The flaw is in the iptables implementation.

IPSEC originally uses UDP port P500 and ESP to establish a tunnel. unfortunately the current iptables version implemented in pfsense  is not aware of ESP packets and cannot NAT them. as a result only one connection can utilize them.

once pfsense supports NAT-T your problem will be solved as it encapsulated the ESP packets in a UDP packet and routes them on port 4500.

Apparently they found 2 bug in the cryptographic code. They don't know yet if those bug could be dangerous, but they will hopfully fix those bug  :)

it is working now… IKE service was not started from trace utility, when i started it the tunnel was enabled.

check the following link: http://rolfsa.blogspot.com/2009/07/basic-pfsense-to-pfsense-ipsec-tunnel.html

Still no luck. I am running 5.6.0.5-46o on the SW. The tunnel is active however no traffic is passed. Still getting dropped packets on the SW.

12/16/2010 11:55:15.256 Notice VPN IPSec IPSec (ESP) packet dropped xxx.xxx.xxx.xxx, 0, X1 xxx.xxx.xxx.xxx Inbound: SeqNum=1446931972, SPI=0x4D32000

When I hover over the log record I get 'Message id: 533 Legacy Category: Network Access'

Any luck on your end?

Jimp thanks for the update  ..can you point me where to get the snapshot ..thanks

Hi all!

I had the same situation in Windows XP!
Shrew said "Tunnel enabled" but not a single byte got through.  :(
I solved it by uninstalling shrew and reinstalling ist (v2.1.7).  :o
Obviously, the Vodafone Mobile Connect Software must be installed FIRST and second comes Shrew VPN, otherwise the Vodafone Software won't properly work with Shrew.
I think that I did it the other way round first…

Also, make sure to set the checkbox for the "Shrewsoft Lightweight Filter" VPN-Adapter in the properties of the UMTS Network Card.

Good Luck!  ;D

you actually have 2 issues:
1. encryption, one side is set to use CAST, the other AES
2. authentication hash, one side is set to yous sha, the other md5

you find this in the top two lines of code you pasted.

Hi,

would you share what configuration you used, I'm struggling with a 2800 at the moment?

Cheers!

Found out what the problem was.
My WAN interface is down, and i configered the IPsec tunnel from opt1.
When i Disabled WAN interface my vpn was working :)

Additional observation:
Even though wireless devices can't be seen remotely(thru tunnel), devices that are connected via cat5 directly into the WAP can be seen just fine from remote office(thru tunnel).
Here's a diagram of the local office networking devices:

Circuit
    |
pFsesnse
    |                    cat5                        cat5
24port switch <–----------- WAP--------------------
    |                                    |                              |
workstations                      Wireless devices      Wired devices

The wireless devices from the WAP cannot be seen on network from remote location(thru tunnel).  Wired devices connected to WAP can be seen from remote location(thru tunnel).
Locally, all devices (wired and wireless) can connect to each other.

I was able to solve the problem from this post: http://efwsupport.com/index.php?topic=497.0

@daytron:

Following the RH/Centos doc for establishing a networ-to-network tunnel between two RH/Centos boxes is dead easy. However what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption.

This also appears to be true for pfSense.

I changed the config of the Centos computer and now the tunnel works.

Centos ipsec config
–-----------------
/etc/sysconfig/network-scripts/ifcfg-ipsec0

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
AH_PROTO=none
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1

You can delete the entry you see, it is not used.

jimp,

Thanks for your reply.

Can you tell me how can I set up this 1:1 or outbound NAT on my IpSec interface ?

Thank you.

Érico

I managed to get this setup so this is what I found

you can use the same ip address for multiple tunnels I have used different keys + identifier for each tunnel I setup a keepalive but not sure if its needed Setup iperf to send as much traffic as possible through all the links for an hour or so and watched to make sure non of the connections dropped. They did about every 6 minutes but came backup within a few seconds which isnt ideal but i can probably cope with.