• Pfsense/gre, cisco ASA 5505, IPsec

    0 Votes
    1 Posts
    4k Views
    No one has replied
  • IPSEC & VLAN

    0 Votes
    3 Posts
    2k Views

    Yes that is what I meant.
    Great to hear it can, I'll configure it!
    Thanks

  • Tunnel with VIP NATed to local IP

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VLAN routing + IPsec

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN and NAT

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense - zyxel usg100 vpn crashes both firewalls!

    0 Votes
    3 Posts
    3k Views

    I have dropped trying to connect the USG-100 and pfSense firewall. The pfSense handles PPTP VPNs and I am not willing to give this feature up.

    I was advised not to try v2.0 from the provider of the pfSense appliance due to reported stability issues.

    I tried various settings as per your suggestions, before my initial post.

    I ended up buying 2 SMB Cisco routers for the VPN tunnel instead.

    Will look into posts covering 1 GB WAN IPsec where I will implement pfSense to pfSense VPN to keep it simple and cost effective.

  • pfSense IPsec and NAT-T…

    0 Votes
    4 Posts
    11k Views
    jimp

    That is not NAT-T. That is just plain NAT, which doesn't work with IPsec on pfSense.

    NAT-T just lets clients work from behind NAT, it doesn't actually translate addresses.

  • IPsec tunnel Juniper SSG5

    0 Votes
    2 Posts
    5k Views

    Hi,

    I guess it stops working after the SA expires.

    -> go to System -> Advanced -> Miscellaneous

    Then uncheck the "Prefer older IPsec SAs" option.

    What about the IPsec log on pfSense?

    cya

  • Help on setting up IPSec Vpn with Failover on two WAN

    0 Votes
    4 Posts
    4k Views
    jimp

    That is for failover between nodes of a CARP cluster, not from WAN1 to WAN2.

  • 0 Votes
    3 Posts
    3k Views

    In the interest of completion, I got the two to connect by the following:

    Open TCP port 500 on the WAN port of pfSense in the firewall, then:

    Both:
    Phase one Main Mode / Group 2 / 3DES / SHA1

    **SonicWall:** Phase two ESP / 3DES / HMAC / SHA1 (PFS Off)

    **pfSense:** Phase two ESP / 3DES / Blowfish / SHA1 (PFS Off)

  • IPSec VPN and routing

    0 Votes
    8 Posts
    5k Views
    jimp

    That would be possible with the Cisco as well, you'd just have to add all of the possible network combinations into the ACL for the IPsec config on that end.

    Still ugly, but it would work.

    If you can't use OpenVPN you might be better off just making tunnels between each router instead of trying to "route" them all through the main office.

  • 0 Votes
    4 Posts
    4k Views

    Hi,

    I got the same issue with multiple connections from one site in PSK mode.

    You create multiple users with preshared keys, right? You use different user profiles for connection, right?

    Racoon doesn't create a new SA when the second user connects. So no traffic passes the tunnel.

    This worked for me:

    Switch to Mutual PSK + xAuth in phase 1.

    Users are prompted for a password then, but it works fine.

    cya

  • Problem with Mobile IPsec

    0 Votes
    2 Posts
    2k Views

    Hi,

    pfSense 1.2.3 doesn't support NAT-T.

    Limitations

    NAT-T is not supported until version 2.0, which means mobile clients behind NAT are not supported. This limits pfSense's usefulness with mobile IPsec clients. OpenVPN or PPTP is a better solution.

    Alternatively use OpenVPN or pfSense v2.

    cya

  • Forward IPSec to another firewall

    0 Votes
    5 Posts
    11k Views

    Hi,

    ESP traffic is encapsulated in UDP port 4500. So your third rule should be unnecessary.

    You can check it by activating logging on the third rule. Then you can check the firewall log to determine if it's really used.

    cya

  • Restrict access to site-to-site VPN tunnel

    0 Votes
    2 Posts
    3k Views

    Hi,

    You can't use MAC filtering on firewall rules. Only Captive Portal is MAC-filter aware.

    In your environment you need to get employees into a range you can use for filter rules.

    1. Method - easy way

    e.g. clients that need to reach main office resources

    Static IP or DHCP with reservation within e.g. 192.168.1.100 - 192.168.1.150

    -> create a Firewall Alias (IP Range)
    -> then allow the alias to pass traffic to your main office.

    This solution doesn't prevent users from changing IP and getting access to the main office. So you need to restrict users so that they cannot change their IP address.

    2. Method - hard way - higher administrative effort

    Use VLANs and get special employees into another subnet.
    This requires VLAN-aware network devices and LAN adapters on the client side.

    Alternatively you can use port-based VLANs if only your switches support VLANs. Use additional DHCP with MAC to IP assignments (reservation) -> only special employees get an IP address, others get nothing on network ports that belong to the special subnet. But then you need to make sure special employees always use the same network socket to reach the main office.

    -> configure pfSense with VLANs (set up a VLAN trunk to the network switch) or use a second network port on pfSense for the VLAN that is allowed to reach the main office.
    -> create a rule for the VLAN subnet to pass traffic to the main office

    cya

  • Two remote sites with the same subnet - Hmmm!?!?!?

    0 Votes
    6 Posts
    4k Views

    Oh, in that case, if you only need to get from site A to site B and site A to site C, and you can set up your IPsec such that it looks to your firewall like they're two different subnets, that will work. It may also work with a /24 on one of them and a smaller subnet on the other, only if the other one comes first. That could lead to unpredictable results though; I wouldn't recommend it.

  • IPsec tunnel up but no traffic

    0 Votes
    5 Posts
    4k Views

    Aren't you getting any clues from Status - System Logs - Firewall or IPsec VPN?

    I had a PPTP rule that was deleted - I could make a PPTP connection but all access to LAN was blocked and traceable in system logs.

  • Routing over an ipsec tunnel

    0 Votes
    4 Posts
    11k Views

    Thanks, this is what I needed to know. I downloaded v2 and have not yet installed it. I like the nat-t support and the ability to add more than 1 phase 2. Thanks again

  • Site to Site with Transparent Proxy

    0 Votes
    2 Posts
    1k Views
    jimp

    The default transparent proxy rules for that will not catch traffic coming across IPsec, only in LAN or whatever interfaces are selected in the squid GUI.

  • VPN Client that lets you connect before logging on to Windows?

    0 Votes
    2 Posts
    3k Views
    jimp

    Looks like the new version of the Shrew Soft client will support this, judging by the changelog.

    http://www.shrew.net/download/changelog/vpn/2.2.0-beta-1

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.