• Site to Site IPSEC Tunnel works only one way?

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    jimp

    Generally speaking, only two things would prevent traffic from moving.

    1. The tunnel isn't actually up (check Status > IPsec)
    2. Firewall rules on the IPsec tab (Firewall > Rules) are not allowing the traffic

  • Android 4.0.X, Ice Cream Sandwich to pfSense

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    jimp

    Made a liar out of myself just now… Attempted an IPsec PSK+Xauth connection again and it worked.

    Perhaps one of the several firmware updates since the last time I tried it made it work.

  • IPSec works only for one day - "couldn't find the proper pskey"

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    jimp

    Try going to System > Advanced, on the Misc tab, and toggle the checkbox for "Prefer old IPsec SA"

    It sounds like when one SA is expiring, it isn't getting fully dropped/rebuilt as expected by both sides.

    Also, disable NAT-T.

  • IPSec Speed Boost Tips

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp

    Probably the CPU… Celerons aren't exactly known for their high-speed cryptography performance... :-)

  • Route to IPSEC

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    @cmb:

    you have to have a phase 2 matching the OpenVPN tunnel IPs for it to go across the tunnel.

    Thanks, it works now :-)

    Manuel

  • IPSEC between Pfsense 2.01 and IPfire 2.11

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Racoon restarts when other interfaces come up or down

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    Reloading (updating its config, as must be done since IPs, etc. can change) is different from restarting (wiping out the SAD, SPD), so no.

  • I am not able to start second phase2 tunnel

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    Yes, it's only a ping. You just need to initiate any traffic that matches the second phase 2. Then if it doesn't come up, check the IPsec logs to see why.

  • IPSec, LAN's can talk, but not pfsense machines?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    R

    Thanks CMB, that was what I was thinking I might have to do - works great, thanks :)

  • SHA-1 problems to other routers

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    I can confirm that issue with SHA1 and our Watchguard XTM for a Site-to-Site VPN ???

    Crazy to me is that another box running pfSense version 1.2.3 has been working perfectly for a long time using SHA1 and the same settings (except PSK and WAN stuff, of course). It appears as if the tunnel is up and running, but in fact no traffic is going through.

    My solution so far is changing to MD5 instead on both Phase 1 and 2. After that everything is OK immediately. :o

    Would like to see this fixed somehow, as I don't know if I'm missing a security option or anything like that.

  • IPsec + iOS and DNS Issues

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    E

    It works for me too, but what is this floating rule?

    thanks

  • IPSEC routing issue and "connect vpn" button missing

    Locked
    9
    0 Votes
    9 Posts
    8k Views
    M

    @pingulino:

    @jimp:

    As I said though, there are some bugs in the detection process for that button, it doesn't take IP aliases or subnets other than lan into account. So unless the local Phase 2 includes the LAN subnet, there is no connect button.

    Does this mean I can not use IPSec for my OPT network?
    That would be disastrous!

    In fact I am not able to make opt1 work with IPsec. Have you made it work?

  • L2TP over IPsec

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    M

    It works :)
    I posted on another forum from Germany and it works like this:
    http://www.administrator.de/Pfsense_L2TP_over_IPSec.html

    Now I want a certificate method (mutual RSA + xauth) with L2TP over IPsec. Can anyone help?

  • IpSec Routing Problem

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    A

    Call me silly, but I do not understand. Could anyone be more precise?

  • Netbios - See, ping or connect to shares across IPSEC tunnel

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    K

    Hey
    thanks for taking the time to reply.. I'll try that out and go from there.. thanks again…

  • Connect a Sonicwall to pfSense VPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    K

    Thanks for the reply.. You are correct.. it works 100%

  • Clarification on IPSec and OpenVPN documentation

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    thanks so much! :)

    @jimp:

    That should work fine, what that warning means is that you can't have IPsec and OpenVPN between the same two locations carrying the same two subnets.

    So you can't have:

    Site A:
    x.x.1.0/24
    Site B:
    x.x.2.0/24

    And have IPsec between x.x.1.0/24 <-> x.x.2.0/24 and OpenVPN between x.x.1.0/24 <-> x.x.2.0/24 - identical networks.

  • Routing Problem with IPSec Tunnels (3 different Sites)

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    jimp

    Without seeing your exact config it's hard to speculate. Generally speaking, that error means your Phase 2 definitions do not line up.

    For that kind of setup, you end up with something like:
    IPsec A<->B
    192.168.200.0/24 <-> 10.10.0.0/24
    192.168.200.0/24 <-> 10.20.0.0/24

    IPsec B<->C
    10.10.0.0/24 <-> 10.20.0.0/24
    192.168.200.0/24 <-> 10.20.0.0/24

  • L2TP over IPSEC

    Locked
    5
    0 Votes
    5 Posts
    15k Views
    jimp

    It is still not possible, and may have to be pushed back yet again for 2.2

    I added a note to http://doc.pfsense.org/index.php/L2TP_VPN_Settings and included a link to the redmine ticket.

  • Possible Bug: IPSEC to OpenVPN conversion

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp

    They should have been removed, yes, when that tunnel was deleted or disabled.

    That commit (which should be in 2.0.1) should have ensured that they were cleaned out if all tunnels were removed, but I don't see how it would leave them in there if the tunnel were removed.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.