• IPsec Clients Unable Access Windows Shared Folder

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    That's generally up to the server itself, your firewall rules on the IPsec tab, and how your client accesses the server.

    If the server allows the connection from the VPN subnet, it should work, provided the traffic passes in your IPsec firewall rules, and the clients are accessing it by \\x.x.x.x where x.x.x.x is the IP of the server.

    Browsing/accessing by name probably isn't going to work in most cases. If it works by IP and not by name, check the client's DNS settings and such in Shrew.

    OpenVPN works much better, especially for road warrior/mobile clients.

  • Mobile IPsec Server Unresponsive…

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Clientless VPN with SSL

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C

    No. There is no such thing as a clientless VPN. The browser-based VPNs do nasty things; I wouldn't want to use one along the lines of what some commercial vendors offer. Better off with a real VPN client that's not some ugly browser hack.

  • IPsec low throughput

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    400 KB/sec is roughly 3 Mbps, i.e. you're hitting the max of the upload. Or do you mean 400 Kb?

  • PfSense IPsec <-> Shrew: no configuration for …

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    U

    I have exactly the same problem.
    I've tried almost any setting… it connects, I get an IP from pfsense, but no traffic.

    Also the errors in pfsense are sometimes different (without any change in settings on both sites).

    Most of the time I get this error: racoon: ERROR: failed to begin ipsec sa negotication
    also this one: racoon: ERROR: no configuration found for x.x.x.x
    But sometimes a phase 2 error (but I already got the IP from the pfsense box); this doesn't happen often.

    I got this error as well: racoon: ERROR: libipsec failed pfkey check (Invalid address family)

    I have NAT-T enabled and opened port 4500 (UDP) in my firewall.

    What could be wrong?

    Is there a bug in IPSEC?

    Btw, I also have some site-2-site tunnels running on the same box; those work fine.

    Only the mobile client is not working.

  • PfSense 2.0.1 <-> Fritz!Box Fon WLAN 7270, IPsec

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Using the cisco vpn client

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Shrew client could not browse by hostname

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    dotdash

    That should work. Verify you are providing the correct DNS domain name and try to ping the full DNS name, e.g. server.company.local.

  • Site-to-site tunnel established but no connection?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J

    I got it working.

    Not sure what was wrong. Went through everything in the guide again and all seems good :)

  • VLAN true IPSEC how ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    B

    Great work, thank you 100x…

  • Pfsense as vpnc client

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Two Location 2 net Connection want to boost up Ipsec VPN

    Locked
    1
    0 Votes
    1 Posts
    953 Views
    No one has replied
  • PfSense -> Cisco ASA5510

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    L

    After enabling DPD it appears the system is stable.

    Lex

  • Multiple subnets

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    U

    I have fixed the problem, but I still think it's strange that it didn't work.
    What I did is I changed the subnets on pf2: I changed 192.168.41.0/24 to 192.168.140.0/24
    and 192.168.71.0/24 to 192.168.170.0/24.
    After that I set up 2 tunnels: on pf1 192.168.0.0/17 -> 192.168.128.0/17 and on pf2 192.168.128.0/17 -> 192.168.0.0/17
    This works perfectly, no outbound NAT adjustment needed, every subnet is reachable without changing anything else in the IPsec settings and firewall rules (they were already set up right).
    In the old situation I had high pings and packet loss (both pf's were connected with a cable of about 300 meters); after the change, ping was <1ms and no packet loss anymore.

    What could this be? Some bad routing?

  • Tunnel between two pfSense 2.0 - big ping time

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    S

    No, I'm not confused. With the scheme DLink-ISP-pfSense, the ping time, also on pfSense to DLink, was 3-5ms. After replacing the DLink with pfSense, the ping time has risen. If you run the command ping 192.168.0.1 -t (remote pfSense), it begins at 90ms, then gradually (after 30 packets) drops to 3-5ms, then abruptly jumps up to ~100ms. And so it is cyclic.

  • Cisco VTI tunnel

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPad and iPhone Mobile IPsec - Multiple devices at same time

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S

    @root2020:

    Do I need to setup an IPsec VPN for each iPad. What is the best way to set these up?

    I don't think so. The tunnel should work with all your devices. Did you create a user for each of your devices? Maybe that's the problem, since you have concurrent connections from the same user at the same time.

    Hope it helps

    Cheers!

  • Site2site tunnel shut down not coming up

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    J

    Hi, the tunnel went down a few days ago. Now I am back at our main site. No matter what I do, I cannot bring the tunnel up. The error message is:
    racoon: [Abdn-Leeds]: INFO: IPsec-SA request for xx.xx.xx.xx queued due to no phase1 found.
    Mar 26 14:49:53 racoon: ERROR: phase1 negotiation failed due to time up. 88b57bff254ae040:0000000000000000
    Mar 26 14:49:36 racoon: INFO: delete phase 2 handler.
    Mar 26 14:49:36 racoon: [Abdn-Leeds]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xx.xx.xx.xx[0]->yy.yy.yy.yy[0]
    Mar 26 14:49:02 racoon: INFO: begin Aggressive mode.
    Mar 26 14:49:02 racoon: [Abdn-Leeds]: INFO: initiate new phase 1 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]
    where xx is the branch IP and yy is the main site IP. Any help would be appreciated. Thanks

  • IPSEC VPN to Watchguard firewall

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    C

    Did you sort this?
    I was having the same issue as well. I changed from sha-1 to MD5 and then everything worked.

    Was just wondering whether you guys had it working with sha-1.

    What are your tunnel config settings?

    I did wonder whether it's to do with the crypto card in the pfsense (watchguard) not working as expected…

  • 0 Votes
    4 Posts
    4k Views
    K

    Thank you for your reply!

    So is there a possibility at all to have an IPSec Tunnel handle a failover from DSL to UMTS in pfSense?
    At the moment it seems to me that you need two tunnels anyways, one for the DSL connection and one for the UMTS connection, but they would both need to terminate on the datacenter pfSense.
    But then, as soon as two tunnels are supposed to terminate on the same remote wan IP, it won't work, no?
    So it would be necessary to have at least two WAN IPs on the datacenter pfSense?

    Isn't there a more elegant solution to handle a WAN failover in the office site - including the IPSec VPN that also can follow the failover?

    Thanks!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.