Hi,

this is by design^^ u cant route IPSEC.

What u have to do is to create multiple phase 2 entrys on Pfsense and sarians.

Have a look at this example:

Each Sarian has a IPSEC Tunnel to ur central pfsense. Sarian A cant reach Sarian B network because there is no route.

pfsense
              192.168.5.0
                |           |
                |           |
                |           |
         Sarian A      Sarian B
     192.168.6.0     192.168.7.0

Solution:
IPSEC Tunnel Pfsense <-> sarian A

Pfsense:
add phase 2 like this:

localnet: 192.168.7.0/24
remotenet: 192.168.6.0/24
use same encryption as ur first phase 2 entry.

Sarian A:

i dont know if sarian can have a second phase 2…but u can try to add a second tunnel with the same shared key...this should work.

localnet: 192.168.6.0/24
remotenet: 192.168.7.0/24

IPSEC Tunnel Pfsense <-> sarian B

Pfsense:
add phase 2 like this:

localnet: 192.168.6.0/24
remotenet: 192.168.7.0/24
use same encryption as ur first phase 2 entry.

Sarian B:

i dont know if sarian can have a second phase 2…but u can try to add a second tunnel with the same shared key...this should work.

localnet: 192.168.7.0/24
remotenet: 192.168.6.0/24

At the end create fireweallrules on pfsense to allow traffic between sarian A und B and vice versa...thats it.

If u have many sarians to connect each other u need to combine networks to minimize phase 2 entries otherwise there is much to configure.

good luck

cya

tks jimp,

well…after some troubles, i decide to tryng setup a no-ip service in my cisco router, that's was the only way how i connect with sucess my between cisco router with dynamic ip and my pfsense RC2 box.

So, i stop use Mobile Client feature, and create a solid site to site configuration, setting up the Remote Gateway option as domain.no-ip.org

best regards!

If I were you, I would try ver 2.0 RC3.

part 2:

umts pfsense:

create phase 1
my identifier: keyID tag = <user>preshared key = <userkey>create phase 2

create ipsec  firewallrule:

eg: allow any traffic from central subnet 192.168.1.0/24 to eg. 10.0.1.0/24

ping ur central pfsense lan ip, check ur ipsec logs

If ur umts routers are not pfsense u need to translate these settings. Umts routers need to support nat-t.

cya

</userkey></user>

Got it!
;D
Thanks!

I know you said there's nothing in the firewall logs, but you have explicitly allow the ping packets through on the wan interface with a firewall rule.

I found out that windows firewall restricts windows file sharing ports to the local subnet only by default (in my case anyway).  Just have to change the scope to allow the other subnet accross the vpn to have access and away you go.

Is there a way to test ipsec connectivity without using shrew? I mean, does a telnet on the 500 port suffice to say that the tunnel could be available?
I'm still having this issue and what is strange is that if I configure shrew from a pc behind the firewall, the tunnel is activated. So this means there could be some kind of connectivity problem from the outside world, but as I said, I can ping/ssh/web the firewall from the remote side (the one the tunnel must start from).
Any suggestion?

Thanks

It works fine, you just need a small routing trick.

http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

We change the bintec on the remote site to pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011.

I still have issue, not the same but… It seems that when the internet access going down for few second, the IpSEC tunnel going down as weel and cannot go up again.

Here some logs

Jun 23 13:38:19 racoon: ERROR: phase1 negotiation failed due to time up. 053074ceaa752ba7:0000000000000000 Jun 23 13:38:17 racoon: [Portugal]: [Y.Y.Y.Y] INFO: request for establishing IPsec-SA was queued due to no phase1 found. Jun 23 13:38:01 racoon: INFO: delete phase 2 handler. Jun 23 13:38:01 racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0] Jun 23 13:37:29 racoon: INFO: begin Aggressive mode. Jun 23 13:37:29 racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500] Jun 23 13:37:29 racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found. Jun 23 13:37:19 racoon: ERROR: phase1 negotiation failed due to time up. 65f6398b3e16ea16:0000000000000000 Jun 23 13:37:01 racoon: INFO: delete phase 2 handler. Jun 23 13:37:01 racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0] Jun 23 13:36:29 racoon: INFO: begin Aggressive mode. Jun 23 13:36:29 racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500] Jun 23 13:36:29 racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found. Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=83767616(0x4fe3140) Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=183173812(0xaeb02b4) Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=167828318(0xa00db5e) Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=178809086(0xaa868fe) Jun 23 10:24:15 racoon: [Portugal]: INFO: ISAKMP-SA deleted X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6 Jun 23 10:24:15 racoon: [Portugal]: INFO: ISAKMP-SA expired X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6

@CMB  Ok.  I have created a new pfsense device strictly for vpn.  I recreated the ipsec config and pointed the local subnet to my external ip address.  I have created only one rule in the Rules\IPSEC (see below).  Is this what you were thinking?

Proto      Source      Port    Destination    Port    Gateway
TCP          *            *      192.168.1.11    *        *

That's not actually an error, it's informational (HEAD of ipsec-tools has finally changed that to show as INFO in the future). You don't have any indication of any real errors there. It's perfectly fine to restart racoon under Status>Services.

Your remote and local networks are overlapping (the /16 includes the /24, the /16 side should really be /24), you can't route between those two subnets as the /16 end sees the remote end as being local, hence will never touch the firewall to route over the VPN.

Yes that is what I meant.
Great to hear it can, I'll configure it!
Thanks

I have dropped trying to connect the USG-100 and Pfsense firewall. The Pfense handles PPTP vpn's and i am not villing to give this feature up.

I was advised not to try v2.0 from the provider of the pfsense appliance due to reported stabitlity issues.

I tried various setteings as per your suggestions, before my initial post.

I ended up buying 2 smb cisco routers for the vpn tunnel instead.

Will look in to posts covering 1 GB WAN IPSEC where i will implement pfsense to pfsense vpn to keep it simpel and cost effective.

That is not NAT-T. That is just plain NAT, which doesn't work with IPsec on pfSense.

NAT-T just lets clients work from behind NAT, it doesn't actually translate addresses.

Hi,

l guess it stop working after expired SA.

-> goto System -> Advanced -> Miscellaneous

Then uncheck "Prefer older IPsec SAs" Option.

What about Ipsec log on pfsense?

cya