Got it working now, seemed to be an AD DNS problem with Reverse lookup zones that weren't configured.
Somehow nothing worked untill that was configured.

Thanks anyway :)

Check with your provider if there is no Qos applied to IPSec or any other protocol.

Try disabling the firewall on the computers. Even though you cannot ping them, can yopu remote desktop to them? I found that windows 7 and XP can nativly block ping replies, especially from different subnets. Turn windows firewall of and then try to ping. You can create an exception in windows firewall to reply if you decide you want to leave it on.

Hi,
If you put a PFsense behind the modem in a DMZ then yes IPSEC VPN should work just fine. Even better would be to get a full bridge modem like a Draytek Vigor 120.

Maybe your 3G provider is blocking Ipsec traffic? Most 3g providers use some kind of proxy for web traffic and ports for VPN are most of the time blocked. You can also try to connect with your wifi connection (if you have one) to see if your config is ok.

http://forum.pfsense.org/index.php?topic=41617.0

Yea totally agree. I remember when i thought that when i first intalled Pfsense.

So how can we help to nail down the source of this problem?  I've gotten a little more knowledgeable since my last post, but I'm still not completely there.  If my understanding is correct a packet entering the LAN interface would be sent to racoon at some point to see if it matches any of the SPDs.  If it does, racoon sends the packet into the appropriate tunnel.  If not, it should pass the traffic on through the normal process.

If this is a correct understanding then the packets in question are disappearing inside pfSense because racoon is for some reason silently dropping the packets rather than doing what it is supposed to do.

It seems that there would be two possible causes of this problem:

1.  These packets are being translated by NAT before they are sent to racoon, which would cause them not to match any SPDs.

2.  There is some subtle error in racoon that causes it to not see the match - perhaps because of a logic error regarding the 0.0.0.0/0 specifier in the SPD.

If someone will point me in the right direction, I will read and/or instrument the code and see if I can find the problem.

One other question:  Does anybody know if there is any way to turn on logging for NAT rules.  This would be helpful also in understanding packet flow inside pf.

Thanks.

-Dave

The second post of this thread shows the link to script thread.

@marcelloc:

You can use the script on this topic with few modifications.

http://forum.pfsense.org/index.php/topic,42025.0.html

action: deny
proto any
source any
destination network 10.0.0.0/8
description: retrict access to 10.x network

It's covered in the book, on the wiki, and in posts here on the forum. Some simple searches would turn up lots of information. A lot depends on the type of Cisco router you have (Running IOS? PIX/ASA?).

For starters…
http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_a_Cisco_PIX

That is normal for any VPN type. The secondary will always believe it has a more direct route back to the client and eat the traffic since it has no connected tunnel.

You can work around it by adding an outbound NAT rule on the LAN that will NAT traffic leaving from the IPsec mobile subnet going to the secondary to the primary's LAN IP

You may also want to add a similar rule to the secondary (nat out from the IPsec mobile subnet going to the primary's LAN IP, translated to the secondary's lan IP), so you can get to the primary if it's not master.

@Navillus:

Interestingly I am also getting this error when attempted to setup tunnels and 2 new sites with 2 separate pfSense 2.0 boxes and Watchguard / Fortinet endpoints.

which? Start a new thread describing your issue please, it's not the same as this one. Locking it to prevent further hijacking since it's resolved.

Usually it also works on demand. If you have traffic to ipsec it will establish connection.

Ended up using 2 firewalls to router the traffic and it ended up working.

Thanks for the help!

what happens if you try to put 1500 in mtu field

Here is the only thread that seem related to my problem.

http://forum.pfsense.org/index.php/topic,23577.msg121576/topicseen.html#msg121576

On the site B:

I have creat the Aliases with IP of the server on site A (192.168.1.2) Enable the Advance Outbound NAT Created 2 Inbound NAT with following detail:
If Proto Ext. port range  NAT IP  Int. port range  Description
  WAN                80(HTTP)              192.168.1.2              80(HTTP)
If Proto Ext. port range  NAT IP  Int. port range  Description
  LAN                  80(HTTP)                192.168.1.2              80(HTTP) Allow all the traffic on LAN, WAN, IPSec VPN firewall rules

It still does not work!
Am I missing anything?