• Ipsec and routing .. pretty please

    Locked | 0 Votes | 2 Posts | 2k Views

    Hello guys,
    please, I really need some help; even an RTFM (telling me which manual) would be much appreciated.
    Thanks for your time

    Alberto

  • Phase 2, subnet mismatch???

    Locked | 0 Votes | 1 Posts | 4k Views | No one has replied
  • Can't get past IPSEC for Amazon VPC setup

    Locked | 0 Votes | 3 Posts | 5k Views

    Same thing happened to me. I originally set up IPsec via static IPs for Peer and Identifier. Now I've been messing around with a Dynamic DNS service, and nothing has been changed in the Phase One settings, which worked fine before, so I am wondering: is IPsec not passing the dynamic IP correctly to the remote site for authentication?

    For now I have reverted back to static IPs until I figure this out.

    Just for reference:

    My Firewall:

    2.0-RC3 (i386)
    built on Fri Jul 15 19:39:23 EDT 2011

    Remote Site:

    WatchGuard XTM510 running 11.4.1 firmware.

  • Help with IPSEC Error (Give up to get IPsec-SA due to time up to wait)

    Locked | 0 Votes | 1 Posts | 4k Views | No one has replied
  • Performance: ipsec transport mode over GRE or ipsec in tunnel mode?

    Locked | 0 Votes | 3 Posts | 3k Views

    Transport is the preferred method and it saves you 20 bytes, but since the recommended MTU size is 1400 on both, GRE + IPsec (Transport mode) = 1440 and GRE + IPsec (Tunnel mode) = 1420, there is no big difference between them.

    Just don't forget to set the MTU on the GRE interface or you will lose data.

    // rancor

  • Multicast over IPSEC

    Locked | 0 Votes | 1 Posts | 1k Views | No one has replied
  • 0 Votes | 4 Posts | 3k Views

    I have noticed that there are some big gaps in the documentation for the Road Warrior IPSec for v 1.2.3 when using it with v 2.0. Obviously I'm aware that this documentation was done specifically for 1.2 but does anyone have any notes on what you need to do different for version 2.0 to get this to work?

  • Want IPSEC but worth upgrade?

    Locked | 0 Votes | 2 Posts | 1k Views

    It would be a close call on a WRAP. At the very least you need the same tweak to get around the WRAP's ancient BIOS that was required for 1.2.3:

    http://doc.pfsense.org/index.php/NanoBSD_on_WRAP
  • Newbie - Will the following work (Vodafone 3G NATed IP)

    Locked | 0 Votes | 20 Posts | 8k Views

    Hi,

    this is by design^^ you can't route IPsec.

    What you have to do is to create multiple phase 2 entries on pfSense and the Sarians.

    Have a look at this example:

    Each Sarian has an IPsec tunnel to your central pfSense. Sarian A can't reach Sarian B's network because there is no route.

    pfsense
                  192.168.5.0
                    |           |
                    |           |
                    |           |
             Sarian A      Sarian B
         192.168.6.0     192.168.7.0

    Solution:
    IPSEC Tunnel Pfsense <-> sarian A

    Pfsense:
    add phase 2 like this:

    localnet: 192.168.7.0/24
    remotenet: 192.168.6.0/24
    use the same encryption as your first phase 2 entry.

    Sarian A:

    I don't know if the Sarian can have a second phase 2... but you can try to add a second tunnel with the same shared key... this should work.

    localnet: 192.168.6.0/24
    remotenet: 192.168.7.0/24

    IPSEC Tunnel Pfsense <-> sarian B

    Pfsense:
    add phase 2 like this:

    localnet: 192.168.6.0/24
    remotenet: 192.168.7.0/24
    use the same encryption as your first phase 2 entry.

    Sarian B:

    I don't know if the Sarian can have a second phase 2... but you can try to add a second tunnel with the same shared key... this should work.

    localnet: 192.168.7.0/24
    remotenet: 192.168.6.0/24

    At the end, create firewall rules on pfSense to allow traffic between Sarian A and B and vice versa... that's it.

    If you have many Sarians to connect to each other, you need to combine networks to minimize phase 2 entries; otherwise there is much to configure.

    good luck

    cya

  • 0 Votes | 9 Posts | 6k Views

    tks jimp,

    well... after some troubles, I decided to try setting up a no-ip service on my Cisco router; that was the only way I could connect successfully between my Cisco router with a dynamic IP and my pfSense RC2 box.

    So, I stopped using the Mobile Client feature and created a solid site-to-site configuration, setting up the Remote Gateway option as domain.no-ip.org

    best regards!

  • PfSense 1.2.3 and DrayTek 2710n

    Locked | 0 Votes | 4 Posts | 2k Views

    If I were you, I would try ver 2.0 RC3.

  • Act as only responder IPSec tunnel endpoint

    Locked | 0 Votes | 3 Posts | 3k Views

    part 2:

    umts pfsense:

    create phase 1
    my identifier: keyID tag = <user>, preshared key = <userkey>
    create phase 2

    create an IPsec firewall rule:

    eg: allow any traffic from central subnet 192.168.1.0/24 to eg. 10.0.1.0/24

    ping your central pfSense LAN IP, check your IPsec logs

    If your UMTS routers are not pfSense you need to translate these settings. The UMTS routers need to support NAT-T.

    cya

    ![umts_Phase 1.jpg](/public/imported_attachments/1/umts_Phase 1.jpg)
    ![umts_Phase 2.jpg](/public/imported_attachments/1/umts_Phase 2.jpg)

  • Multiple IPsec tunnels to the same Gateway

    Locked | 0 Votes | 5 Posts | 4k Views

    Got it!
    ;D
    Thanks!

  • 100% Loss on ESP Packet

    Locked | 0 Votes | 3 Posts | 2k Views

    I know you said there's nothing in the firewall logs, but you have to explicitly allow the ping packets through on the WAN interface with a firewall rule.

  • Unable to browse with unc

    Locked | 0 Votes | 2 Posts | 2k Views

    I found out that the Windows firewall restricts Windows file sharing ports to the local subnet only by default (in my case anyway). Just have to change the scope to allow the other subnet across the VPN to have access and away you go.

  • Shrew and mobile ipsec: sending phase 1 packet and then timeout

    Locked | 0 Votes | 4 Posts | 2k Views

    Is there a way to test IPsec connectivity without using Shrew? I mean, does a telnet to port 500 suffice to say that the tunnel could be available?
    I'm still having this issue, and what is strange is that if I configure Shrew from a PC behind the firewall, the tunnel is activated. So this means there could be some kind of connectivity problem from the outside world, but as I said, I can ping/ssh/web the firewall from the remote side (the one the tunnel must start from).
    Any suggestions?

    Thanks

  • Syslog across IPSec tunnel?

    Locked
    2
  • IPsec error : Invalid exchange type 251

    Locked | 0 Votes | 3 Posts | 5k Views

    We changed the Bintec on the remote site to pfSense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011.

    I still have an issue, not the same, but... It seems that when the internet access goes down for a few seconds, the IPsec tunnel goes down as well and cannot come up again.

    Here are some logs:

    Jun 23 13:38:19 racoon: ERROR: phase1 negotiation failed due to time up. 053074ceaa752ba7:0000000000000000
    Jun 23 13:38:17 racoon: [Portugal]: [Y.Y.Y.Y] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jun 23 13:38:01 racoon: INFO: delete phase 2 handler.
    Jun 23 13:38:01 racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0]
    Jun 23 13:37:29 racoon: INFO: begin Aggressive mode.
    Jun 23 13:37:29 racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
    Jun 23 13:37:29 racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
    Jun 23 13:37:19 racoon: ERROR: phase1 negotiation failed due to time up. 65f6398b3e16ea16:0000000000000000
    Jun 23 13:37:01 racoon: INFO: delete phase 2 handler.
    Jun 23 13:37:01 racoon: [Portugal]: [Y.Y.Y.Y] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Y.Y.Y.Y[0]->X.X.X.X[0]
    Jun 23 13:36:29 racoon: INFO: begin Aggressive mode.
    Jun 23 13:36:29 racoon: [Portugal]: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
    Jun 23 13:36:29 racoon: [Portugal]: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
    Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=83767616(0x4fe3140)
    Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=183173812(0xaeb02b4)
    Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=167828318(0xa00db5e)
    Jun 23 12:00:21 racoon: [Portugal]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->Y.Y.Y.Y[500] spi=178809086(0xaa868fe)
    Jun 23 10:24:15 racoon: [Portugal]: INFO: ISAKMP-SA deleted X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6
    Jun 23 10:24:15 racoon: [Portugal]: INFO: ISAKMP-SA expired X.X.X.X[4500]-Y.Y.Y.Y[4500] spi:7411c5a7fa3b7592:fef87f9150e917c6
  • IPSEC VPN between Juniper and PFsense

    Locked | 0 Votes | 5 Posts | 11k Views

    @CMB  Ok.  I have created a new pfsense device strictly for vpn.  I recreated the ipsec config and pointed the local subnet to my external ip address.  I have created only one rule in the Rules\IPSEC (see below).  Is this what you were thinking?

    Proto      Source      Port    Destination    Port    Gateway
    TCP          *            *      192.168.1.11    *        *

  • PFSense 2.0-RC1: IPsec complex setup. Help needed!!!

    Locked | 0 Votes | 3 Posts | 5k Views

    That's not actually an error, it's informational (HEAD of ipsec-tools has finally changed that to show as INFO in the future). You don't have any indication of any real errors there. It's perfectly fine to restart racoon under Status>Services.

    Your remote and local networks are overlapping (the /16 includes the /24, the /16 side should really be /24), you can't route between those two subnets as the /16 end sees the remote end as being local, hence will never touch the firewall to route over the VPN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.