• 0 Votes
    4 Posts
    3k Views
    jimpJ

    ok, I committed a fix to skip that part of the code if there are no p2's.

  • Is this possible to disconnect ipsec mobile users

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    ok cool, Thanks.

  • Can't reach host via ipsec tunnel

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P

    Strangely enough, it was only a lifetime mismatch for phase 1.
    So finally we're connected, all is fine!

  • IPsec not working, time out & "Unknown Gateway/Dynamic"

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    P

    Now this is interesting!
    I'm starting a new thread about this character problem, it might be useful.

  • Ssh inside an ipsec tunnel

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    L

    @gordslater:

    If this happens from only one machine, I've had faulty NICs (both onboard and PCI/PCI-X) give me SSH broken pipes and strange problems when I ran ncurses commands, top or a command like ls -al with significant return data, yet simple one-liners with no output worked just fine. Drove me crazy each time.

    My SSH sessions stay up indefinitely over the VPN otherwise, no problems

    Yeah, stuff like that can drive anyone crazy.

    Regarding my problem, it got solved a couple of days ago. It was a problem from the third party;
    they had some bad hardware installed that messed things up.
    Now I have everything working perfectly :)
    thanks PFSENSE :D

  • Pfsense 2.0 <-> 2.01 IPsec VPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Z

    @cmb:

    The IPsec rules control what traffic is permitted inbound from the VPN, it's always required if you want to permit any traffic in over the VPN.

    Thank you. That helped. I was perplexed as my VPN pfSense <-> IPCop* was working from the pfSense network to the IPCop network. (And that is the direction of most traffic.) But when I checked the network from IPCop to pfSense it was not working.

    I added some IPSec firewall rules in pfSense and things started working fine!

    Thanks again.

  • Site-to-Site PFSense 2.0 <-> Netgear FVG318

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D

    I found out with the tips on http://doc.pfsense.org/index.php/IPsec_Troubleshooting

    it worked as a charm!

    if u need some help about that give me more details about your issues…

  • Allow ipsec remote network from pfsense itself

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    pufff as it's in front of me - thanks a lot!
    can you remove this thread again as it was just my stupidity? :)

    cheers
    josh

  • IPSec site-to-site and DNS

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    Got it working now, seemed to be an AD DNS problem with Reverse lookup zones that weren't configured.
    Somehow nothing worked until that was configured.

    Thanks anyway :)

  • IPSEC throughput

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    marcellocM

    Check with your provider if there is no QoS applied to IPsec or any other protocol.

  • Can ping routers but NOT computers on IPSec tunnel remote sites

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    B

    Try disabling the firewall on the computers. Even though you cannot ping them, can you remote desktop to them? I found that Windows 7 and XP can natively block ping replies, especially from different subnets. Turn Windows Firewall off and then try to ping. You can create an exception in Windows Firewall to reply if you decide you want to leave it on.

  • Is this possible ipsec VPN with DSL modem

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Z

    Hi,
    If you put a PFsense behind the modem in a DMZ then yes IPSEC VPN should work just fine. Even better would be to get a full bridge modem like a Draytek Vigor 120.

  • IPsec & IPhone again

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M

    Maybe your 3G provider is blocking IPsec traffic? Most 3G providers use some kind of proxy for web traffic, and ports for VPN are blocked most of the time. You can also try to connect with your wifi connection (if you have one) to see if your config is ok.

  • Pfsense 2.0.1 VPN to Pfsense 2.0.1

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    http://forum.pfsense.org/index.php?topic=41617.0

  • IPsec LAN to LAN tunnel not working without corresponding firewall rules?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    Yeah, totally agree. I remember when I thought that when I first installed pfSense.

  • IPSEC Mobile VPN return route issue

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    K

    So how can we help to nail down the source of this problem?  I've gotten a little more knowledgeable since my last post, but I'm still not completely there.  If my understanding is correct a packet entering the LAN interface would be sent to racoon at some point to see if it matches any of the SPDs.  If it does, racoon sends the packet into the appropriate tunnel.  If not, it should pass the traffic on through the normal process.

    If this is a correct understanding then the packets in question are disappearing inside pfSense because racoon is for some reason silently dropping the packets rather than doing what it is supposed to do.

    It seems that there would be two possible causes of this problem:

    1.  These packets are being translated by NAT before they are sent to racoon, which would cause them not to match any SPDs.

    2.  There is some subtle error in racoon that causes it to not see the match - perhaps because of a logic error regarding the 0.0.0.0/0 specifier in the SPD.

    If someone will point me in the right direction, I will read and/or instrument the code and see if I can find the problem.

    One other question: Does anybody know if there is any way to turn on logging for NAT rules? This would also be helpful in understanding packet flow inside pf.

    Thanks.

    -Dave

  • Using Cron to stop and restart IPSEC service

    Locked
    16
    0 Votes
    16 Posts
    21k Views
    marcellocM

    The second post of this thread shows the link to script thread.

    @marcelloc:

    You can use the script on this topic with few modifications.

    http://forum.pfsense.org/index.php/topic,42025.0.html

  • HELP PLZ! IPSEC Mobile

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Can I check my public ip. Is it real or simple NATing?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec Tunnel and Block particular network

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    marcellocM

    action: deny
    proto any
    source any
    destination network 10.0.0.0/8
    description: restrict access to 10.x network

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.