Take a look at this topic, it's used to enable IPSec when wan fails, but you can change it to work the way you need.
http://forum.pfsense.org/index.php/topic,42025.0.html

I think I found my problem, my switch sucks. It doesn't support it

@thesidetalker:

Got it working jimp, thanks!

My problem was on one end I was using a VLAN for the local subnet. The VLAN was configured wrong. This machine I'm using as a hub and will have multiple endpoints connected. I just want them on different subnets.

Okay now for another problem. I think I have the VLAN configured wrong.. maybe. Or more likely, my firewall rules are incorrect. I have a few machines on the network behind that pfSense box I'm using as the IPsec hub. It has two nics and I have that VLAN on the LAN port. These machines can use the LAN IP as a gateway no problem, but if I configure them to use the VLAN as a gateway, no workie. I can't ping the VLAN IP from a local machine or ping local computers from the pfSense box through the VLAN.

You have to have multiple phase 2s on both sides (doesn't quite look the same way on the ASA, it's just additional lines in the ACL for the p2 there, but it's the same). You can't route over IPsec tunnel mode, on either the ASA or pfsense, or anything.

Not sure … I tested my Shew in Linux and it worked. Though mine it not using a tunnel interface. I have use existing adapter and I have a policy of the remote network.

Aaahhhhh…..now it makes sense :)

I will try in about 8 hrs and see what happens :)

Thank you very much.

The guide you mentioned was really excellent, but I wasn't able to get BGP to connect.

In the ipsec phase 2 settings, the Local Network and Remote network are specified like this:

169.254.255.2/30
169.254.255.1/30

I tried specifying these to be individual IPs instead.

The other thing was that I don't understand why you specify a static route for 169.254.255.2 to go out of the WAN interface. Surely this traffic (for BGP) needs to go out of the ipsec interface? So I deleted the static route that was described in phase 2. I'm really not sure that route is needed. I deleted it, and then BGP seemed to connect…

After all this, the AWS control panel still shows the connection as in state DOWN, but pfsense shows things are connected - so I feel like I've made progress!

Has anybody else got experience of making this all work?

Tom

Thanks for the reply :)

I think I will add an additional interface, and then use another public IP to route traffic to a dedicated VPN device in that case, I prefer to keep things modular anyway.

@cmb:

Sure, that's not uncommon.

Cool, Thanks.
I will give it a try.

thanks!  was able to get 1.2.3 <-> 2.0 talking with this

-Rich

Indeed. That's what I did and it works. Just wondering why the ping works only in one-way. From the pfsense side I can ping the internal remote IPs but they cannot do the same.
Specific IPSEC rule has been set on my pfsense firewall in order to allow traffic….
thanks
Max
italy

I think it's regards to  remoteid that it's the same.

Thank u all.

@Rural:

I'm not sure that I understand what a remote access VPN would require of the laptop that travels between the work-place and an employee's home. These machines operate under a domain controller at work. It would be nice if that still applied at home.

They would have to connect their VPN client when outside the office. That's the typical means of remote access, then it can work anywhere not just in employees' homes, and you're not allowing whatever devices people plug into their home networks to get to your network.

Once I created an ipsec configuration entry I was able to get the service to start, I thought I needed the service started before I would be able to configure and entry but that wasn't the case. Now I just to need to figure out how to get a remote cisco device, to talk to nice with pfsence. Hopefully its not to frustrating.

Just to update, after leaving this alone all night I do see SAD and SPD entries for the dynamic IP sites, but no data sent/received and I am unable to ping any of them.

I've been searching and reading as much as possible but seem to have come up empty. Is there a way to push the local DNS entries to VPN clients over Shrew or am I spinning my wheels?

I can ping the hosts via IP but not via hostname.

Thanks,
Technyne

i didn't resolve the other problem too. cheers  :(

wrong GW settings on that linux or you have some rules, which overrules vpn gateway usage