at all, just the same subnet, a bridge may be possible, but never recommended. You could save yourself a lot of headaches by just renumbering one side though.

    Hi jimp, I can confirm that with OpenVPN, nat (snat) before ovpn tunnel works perfectly. As reported in pfSense 2.0 features and in a lot of forum threads, NAT before IPSEC is not supported yet (maybe in 2.1 version). Looking for a solution for my issue, I've read your post ( http://forum.pfsense.org/index.php/topic,36119.msg186468.html#msg186468 ) and some tips speaking about multiple pfs boxes (one for NAT, one for IPSEC), to work around NAT before IPSEC. In my scenario, I have multiple ipsec tunnels to remote sites with overlapping subnets (i.e. 192.168.1.0/24).

    MyIP: 1.1.1.1
    MyLocalHost: 10.123.1.10
    MyLocalSubnet: 10.123.1.0/24
            |
    <<ipsec tunnel1>>
            |
    RemoteSite1: 2.2.2.2
    RemoteSubnet1: 192.168.1.0/24
    RemoteHostInSubnet: 192.168.1.10

    MyIP: 1.1.1.1
    MyLocalSubnet: 10.123.1.0/24
            |
    <<ipsec tunnel2>>
            |
    RemoteSite2: 3.3.3.3
    RemoteSubnet2: 192.168.1.0/24
    RemoteHostInSubnet: 192.168.1.10

    As you can see, subnet overlap is only in remote sites, not between local & remote site. How to reach hosts in different remote sites but with the same ip & subnet from myLocalHost? Can multiple pfs boxes help me in this scenario? Thanks a lot, SierraBravo
  • VPN Via Epia dual NIC Board racoon 100% cpu then crashes

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VPN Acceleration

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    It's already in snapshots - http://snapshots.pfsense.org Related thread: http://forum.pfsense.org/index.php/topic,50353.0.html
  • Possible to connect to a Primary tunnel and Backup tunnel?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    If you read the notes on the ticket you'll see that the method used on that page isn't really viable the way we do things. But we're still searching for a good way to make that happen on to fail between two remote peers without involving DNS.
  • 0 Votes
    3 Posts
    3k Views
    K
    Hi, Thanks for your reply. I have the same opinion. But I might have a workaround with openvpn. using site-to-site openvpn connection but with different udp port numbers. Because the topology above is just part of the network the real network looks like this: |SiteB|                  A  B                    A  B                    A  B                    A  B      |SiteA|–---|INTERNET|               C  D                    C  D                    C  D                    C  D                  |SiteC| (A,B,C,D,- are internet links) SiteA has 1 internet link, SiteB,SiteC have 2 internet links. I want to use all the links to have redundancy between the two satellite sites (SiteA,SiteB) and  the central site: SiteC. What I have done so far: I created site-to-site openvpn tunnel between SiteB using A link and SiteC C link and between SiteB A link and SiteC D link. So far this works fine. SiteC is the openvpn server SiteB,SiteC will be the openvpn clients. For failover I am using quagga's ospf. So do you think this could work? Thanks, klajosh
  • IPSEC tunnel from dynamic IP

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    S
    Ok, after a last test I have buried IPsec in my case. I have connected the Fritzbox to dsl and the tunnel was working fine and reliable. Then I have switched from dsl to 3G/UMTS using the German provider Fonic/o2. The tunnel came up, but the packets sent from the pfSense box were definitely blocked by the provider. So I followed your advice, cmb, and installed OpenVPN on the Fritzbox. And, what should I say, it is working perfectly. Thanks for your help  ;D
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.