• How to integrate Cisco router to Pfsense IPSec tunnel

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    It's covered in the book, on the wiki, and in posts here on the forum. Some simple searches would turn up lots of information. A lot depends on the type of Cisco router you have (Running IOS? PIX/ASA?).

    For starters…
    http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
    http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_a_Cisco_PIX

  • 0 Votes
    2 Posts
    2k Views
    jimpJ

    That is normal for any VPN type. The secondary will always believe it has a more direct route back to the client and eat the traffic since it has no connected tunnel.

    You can work around it by adding an outbound NAT rule on the LAN that will NAT traffic leaving from the IPsec mobile subnet going to the secondary to the primary's LAN IP.

    You may also want to add a similar rule to the secondary (NAT out from the IPsec mobile subnet going to the primary's LAN IP, translated to the secondary's LAN IP), so you can get to the primary if it's not master.

  • Endian to pfsense site to site

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    C

    @Navillus:

    Interestingly, I am also getting this error when attempting to set up tunnels and 2 new sites with 2 separate pfSense 2.0 boxes and Watchguard / Fortinet endpoints.

    Which? Start a new thread describing your issue please; it's not the same as this one. Locking it to prevent further hijacking since it's resolved.

  • IPSEC VPN reconnect?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM

    Usually it also works on demand. If you have traffic to IPsec it will establish a connection.

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSEC tunnel with NAT, need some help

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    N

    Ended up using 2 firewalls to route the traffic and it ended up working.

    Thanks for the help!

  • Bug in interfaces editing.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M

    What happens if you try to put 1500 in the MTU field?

  • Internet pass through VPN tunnel to remote site???

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    Here is the only thread that seems related to my problem.

    http://forum.pfsense.org/index.php/topic,23577.msg121576/topicseen.html#msg121576

    On the site B:

    I have created the Aliases with the IP of the server on site A (192.168.1.2). Enabled the Advanced Outbound NAT. Created 2 Inbound NAT rules with the following detail:

    If   Proto  Ext. port range  NAT IP       Int. port range  Description
    WAN         80 (HTTP)        192.168.1.2  80 (HTTP)
    LAN         80 (HTTP)        192.168.1.2  80 (HTTP)

    Allow all the traffic on LAN, WAN, IPSec VPN firewall rules.

    It still does not work!
    Am I missing anything?

  • IPSec VPN Failover to another router (on LAN)

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    marcellocM

    Take a look at this topic, it's used to enable IPSec when wan fails, but you can change it to work the way you need.
    http://forum.pfsense.org/index.php/topic,42025.0.html

  • NAT-T Help, please- I think incorrect Local IP in status

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    T

    I think I found my problem: my switch sucks. It doesn't support it.

    @thesidetalker:

    Got it working jimp, thanks!

    My problem was on one end I was using a VLAN for the local subnet. The VLAN was configured wrong. This machine I'm using as a hub and will have multiple endpoints connected. I just want them on different subnets.

    Okay, now for another problem. I think I have the VLAN configured wrong... maybe. Or more likely, my firewall rules are incorrect. I have a few machines on the network behind that pfSense box I'm using as the IPsec hub. It has two NICs and I have that VLAN on the LAN port. These machines can use the LAN IP as a gateway no problem, but if I configure them to use the VLAN as a gateway, no workie. I can't ping the VLAN IP from a local machine or ping local computers from the pfSense box through the VLAN.

  • Routing to remote tunnels

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    You have to have multiple phase 2s on both sides (it doesn't quite look the same way on the ASA; it's just additional lines in the ACL for the P2 there, but it's the same). You can't route over an IPsec tunnel-mode tunnel, on either the ASA or pfSense, or anything.

  • Shrew windows tunnel works, linux tunnel fails

    Locked
    13
    0 Votes
    13 Posts
    4k Views
    P

    Not sure… I tested my Shrew in Linux and it worked. Though mine is not using a tunnel interface. I have used the existing adapter and I have a policy for the remote network.

  • Site to site with same subnet

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    R

    Aaahhhhh…..now it makes sense :)

    I will try in about 8 hrs and see what happens :)

    Thank you very much.

  • Amazon AWS VPN to gateway for VPC

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    T

    The guide you mentioned was really excellent, but I wasn't able to get BGP to connect.

    In the ipsec phase 2 settings, the Local Network and Remote network are specified like this:

    169.254.255.2/30
    169.254.255.1/30

    I tried specifying these to be individual IPs instead.

    The other thing was that I don't understand why you specify a static route for 169.254.255.2 to go out of the WAN interface. Surely this traffic (for BGP) needs to go out of the IPsec interface? So I deleted the static route that was described in phase 2. I'm really not sure that route is needed. I deleted it, and then BGP seemed to connect…

    After all this, the AWS control panel still shows the connection as in state DOWN, but pfSense shows things are connected, so I feel like I've made progress!

    Has anybody else got experience of making this all work?

    Tom

  • Ipsec and Windows VPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    L

    Thanks for the reply :)

    I think I will add an additional interface, and then use another public IP to route traffic to a dedicated VPN device in that case. I prefer to keep things modular anyway.

  • Can I use PFSense just as a IPSec server?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    @cmb:

    Sure, that's not uncommon.

    Cool, Thanks.
    I will give it a try.

  • Possible to use XAuth without a password? (re: home network)

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Tutorial - Basic Point to Point Tunnel 1.2.3 to 2.0 RC3

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N

    Thanks! Was able to get 1.2.3 <-> 2.0 talking with this.

    -Rich

  • Nortel VPN

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    M

    Indeed. That's what I did and it works. Just wondering why the ping works only one way. From the pfSense side I can ping the internal remote IPs, but they cannot do the same.
    A specific IPsec rule has been set on my pfSense firewall in order to allow traffic…
    Thanks,
    Max
    Italy

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.