here are the rest of the settings

photo.PNG
photo.PNG_thumb

Try setting NAT-T to force on the server side. It may have better luck breaking out of their network.

You may want to submit a report to http://ipsec-tools.sourceforge.net/ (and secondary to http://redmine.pfsense.org/projects/pfsense )

…until someone steals your phone and then has unlimited access to your network...

The certificate auth, I believe, only replaces the pre-shared key part, not the username/password part.

Hi, i think i found my answer by playing around a bit.

My remote network is 10.1.105.0/24, i then added a route on 10.0.0.2 –> route add -net 10.1.105.0 10.0.0.1 255.255.255.0
then i could access the machines running through gateway 10.0.0.2

i hope this might help someone else.

Thanks,

If you use a dynamic DNS hostname it does work properly - I use this personally and I know people using it with dozens/hundreds of tunnels. It works great.

However the title of the thread said "without DNS" so that's how I replied.

You can't really tell that except from reading the full log.

If you look at the output of setkey -D you can see when the phase 1 entry was created, but if that was ever re-negotiated then you'd only see the latest entry there. (Or perhaps an occasional older one in some cases)

My bad. Thank you for answering.

Nobody has ever asked for esp-null to my knowledge, so it's probably lack of demand (and hence lack of funding or submitted code).

The use cases for it are pretty rare as well.

I'm going to go ahead and give this topic a little nudge in hopes that someone can shed some light. I've also found a couple of posts like this:

http://forum.pfsense.org/index.php/topic,29152.msg151679.html#msg151679

where someone was trying to use AH, and the workaround they came up with was to use ESP.

I'd really like to use AH, as in the eventual implementation one end of the tunnel will be a low powered device that I'd prefer to not saddle with a bunch of encryption, and in this application confidentiality is not as important as authentication and integrity.

Hi.

Thank you very much for your help.

I have created the tunnel and everything seems to be okay until it stops working with no reason.
Having a look at other threads of this forum, it seems to get back to work when the racoon service is restarted.

In other posts it is suggested to check the option "System -> Advanced -> Miscellaneous -> Prefer older IPsec SAs" but in the end I have to reboot racoon service.

Any help appreciated

Thank you very much.

This is very similar to my problem, our situation and logs look almost identical.

http://forum.pfsense.org/index.php/topic,40285.0.html

Easy test would be to make a different certificate from a completely different CA and see if you can still get in with that.

Oki i have solved it and IT was NOT IPsec problem.

IT was all down to that i HAD NOT set a GW on my access point that i was using to ping test.

I am now going to go an kick my self a bit, but anyway i have hardened my IPsec skills  :P  ;D

Then i dont know